Hi all, I'm trying to find the most elegant and simple way to restrict access to my web content and I'd like to have your opinion on how to make it better or how other solve similar tasks.
The situation is: My web-site (Tomcat 5.5/JBoss) has 50% of pages with access restricted by declarative security in deployment descriptor. I use web container authorization (BASIC or FORM-based). Many of my prospective web-clients have old PCs with old web-browsers, so I consider usage of SSL everywhere is not a good idea. Neither DIGEST authentication is.
Therefore, I want to secure with SSL only the stage of authorization. I realize that in this case the restricted content is not secure, but the information is not confidential. Only user's login and password are. How should I do that?
The problem is that web container intersepts the request to the restricted content and tries to authorize the client via BASIC or FORM methods, but they are not secure, as the page where interception happens may be accessed not via SSL! And, therefore, all authorization interaction with client is not encrypted too.
I found an ugly trick - in FORM-based authentication I changed the action of my login form to "https://j_security_check" - this ensures that login/password are sent via encrypted channel, but upon successfull authentication Tomcat brings you back not to the page originally requested: "http://mypage.jsp", but to "httpS://mypage.jsp"!!! I.e it does not switch back from SSL to unencrypted connection. In order to avoid this I can assign a special servlet filter to all pages with the restricted, but unencrypted contents, so that this filter will change httpS to http, but this is quite an ugly way, isn't it?
Can you share some better ideas how to organize this? I just don't want to write my own security system while we have one allready.