I hate that I don't know this and can't seem to find much discussion on it anywhere...hoping someone here can help.
If I use something like this in my web.xml:
...all is fine. The server automatically redirects this page to https. Lovely.
But what's the "right" way to get the user BACK over to plain http after that? I want the CC information entered on that page to go over SSL, of course, but after that, I want to switch back to straight http.
Co-Author of Java Swing (http://www.oreilly.com/catalog/jswing2)
Co-Creator of the SCJP 5.0 (http://www.sun.com/training/catalog/courses/CX-310-055.xml) and SCJA (http://www.sun.com/training/certification/java/associate_beta.xml) exams
Just glancing over the API, it looks like any resource other than that one jsp file should not trigger the security-constraint. Naturally you would have to have the user follow a link that used "http" instead of "https". What have you actually tried? Bill
Joined: Aug 02, 2004
You are definitely correct that if I make an explicit http link, that will take care of it...but that's not quite what I want.
I'm submitting a form (with, say, CC information), so I want that submission to be secure. However, the subsequent page should not be secure. I'm sure I can make this work with proper forwarding after processing the form submission, I was just hoping/thinking that there might be a declarative way to get this to happen without having to dirty up the servlet code with knowledge of such things.
Author and all-around good cowpoke
Joined: Mar 22, 2000
I'm sure I can make this work with proper forwarding after processing the form submission,
It sounds like you are thinking about changing the connection for a given request from https to http in mid-request by some sort of forwarding magic. That is impossible; once a connection has been created as https, you can't change it.
You could redirect (NOT forward) to an http URL; that would cause the client to make a new request, which can be insecure. What is the object of making the switch back to http? Bill
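The redirect-versus-forward point above, as an added example that is not code from the original thread. It assumes the web.xml constraint the original poster elided is a `<user-data-constraint>` with `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` on a single payment resource, and the servlet name, form field, business-logic method and `plainHttpBase` context parameter are hypothetical. The servlet handles the card form over https and then sends the browser back to http with an absolute Location; a forward would stay inside the same https request and could not change the scheme.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Assumed web.xml fragment (the original post does not show its own):
 * only the payment resources carry the CONFIDENTIAL guarantee, so the
 * container redirects http requests for them to https and leaves every
 * other URL alone.
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>payment</web-resource-name>
 *       <url-pattern>/payment.jsp</url-pattern>
 *       <url-pattern>/payment</url-pattern>
 *     </web-resource-collection>
 *     <user-data-constraint>
 *       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
 *     </user-data-constraint>
 *   </security-constraint>
 */
public class PaymentServlet extends HttpServlet {  // hypothetical servlet

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container should never let card data arrive in the clear here,
        // but check anyway rather than trusting the deployment descriptor.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "payment must be submitted over https");
            return;
        }

        String cardNumber = req.getParameter("cc");   // hypothetical form field
        String orderId = processPayment(cardNumber);   // hypothetical business logic

        // forward() would render the next page inside THIS https request, so it
        // cannot switch the scheme. sendRedirect() makes the browser open a new
        // request, and the Location header decides the scheme. A relative
        // Location is resolved against the current https URL, so build an
        // absolute http one. The http port may differ from the https port
        // (e.g. 8080 vs 8443), so take the base from a context parameter
        // (hypothetical name) instead of from the current request.
        String base = getServletContext().getInitParameter("plainHttpBase");
        if (base == null) {
            base = "http://" + req.getServerName() + req.getContextPath();
        }
        String thanks = base + "/thanks?order="
                + URLEncoder.encode(orderId, "UTF-8");
        resp.sendRedirect(thanks);

        // Caveat: any session cookie issued during the https part is now sent
        // over plain http too unless it carries the Secure flag, so a session
        // used for payment becomes hijackable once the user drops back to http.
    }

    private String processPayment(String cardNumber) {
        // Hypothetical: charge the card and return an order identifier.
        return "ORDER-" + Integer.toHexString(cardNumber.hashCode());
    }
}
```

The `isSecure()` check and the explicit http base are the two things a practitioner would want beyond the bare `sendRedirect`: the first guards against a misconfigured descriptor, the second against the redirect silently landing on the wrong port.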
Joined: Aug 02, 2004
Well, I think I was basically just being an idiot and not thinking the problem through very well.
I got it in my head that it was common practice that after submitting data from a secure page, you were returned to a non-secure page...so I got set on doing that. But your point is dead-on -- it doesn't make sense for it to work this way, since there's only one request/response in this scenario.
The correct solution, it seems, is to make sure any subsequent links (from the "thanks for paying" page) are straight http links (your point in your first response). This way you can switch back to http for any further non-secure activity.