aspose file tools*
The moose likes Servlets and the fly likes From https BACK to http? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » Servlets
Bookmark "From https BACK to http?" Watch "From https BACK to http?" New topic
Author

From https BACK to http?

Dave Wood
bronco
Ranch Hand

Joined: Aug 02, 2004
Posts: 161
I hate that I don't know this and can't seem to find much discussion on it anywhere...hoping someone here can help.

If I use something like this in my web.xml:

...all is fine. The server automatically redirects this page to https. Lovely.

But what's the "right" way to get the user BACK over to plain http after that? I want the CC information entered on that page to go over SSL, of course, but after that, I want to switch back to straight http.

Thanks much.


Co-Author of <a href="http://www.oreilly.com/catalog/jswing2" target="_blank" rel="nofollow">Java Swing</a><br />Co-Creator of <a href="http://www.sun.com/training/catalog/courses/CX-310-055.xml" target="_blank" rel="nofollow">SCJP 5.0</a> and <a href="http://www.sun.com/training/certification/java/associate_beta.xml" target="_blank" rel="nofollow">SCJA</a> exams
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12681
    
    5
Just glancing over the API, it looks like any resource other than that one jsp file should not trigger the security-constraint. Naturally you would have to have the user follow a link that used "http" instead of "https".
What have you actually tried?
Bill


Java Resources at www.wbrogden.com
Dave Wood
bronco
Ranch Hand

Joined: Aug 02, 2004
Posts: 161
Thanks Bill.

You are definitely correct that if I make an explicit http link, that will take care of it...but that's not quite what I want.

I'm submitting a form (with, say, CC information), so I want that submission to be secure. However, the subsequent page should not be secure. I'm sure I can make this work with proper forwarding after processing the form submission, I was just hoping/thinking that there might be a declarative way to get this to happen without having to dirty up the servlet code with knowledge of such things.
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12681
    
    5
I'm sure I can make this work with proper forwarding after processing the form submission,

It sounds like you thinking about changing the connection for a given request from https to http in mid request by some sort of forwarding magic. That is impossible, once created as a https connection, you can't change it.

You could redirect (NOT forward) to a http URL - that would cause the client to make a new request which can be insecure. What is the object of making the switch back to http?
Bill
Dave Wood
bronco
Ranch Hand

Joined: Aug 02, 2004
Posts: 161
Well, I think I was basically just being an idiot and not thinking the problem through very well.

I got it in my head that was common practice that after submitting data from a secure page, you were returned to a non-secure page...so I got set on doing that. But your point is dead-on -- it doesn't make sense for it to work this way since there's only one request/response in this scenario.

The correct solution, it seems, is to make sure any subsequent links (from the "thanks for paying" page) are straight http links (your point in your first response). This way you can switch back to http for any further non-secure activity.

Thanks again.

Dave
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: From https BACK to http?
 
Similar Threads
web.xml security-constraint question
http https switch
Switching from HTTPS back to HTTP
Filters
Switch back to HTTP after HTTPS page