Thank you in advance for your help as I have been looking for an answer to this problem for more than a week now. I have seen this question all over the net, but never an answer.
What I want to know is, is there a standard way (vender neutral) to use the container authentication to redirect the user to a secure login page (via SSL) and then once the user authenticates return to a not-SSL application? Basically, how do you make only the login page use SSL and all of the rest of my app use standard http?
I am using FORM authentication method….
What I would like to see happen is when I go to simpleFormLogin.jsp I use SSL (https//…) on the page and on the post to the j_security_check URL so that the password is encrypted. Then when it redirects back to the page the user originally requested, which could be any page in the app, it goes back to a non-SSL request (i.e.. http://...).
Maybe I am missing something easy, or maybe it can’t be done in a “standard way”? I also realize the security implications, but these are the requirements given to me, and I have to live with them.
I have even tried to rewrite the j_security_check URL in the form when the simpleFormLogin.jsp is built to go to https//…./j_security_check. Using Tomcat, that sent the form via SSL, but then when the original user requested page comes up it is still using SSL, Doh!!!
Anyway, your help would be greatly appreciated by me and others who are trying to solve this problem.
Thank you in advance,
Jeff Osborn<br />Procelerate Technologies<br /><a href="http://procelerate.com" target="_blank" rel="nofollow">procelerate.com</a>
I have been looking for this information as well. I am now able to allow/block extensions through <security-constraint> but am not able to pick and chose secure/non-secure pages. I found a lot of pages that confirms you can do it but none that has any specific examples. I have been reading about rewrite rules but have not been able to located anything related to our topic.
Please let me know if you have found something.
"For a reasonably busy site, it is customary to only run certain pages under SSL, namely those pages where sensitive information could possibly be exchanged. This would include things like login pages, personal information pages, and shopping cart checkouts, where credit card information could possibly be transmitted. Any page within an application can be requested over a secure socket by simply prefixing the address with https: instead of http:. Any pages which absolutely require a secure connection should check the protocol type associated with the page request and take the appropriate action if https is not specified."
Joined: Jun 12, 2006
Sorry I did not re-post, but I got yanked onto something else before I worked all of the bugs out of my solution. However, I can give you a pointer to the solution and if you get there before I get back to it, then please do post the full solution for everyone.
shows the web.xml for setting this up (a secure area, a non-secure area). The trick is this redirector filter. You see there are two things going on here. First is the password redirect by the container, the second is the security constraint on the secure area. What the redirect does is that it sends it through the xml logic to say “oh yes, I need to switch to https because this is going to a secure area”, and tada it works! If you don’t redirect it just goes to that page via http.
The real trick then, is to revert back to http, and for that I implemented a second filter that rebuilds the URL with http.... and redirect to that, for any page that is not the login page and has a req.getScheme() equal to "https" . I got that working in pre-pre-prototype code, but I thought I got it to work before getting yanked off.
Here is the code for the RevertFromHttpsToHttpFilter to swap back (remember it is very rough, so don't slam me for putting it out here, I am just trying to help)
You will want to add the request parameters and you will have to initialize the RevertFromHttpsToHttpFilter with the httpPortNumber. Here is what I have in my web.xml
You should have enough info, between that and the link I gave you.