JavaRanch » Java Forums » Products » Tomcat
How do I secure only my login page? Please help!

Jeff Osborn
Greenhorn

Joined: Jun 12, 2006
Posts: 8
Thank you in advance for your help as I have been looking for an answer to this problem for more than a week now. I have seen this question all over the net, but never an answer.

What I want to know is, is there a standard way (vendor neutral) to use the container authentication to redirect the user to a secure login page (via SSL) and then, once the user authenticates, return to a non-SSL application? Basically, how do you make only the login page use SSL and all of the rest of my app use standard http?

I am using FORM authentication method….
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>UserDatabase</realm-name>
        <form-login-config>
            <form-login-page>/simpleFormLogin.jsp</form-login-page>
            <form-error-page>/simpleFormLoginFailed.jsp</form-error-page>
        </form-login-config>
    </login-config>

What I would like to see happen is when I go to simpleFormLogin.jsp I use SSL (https://…) on the page and on the post to the j_security_check URL so that the password is encrypted. Then when it redirects back to the page the user originally requested, which could be any page in the app, it goes back to a non-SSL request (i.e. http://...).

Maybe I am missing something easy, or maybe it can’t be done in a “standard way”? I also realize the security implications, but these are the requirements given to me, and I have to live with them.

I have even tried to rewrite the j_security_check URL in the form when the simpleFormLogin.jsp is built to go to https://…/j_security_check. Using Tomcat, that sent the form via SSL, but then when the page the user originally requested comes up it is still using SSL, Doh!!!

I really don’t want to put a bunch of onLoad JavaScript to check for a secure connection (request.isSecureConnection) and redirect to the non-SSL version of the page. I’m thinking that dealing with all of the request params etc. is more than you should be wrangling in JavaScript, as well as the possibility of a double commit of data changes (in the case where you submit a change and time out, log in, put up the secure page (commit #1), and redirect to the non-secure page (commit #2)).

Anyway, your help would be greatly appreciated by me and others who are trying to solve this problem.

Thank you in advance,

Jeff


Jeff Osborn, Procelerate Technologies, http://procelerate.com
A bheja
Greenhorn

Joined: Mar 17, 2009
Posts: 1
I have been looking for this information as well. I am now able to allow/block extensions through <security-constraint> but am not able to pick and choose secure/non-secure pages. I found a lot of pages that confirm you can do it but none that has any specific examples. I have been reading about rewrite rules but have not been able to locate anything related to our topic.

Please let me know if you have found something.

Thanks!

"For a reasonably busy site, it is customary to only run certain pages under SSL, namely those pages where sensitive information could possibly be exchanged. This would include things like login pages, personal information pages, and shopping cart checkouts, where credit card information could possibly be transmitted. Any page within an application can be requested over a secure socket by simply prefixing the address with https: instead of http:. Any pages which absolutely require a secure connection should check the protocol type associated with the page request and take the appropriate action if https is not specified."
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
Jeff Osborn
Greenhorn

Joined: Jun 12, 2006
Posts: 8
Hi,

Sorry I did not re-post, but I got yanked onto something else before I worked all of the bugs out of my solution. However, I can give you a pointer to the solution and if you get there before I get back to it, then please do post the full solution for everyone.

This thread...
http://tomcat.markmail.org/message/vbp4uo7czjyzuehn?q=SSL+just+on+login+page#query:SSL%20just%20on%20login%20page+page:1+mid:erkojom75k4baqmi+state:results

shows the web.xml for setting this up (a secure area, a non-secure area). The trick is this redirector filter. You see there are two things going on here. First is the password redirect by the container, the second is the security constraint on the secure area. What the redirect does is that it sends it through the xml logic to say “oh yes, I need to switch to https because this is going to a secure area”, and tada it works! If you don’t redirect it just goes to that page via http.

The real trick then is to revert back to http, and for that I implemented a second filter that rebuilds the URL with http.... and redirects to that, for any page that is not the login page and has a req.getScheme() equal to "https". I got that working in pre-pre-prototype code, but I thought I got it to work before getting yanked off.
Here is the code for the RevertFromHttpsToHttpFilter to swap back (remember it is very rough, so don't slam me for putting it out here, I am just trying to help)



You will want to add the request parameters and you will have to initialize the RevertFromHttpsToHttpFilter with the httpPortNumber. Here is what I have in my web.xml



You should have enough info, between that and the link I gave you.

Good luck, and let us know how it goes,

Jeff
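The approach the two Jeff Osborn posts above describe (the container forces the login area onto SSL, a filter sends everything else back to plain http), as an added example. This is not the poster's RevertFromHttpsToHttpFilter, whose code did not survive on the page, and it is not code from the linked markmail thread: it folds the "redirector" and the "revert" filters into one class. The class name SslOnlyForLoginFilter, the package name, the httpsPortNumber and securePaths init-params and the web.xml wiring in the class comment are assumptions of this example; httpPortNumber and the page names come from the thread. It is written against the Servlet 2.4/2.5 API (javax.servlet) that Tomcat 5.5 and 6 implement. The FORWARD dispatcher mapping matters because Tomcat's FormAuthenticator forwards to the login page rather than redirecting to it, so a filter mapped only to REQUEST never sees the login form being served over http, and the <security-constraint> never fires for it either, since the request URI is still the page the user asked for.

```java
package com.example.web;  // hypothetical package name for this example

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Keeps only the login area on SSL: requests for the login pages that arrive
 * over plain HTTP (including the container's internal FORWARD to the login
 * form) are redirected to HTTPS, and GETs for anything else that arrive over
 * HTTPS are redirected back to plain HTTP.
 *
 * Assumed web.xml wiring (page names from the thread). The constraint has no
 * auth-constraint, so anonymous users can still reach the login page, and it
 * covers j_security_check so a credential POST is never accepted over http:
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>login over SSL</web-resource-name>
 *       <url-pattern>/simpleFormLogin.jsp</url-pattern>
 *       <url-pattern>/simpleFormLoginFailed.jsp</url-pattern>
 *       <url-pattern>/j_security_check</url-pattern>
 *     </web-resource-collection>
 *     <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
 *   </security-constraint>
 *   <filter>
 *     <filter-name>SslOnlyForLoginFilter</filter-name>
 *     <filter-class>com.example.web.SslOnlyForLoginFilter</filter-class>
 *     <init-param><param-name>httpPortNumber</param-name><param-value>8080</param-value></init-param>
 *     <init-param><param-name>httpsPortNumber</param-name><param-value>8443</param-value></init-param>
 *     <init-param><param-name>securePaths</param-name>
 *       <param-value>/simpleFormLogin.jsp,/simpleFormLoginFailed.jsp,/j_security_check</param-value></init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>SslOnlyForLoginFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *     <dispatcher>REQUEST</dispatcher>
 *     <dispatcher>FORWARD</dispatcher>
 *   </filter-mapping>
 */
public class SslOnlyForLoginFilter implements Filter {

    private int httpPort = 80;
    private int httpsPort = 443;
    private final Set<String> securePaths = new HashSet<String>();

    public void init(FilterConfig config) throws ServletException {
        String p = config.getInitParameter("httpPortNumber");
        if (p != null) httpPort = Integer.parseInt(p.trim());
        p = config.getInitParameter("httpsPortNumber");
        if (p != null) httpsPort = Integer.parseInt(p.trim());
        // Comma-separated, context-relative paths that must be served over SSL.
        p = config.getInitParameter("securePaths");
        if (p != null) securePaths.addAll(Arrays.asList(p.trim().split("\\s*,\\s*")));
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // During a FORWARD these path methods describe the forward target, i.e. the login page.
        String pathInfo = request.getPathInfo();
        String path = request.getServletPath() + (pathInfo == null ? "" : pathInfo);
        String target = redirectTarget(request.isSecure(), request.getMethod(),
                request.getServerName(), request.getContextPath() + path, path,
                request.getQueryString());
        if (target == null) {
            chain.doFilter(req, res);   // already on the right scheme for this path
        } else {
            ((HttpServletResponse) res).sendRedirect(target);
        }
    }

    /** Pure decision logic, unit-testable without a container; null means pass through. */
    String redirectTarget(boolean secure, String method, String host, String requestUri,
                          String contextRelativePath, String query) {
        boolean mustBeSecure = securePaths.contains(contextRelativePath);
        if (mustBeSecure == secure) return null;                 // nothing to change
        if (!mustBeSecure && !"GET".equals(method)) return null;  // a 302 would turn a POST into a GET
        StringBuilder url = new StringBuilder(mustBeSecure ? "https://" : "http://").append(host);
        int port = mustBeSecure ? httpsPort : httpPort;
        if (port != (mustBeSecure ? 443 : 80)) url.append(':').append(port);
        url.append(requestUri);
        if (query != null) url.append('?').append(query);         // keep the original parameters
        return url.toString();
    }

    public void destroy() { }
}
```

Walking through the flow: a user hits a protected page over http, the container saves that request in the session and forwards to simpleFormLogin.jsp; the filter sees the forward, notices the connection is not secure and redirects to the https URL of the login page. The form then posts to j_security_check over https, the container redirects to the saved URI (still https), and the filter sends that GET back to http. A saved POST is restored by the container and passed through unchanged, so it is committed exactly once and never turned into a body-less GET by a redirect, which addresses the double-commit worry in the first post. Two things to check after deploying: keep the <url-pattern> list in the constraint and the securePaths list identical, otherwise a page one of them covers and the other does not bounces between schemes forever; and remember that this protects only the password. Once the browser is back on http, the JSESSIONID cookie crosses the wire in the clear on every request, so anyone who can read the traffic can take over the logged-in session. That is the security implication the first post says it has to live with.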