JavaRanch » Java Forums » Java » Servlets
How to use https for login only?

Gaurav Purandare
Greenhorn

Joined: Apr 06, 2009
Posts: 19
Hello,

I am trying to use https for sending login information from client to server; but after the client is authenticated he should be redirected to his home page using http.
Using https for the rest of the pages is unnecessary.

I am not sure if it is possible to do this. Also, I am not sure how the session information communicated to the client using https can be utilized for http requests; the cookie would be encrypted, right?

Any links to resources related to this issue would be helpful.

Gaurav
Marco Ehrentreich
best scout
Bartender

Joined: Mar 07, 2007
Posts: 1282

Hi Gaurav,

you have to define a <security-constraint> element in your web.xml descriptor with a nested <user-data-constraint> to define <transport-guarantee> "CONFIDENTIAL", which means secure/HTTPS. The <security-constraint> accepts the well-known URL patterns in the descriptor, which should be defined according to your login page.

But be careful, if you use HTTP basic authentication the password is re-transmitted for any page which requires authentication. If you use this form of authentication, the user password would only be secured during login!

Marco
Mukesh Ranjan
Greenhorn

Joined: Jun 24, 2009
Posts: 22
> Marco Ehrentreich wrote: Hi

It will be good if you provide an example of that.

Marco Ehrentreich
best scout
Bartender

Joined: Mar 07, 2007
Posts: 1282

Did you mean an example of how to configure the web.xml descriptor? I think here's an understandable example which configures the security features for every URL matching the "/private/*" pattern. Only users with the role "cms_editors" are allowed for this URL pattern and the <transport-guarantee> "CONFIDENTIAL" means that the user data should be secured, which is typically done via SSL/TLS encryption on top of HTTP, i.e. by using the HTTPS protocol.

I think you'll find lots of other examples using Google ;-)

Marco
Leonardo Carreira
Ranch Hand

Joined: Apr 07, 2009
Posts: 489

Hi all..

This post is interesting to me...

how do I enable SSL in Tomcat v6?..
Sorry for the basic question...

Thanks in advance..

Marco Ehrentreich
best scout
Bartender

Joined: Mar 07, 2007
Posts: 1282

Hi Leonardo,

although it's a little bit off-topic, the basic steps are:

1) decide which SSL engine to use (Tomcat's own or OpenSSL based)
2) create a Java keystore or an X.509 certificate depending on the SSL engine you want to use
3) configure Tomcat to use SSL and the said keystore/certificate

I'd start with Tomcat's own SSL implementation. In the "bin/" directory of your JDK is a binary called "keytool" which you can use to create a keystore. Then in the usual Tomcat server.xml config, there's already a basic starting configuration for SSL which is only commented out.

If you use Google a little bit, I'm sure you can figure the rest out yourself. If you're still having problems, feel free to ask! Besides, I'm very, very sure this question has already been asked in the Tomcat forum ;-)


Marco
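The three steps above, carried out for Tomcat 6's own (JSSE) SSL implementation, as an added example that is not part of the original post. The keystore path, alias, password and port numbers are placeholders chosen for illustration; the keytool invocation in the comment is the JDK tool Marco refers to.

```xml
<!-- conf/server.xml fragment: added example, not from the original thread.
     Keystore path, alias, password and ports are assumptions/placeholders.

     Step 2: create the keystore with the JDK's bin/keytool before starting
     Tomcat. keytool generates a self-signed certificate, which browsers
     will warn about; for production, send a CSR (keytool -certreq) to a CA
     and import the signed certificate (keytool -importcert) under the
     same alias.

       keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \
               -validity 365 -keystore /opt/tomcat/conf/keystore.jks

     Answer the "first and last name" prompt with the server's host name:
     that is the field browsers compare against the host in the URL.
     Verify the result with:

       keytool -list -v -keystore /opt/tomcat/conf/keystore.jks

     Step 3: enable the HTTPS connector. Tomcat 6 ships this block
     commented out; the attributes below point it at the keystore. -->
<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true"
           scheme="https" secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="/opt/tomcat/conf/keystore.jks"
           keystorePass="changeit"
           keyAlias="tomcat"
           maxThreads="150" />

<!-- The plain HTTP connector must name the HTTPS port in redirectPort:
     that is where Tomcat sends the browser when a request for a URL
     under a CONFIDENTIAL <transport-guarantee> arrives over http://.
     Tomcat's default server.xml already pairs 8080 with 8443. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
```

After restarting Tomcat, open https://host:8443/ and accept the self-signed certificate warning; then request a CONFIDENTIAL-protected page over http://host:8080/ and confirm in the browser that it is redirected to the 8443 connector. If the redirect goes to the wrong port, the redirectPort attribute on the plain connector is the first thing to check.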
Leonardo Carreira
Ranch Hand

Joined: Apr 07, 2009
Posts: 489

How about Tomcat's own SSL?..
What are the weaknesses of using Tomcat's own SSL?..

Thanks in advance..
Marco Ehrentreich
best scout
Bartender

Joined: Mar 07, 2007
Posts: 1282

Sorry, I don't know many details, but OpenSSL is a native library available for many operating systems and I think this could be a small improvement in performance. I guess security is not an issue as long as there's no bug in the implementation (which could be in Tomcat and OpenSSL as well).

If the main reason is performance I think you should forget about the difference and use Tomcat's own SSL support as it works out of the box. With any normal web application with a database backend and no requirements for real high speed or many, many users you probably won't notice any difference as the database and network latency will make requests much slower than the performance gain of a few milliseconds you'd get by using OpenSSL.

Perhaps someone else knows more details about the difference...

Marco
Gaurav Purandare
Greenhorn

Joined: Apr 06, 2009
Posts: 19
Hello Marco,

> Marco Ehrentreich wrote:
> you have to define a <security-constraint> element in your web.xml descriptor with a nested <user-data-constraint> to define <transport-guarantee> "CONFIDENTIAL", which means secure/HTTPS. The <security-constraint> accepts the well-known URL patterns in the descriptor, which should be defined according to your login page.


As you said, we have to change the web.xml to employ security ("CONFIDENTIAL") for all the resources following a certain URL pattern. For doing this we need to add a certificate or keystore.

So when the user accesses, say, the "login.htm" page, the communication is carried over http, i.e. it does not require any authentication for accessing this page, but when the user clicks on "login" he goes to an "authentication page" which carries out the authentication using https, and if the user is authentic it sets the session cookie and redirects the page to, say, "home.htm"; else an "error page" is displayed. Henceforth the communication takes place using http.
In this scenario only the "authentication page" needs to be secure.

I am not sure if I am right; would you please clarify it a bit further.

Thank you.
Marco Ehrentreich
best scout
Bartender

Joined: Mar 07, 2007
Posts: 1282

OK, first it should be clear that authentication is not the same as securing the data transport!

Authentication is the process of determining the user's identity. This should be done by the container (Tomcat) and is configured with the <auth-constraint> element sitting on the same level as the <user-data-constraint> element which will be used for securing the data. You can choose between different authentication mechanisms (HTTP basic or digest authentication, form login), which in your case is most probably a form login on the login page. Tomcat automatically redirects to this page if the user tries to access another page which requires an authenticated user. The pages which need authentication are defined via URL pattern(s) inside a <web-resource-collection> element. Note: all the said elements are inside a <security-constraint> element.

Securing data transport with SSL is another thing. This is needed to protect the data transferred between the browser and web server. It works similarly to authentication in regard to the definition of one or more URL patterns which should be protected. With a normal web application you usually define a <user-data-constraint> element which configures what kind of security is needed. Usually you will define <transport-guarantee>CONFIDENTIAL</transport-guarantee>, where "confidential" means SSL encryption for virtually all web applications (although other settings would be possible).

So you have to configure the authentication part to trigger authentication for any page (or all pages) which should only be accessed by a user who has logged in correctly.

Additionally you declare confidential data transport for the same or other pages or only the login page, which instructs Tomcat to redirect the browser to an HTTPS URL scheme when such a page is accessed.

Have a look at Sun's documentation for a more detailed explanation of all the configuration elements ;-) It's hard to explain here in text mode how all the elements fit together and are nested inside each other.

As a warning, I already told you that it's NOT sufficient to use SSL only for the login page IF you use HTTP basic authentication (this is the well-known popup where the browser asks you for a username and password). This would be insecure because the password, which is almost in cleartext, is not only transmitted to the login page but to all subsequent pages which require authentication. You DON'T have to worry about this if you have an extra login page with some form to type in the username and password.

I hope this helps, but as advice, read the documentation to fully understand what you're doing here!

Marco
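The descriptor Marco describes in his two replies above (the "/private/*" pattern, the "cms_editors" role and the CONFIDENTIAL transport guarantee from his earlier example, plus the <auth-constraint>, <web-resource-collection> and form-login elements from this one), written out as an added example; it is not code from the original thread. The page names login.jsp and login-error.jsp, the Servlet 2.5 schema and the placement of the elements are assumptions for illustration.

```xml
<!-- WEB-INF/web.xml (Servlet 2.5): added example, not from the original
     thread. Role name, page names and URL patterns are assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- One <security-constraint> holds both halves Marco separates:
       <auth-constraint>      = WHO may access (authentication/authorization)
       <user-data-constraint> = HOW the bytes travel (transport security) -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Private pages</web-resource-name>
      <url-pattern>/private/*</url-pattern>
      <!-- No <http-method> elements: the constraint covers every method.
           Listing only GET/POST would leave other methods unprotected. -->
    </web-resource-collection>

    <!-- Only users the realm places in cms_editors may pass. -->
    <auth-constraint>
      <role-name>cms_editors</role-name>
    </auth-constraint>

    <!-- CONFIDENTIAL: a request for /private/* arriving over http:// is
         redirected to the https:// connector (the redirectPort in
         server.xml) before anything else happens. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- FORM login, as Marco expects for a login page: the container
       forwards to login.jsp when an unauthenticated user requests
       /private/*. The form must POST the fields j_username and
       j_password to the action j_security_check. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role named in an <auth-constraint> must be declared. -->
  <security-role>
    <role-name>cms_editors</role-name>
  </security-role>
</web-app>
```

With this descriptor an unauthenticated request for a /private/ URL is first redirected to https, and only then does the container forward to login.jsp, so the form and its POST to j_security_check both travel over TLS. Two caveats for the "HTTPS for login only" plan in the original question. First, the container forwards to the login page inside the request for the protected URL, so a CONFIDENTIAL constraint declared on /login.jsp alone is never consulted on that path and the form is delivered on whatever scheme the protected page was requested with; a CONFIDENTIAL constraint on j_security_check alone is worse, because the redirect it triggers turns the browser's POST into a GET and the credentials are lost. Second, the session cookie is not itself encrypted; TLS only protects the connection it travels over. Check the Set-Cookie header the login response returns: if the container marks a JSESSIONID created over HTTPS as Secure, the browser will not send it on later http:// requests at all, and if it does not, the session id is exposed in the clear on every plain-HTTP page.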
Gaurav Purandare
Greenhorn

Joined: Apr 06, 2009
Posts: 19
Thank you for clearing that up, I will read through the documentation as advised and will get back to you if needed.
Marco Ehrentreich
best scout
Bartender

Joined: Mar 07, 2007
Posts: 1282

You're welcome!

And of course feel free to ask if there are questions! The topic is just a little bit too big to explain here in detail without creating a complete sample application. But that is surely nothing which would help you to learn how it works. And I think the deployment descriptor is an important thing everyone should know who's working on Java based web applications ;-) Give it a try, it's not too hard!

Marco
Mukesh Ranjan
Greenhorn

Joined: Jun 24, 2009
Posts: 22
> Mukesh Ranjan wrote:
> Here we need to create one SSL certificate and the application server will need to be configured for SSL/HTTPS communication.
> After that the web.xml will require a mapping for <security-constraint ...> where we will put the URL, and the transport guarantee will be set to 'CONFIDENTIAL'.
> Let's try one as a sample.
> Hopefully it should work.