aspose file tools*
The moose likes JSP and the fly likes Using https for certain JSP Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » JSP
Bookmark "Using https for certain JSP" Watch "Using https for certain JSP" New topic
Author

Using https for certain JSP

Akhil Kashyap
Greenhorn

Joined: Feb 12, 2010
Posts: 17
Hi,

I am working on a web application the environment for which is as mentioned below:

JSP/Servlet
EJB 2.0
MS SQL Server 2000
JBoss 3.2

As of now this app is using http protocol but now I have to develop a new page in this app which should be secure i.e. should use https instead of http.

I have searched and found ways to move entire web app from http to https.

But I need only certain pages to use https. Can some one guide me how to make certain JSPs secured ?

Thanks & Regards,
Akhil.
Devaka Cooray
ExamLab Creator
Saloon Keeper

Joined: Jul 29, 2008
Posts: 3220
    
  49

<url-pattern> of <web-resource-collection> does what you want. However, securing an exact JSP doesn't look a reasonable approach, as you might not be securing the data after the submission. On the other hand, having a .jsp file directly exposed also implies that you didn't use a proper MVC approach. A better idea would be securing a specific context with a url pattern, and placing all your sensitive data into it.



Author of ExamLab ExamLab - a free SCJP / OCPJP exam simulator
What would SCJP exam questions look like? -- Home -- Twitter -- How to Ask a Question
Akhil Kashyap
Greenhorn

Joined: Feb 12, 2010
Posts: 17
Thanks Devaka Cooray :) for guiding me.

I am trying in light of what you have told me and will let you know.


Thanks & regards,
Akhil.
Akhil Kashyap
Greenhorn

Joined: Feb 12, 2010
Posts: 17
Hi,

I am successful to secure certain pages using

in web.xml.

My JBoss is listening for http requests on port 80 and for https on port 443.

Below is excerpt of my Jboss-3.2.2RC3\server\default\deploy\jbossweb-tomcat41.sar\META-INF\jboss-service.xml



But now for example page abc.jsp is secured by "<transport-guarantee>" so when this page is requested url gets changed to "https://localhost/jsp-folder/abc.jsp" (which is expected)
and now if user opts for say xyz.jsp which is not secured by "<transport-guarantee>" yet the url remains "https://localhost/jsp-folder/xyz.jsp". (not expected)

Can any one guide is there something I am missing so that non-secure pages can be accessed using http?

Thanks & regards,
Akhil.
Akhil Kashyap
Greenhorn

Joined: Feb 12, 2010
Posts: 17
Hi,

Finally I am successful to get certain pages opened via https and others via http.

I have achieved this using filter and a list containing list of jsp pages which should be accessed using https.

Now filter was constatntly intercepting the request and checking the uri against the list of secure pages.


Thanks & regards,
Akhil.
renuka metukuru
Greenhorn

Joined: May 23, 2012
Posts: 2
Hi,

I have the same requirement. In my application i have to make one of the jsp as secure.. So I have followed the procedure given below i.e defining security-constraint tag and define the jsp url pattern in that.

Now whenever request is made to that jsp, it turns as secure. i mean https request. Now the problem is, when the request is forwarded/action is submitted to other resource from this secured jsp, the other resource also opened as secure. is it expected? how to get rid of this.

Thanks
MRK
renuka metukuru
Greenhorn

Joined: May 23, 2012
Posts: 2
HI Akhil,

I am able to make certain page as https. But its not redirecting from https to http. Please provide the details on how to redirect from https to http.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16250
    
  21

Hi Renuka, welcome to the JavaRanch!

You should have looked at the date of that message thread. It's rather old. A problem with reviving old message threads ("awakening a zombie") is that the people who were discussing it may no longer be interested. For really old threads, they might not even have the same employers any more or the same job needs. It's better to just start a new thread of your own.

One of the things that happens when you switch from HTTP transport to HTTPS is that a new, secure sessionID is created and the original nonsecure sessionID is discarded. So there's some overhead involved. Generally speaking once you enter HTTPS you want to stay there. First, because of the switching overhead and secondly because it's harder to stay really secure if you keep switching secure transport on and off.


Customer surveys are for companies who didn't pay proper attention to begin with.
 
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
 
subject: Using https for certain JSP