I do not recommend flip-flopping between SSL and non-SSL. You can end up exposing critical data, since presumably, the reason you entered SSL mode to begin with was to access secure information that would be exploitable on an open channel. And as a consequence of entering secure transport mode, Tomcat will have changed your session ID.
I haven't actually paid as much attention to the details as I might have, since this is one of these mechanisms that "just works" and there are too many other mechanisms that don't, but my impression is that once you enter SSL, you're going to stay there, even on pages not tagged for secure transport, at least unless you explicitly request otherwise (URLs beginning with "http" instead of "https"). But if you do and you manage to use the SSL-based sessionID, you will definitely have a possible exploit point.
Customer surveys are for companies who didn't pay proper attention to begin with.
Thanks for your replies. The reason for just one page without SSL is a specific purpose which I have no control over.
How can I force all webpages to go to SSL except noSSL.jsp?
Please help. Thanks.
You can check whether it is being accessed via SSL in the page controller (however that is implemented - you should not access JSPs directly), and do a redirect to the non-SSL URL if it is. I don't think there's a way to tell Tomcat to do that by itself. If the Tomcat is fronted by an Apache, then this would be trivial using the mod_rewrite module.
The web.xml deployment descriptor can be used to enforce SSL or permit non-SSL by writing appropriate transport guarantees paired with URL patterns. I'm not aware offhand of how application program logic could reliably determine whether the received URL came in via HTTP or HTTPS. By the time the app gets the data it's no longer encrypted (if it ever was) and I suspect that an "https" on the front of the URL can be faked, but with proper container enforcement, it doesn't matter.
I do have JSPs that are not controller-backed, but that's because they're too trivial to have business logic in them. Stuff like "Hello" pages. So it's relatively easy for me to set up useful URL patterns. Apps that jump straight into heavy processing would need a Controller.
And yet one more reason why I encourage use of the built-in J2EE container security over DIY login/access systems is that the container can handle all of this as a seamless unit.
I finally managed to do it. Append the following to the project's web.xml:
Only sub/noSSL.jsp has no SSL. All other webpages in the project have SSL.
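The following is an added illustration of the web.xml approach described above (transport guarantees paired with URL patterns, and the "everything except sub/noSSL.jsp" outcome the original poster reports); it is not the poster's own snippet, which is not reproduced in the thread. It assumes the exception page lives at /sub/noSSL.jsp and goes inside the `<web-app>` element of WEB-INF/web.xml:

```xml
<!-- Added example, not the original poster's configuration.
     Two servlet-spec security constraints: a catch-all that requires HTTPS,
     and an exact-match exception for the one page that must stay reachable
     over plain HTTP. Neither has an <auth-constraint>, so no login is
     demanded; only the transport is constrained. -->

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Everything over HTTPS</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <!-- CONFIDENTIAL: a plain-HTTP request for any matching URL is
             redirected by Tomcat to the HTTPS connector named by the
             HTTP connector's redirectPort attribute in server.xml. -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Plain-HTTP exception</web-resource-name>
        <!-- Exact-match patterns take precedence over the /* prefix match,
             so this constraint, not the one above, governs this page. -->
        <url-pattern>/sub/noSSL.jsp</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <!-- NONE: the page may be served over either scheme. It does not
             force a downgrade to HTTP; an https:// request still succeeds. -->
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```

Two checks before relying on this: the HTTP connector in server.xml must carry a `redirectPort` that points at a working HTTPS connector, otherwise the CONFIDENTIAL constraint yields a redirect to a port nothing is listening on; and a session cookie flagged Secure is never sent by the browser on a plain-HTTP request, so the noSSL.jsp page should not expect to see the session established on the HTTPS pages. That is the practical form of the caveat raised earlier in the thread about carrying an SSL-established session onto an unencrypted page.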