Hi, I need to protect a bunch of JSPs which need to be accessed only when somebody logs in to the application, and prevent users from directly typing in the URL as http://hostname/anypage.jsp instead of https://hostname/anypage.jsp. How can I achieve this? I am using IIS as the web server and IBM WebSphere 4.0 as the application server. Right now, once a user logs in, the user is redirected to an application.jsp page through a servlet (the URL is https://hostname/application.jsp). Once you get to this page, the user is able to type in http://hostname/application.jsp and is able to continue with the process. I want to show a user the error page when the user types in http:// instead of https://. How can I achieve this? How do I protect those files? How can I 'sslProtect' these JSP files? Can anyone help me to solve this... I have been looking at the WebSphere documentation and all places on the web but haven't been able to find any documentation or help. Thanks in advance for all the help. Chuck Meduri
Hi, you can secure the application in many ways. I am suggesting a simple and easy way. a) Keep a session variable in the session in the login servlet. b) In all the JSPs, check for the variable which you placed in the session. If it exists, then continue, else redirect to the error page. This can be achieved by using an authorisation JSP (using the jsp:include tag) which checks the session variable; if the variable doesn't exist, then it will just redirect to the error page. Check whether this works.
The decision is always a trade-off, but if you are trying to protect enough pages I would recommend using configuration-based authentication rather than programmatic declaration. If you only have a few pages that a user needs to be logged in for, there isn't a large overhead to pasting the same code into each JSP. If there are heaps then it becomes more problematic, and it's a lot easier to configure the server to say "These pages here are secured". Have a look at BASIC or FORM-based authentication. The 'HTTP' versus 'HTTPS' problem can also be managed via explicit code or configuration. In the web.xml file, you can specify that the security for a set of resources is CONFIDENTIAL in the transport-guarantee tag. If this resource is requested under an insecure protocol, the server will send them the https version rather than the http version. Dave
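An added example, not part of Dave's post or the original thread, of the declarative web.xml approach he describes: one security-constraint that requires a logged-in user in a role and a CONFIDENTIAL transport for every JSP under a protected path, plus a FORM login-config. The path /app/*, the role name "user", and the page names login.jsp and loginError.jsp are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>

  <!-- Added example, not from the original thread. The path /app/*, the
       role "user" and the page names login.jsp / loginError.jsp are assumptions. -->

  <!-- Declarative protection for every resource under /app/:
       the auth-constraint means the container only serves these pages to an
       authenticated user in role "user" (unauthenticated requests go to the
       login page below), and the CONFIDENTIAL transport-guarantee means a plain
       http request is not served at all: the container redirects the browser
       to the https URL instead, so typing http:// by hand no longer works. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected application pages</web-resource-name>
      <url-pattern>/app/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- FORM-based login: the login page must POST the fields j_username and
       j_password to the action j_security_check; the container handles the
       rest and returns the user to the page originally requested. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Application</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Role referenced by the auth-constraint; it is mapped to real users or
       groups in the container (WebSphere) at deployment time, not here. -->
  <security-role>
    <role-name>user</role-name>
  </security-role>

</web-app>
```

With IIS in front of the application server, CONFIDENTIAL can only be enforced if the container learns which scheme the browser actually used, so test that a hand-typed http:// URL really is redirected rather than served.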