Our requirement is that we need to restrict access to JSPs/HTMLs, e.g. myjsp1.jsp, myjsp2.jsp etc. The username/password in the login page should be protected by SSL when they are transmitted back to the server, but the actual resources myjsp1.jsp and myjsp2.jsp do not need to be protected by SSL. But looking through the relevant security elements in web.xml, it seems that the only way that the username/password from the login page can be protected by SSL is that myjsp1.jsp and myjsp2.jsp must also be protected by SSL. Can anyone please suggest a way so that only the login page is secured?
In theory you can set it up so that only the j_security_check page is encrypted. When the login page goes to submit the data to the j_security_check page, it notices that it is encrypted and must therefore negotiate a secure connection before sending the username/password. After the j_security_check page is completed, it redirects to the originally requested page, which will not be encrypted. I think. We tend to do all-or-nothing HTTPS, so that the entire site is encrypted or none is. But then any site we build with authentication typically has access to member details, and this is the real driver for the encryption, not just the login screen. Dave
Hari RamKrish (Greenhorn; joined Feb 10, 2003; 5 posts) posted:
Dave, thanks for your reply. The reason why we want to protect only the login page is that all the other pages are not confidential in nature and transmission of all the resources using HTTPS is slow. But the password entered by the user in the login page must be protected by SSL. We checked the Servlet 2.2 specification, and saw that the <login-config> element can only contain the following sub-elements (auth-method, realm-name, form-login-config). <form-login-config> can only contain (form-login-page, form-error-page). Our <login-config> looks like this:

    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>TestApp</realm-name>
      <form-login-config id="FormLoginConfig_1">
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/error.html</form-error-page>
      </form-login-config>
    </login-config>

There does not seem to be any subelement in <login-config> that can specify SSL protection for the login page only. Correct me if I am wrong, but to my understanding the <user-data-constraint> element containing the <transport-guarantee> applies to all the web resources specified inside the <web-resource-collection>, and if I set <transport-guarantee> to CONFIDENTIAL, it would apply to all web resources as well as the login page.
Is there any different way to achieve this? [ February 11, 2003: Message edited by: Hari RamKrish ]
Yep, correct so far. Then in your login.jsp, set the page that you post the login data to as https://yourdomain.com/j_security_check rather than http://yourdomain.com/j_security_check (or just j_security_check). Even though the contents of your login.jsp page won't be secured, the username and password will be encrypted in order for them to be sent to the secured j_security_check. I haven't tried it, but in theory it should work.
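The element that decides transport is <user-data-constraint>, and it is scoped to the <web-resource-collection> of its own <security-constraint>; web.xml may declare several such constraints, so the login page and the member pages can carry different guarantees. The following Python script is an added example, not code from this thread or from any poster. It embeds a constructed web.xml that forces CONFIDENTIAL on /login.jsp and /j_security_check only, requires the (assumed) role member for myjsp1.jsp and myjsp2.jsp with transport NONE, and then computes the effective policy per request path using the Servlet spec's best-match rule (exact, longest path prefix, extension, default) and its constraint-combination rules, simplified here to ignore <http-method>. The names effective_policy and audit_login_transport are mine; the check on /j_security_check assumes the container applies security constraints to that URL, which depends on the container, so Dave's absolute https:// form action remains a sensible complement.

```python
"""Audit which URLs of a web.xml must be served over TLS.

Added example for this thread; the web.xml below is constructed, not a
poster's real deployment descriptor.
"""
import xml.etree.ElementTree as ET

SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login over TLS</web-resource-name>
      <url-pattern>/login.jsp</url-pattern>
      <url-pattern>/j_security_check</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Members only</web-resource-name>
      <url-pattern>/myjsp1.jsp</url-pattern>
      <url-pattern>/myjsp2.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>TestApp</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.html</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
"""


def parse_constraints(web_xml):
    """One (url_patterns, roles, transport) triple per <security-constraint>.

    roles is None when there is no <auth-constraint> (no login needed),
    [] for an empty one (access precluded), otherwise the listed role names.
    """
    root = ET.fromstring(web_xml)
    constraints = []
    for sc in root.findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        auth = sc.find("auth-constraint")
        roles = None if auth is None else [r.text.strip() for r in auth.findall("role-name")]
        tg = sc.find("user-data-constraint/transport-guarantee")
        transport = "NONE" if tg is None else tg.text.strip().upper()
        constraints.append((patterns, roles, transport))
    return constraints


def match_rank(pattern, path):
    """Servlet-spec 12.1 matching: exact > longest prefix > extension > default.
    Returns a sortable key, or None when the pattern does not match the path."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)
    if pattern == "/":
        return (0, 0)
    return None


def effective_policy(web_xml, path):
    """Combine all constraints declared on the best-matching url-pattern."""
    constraints = parse_constraints(web_xml)
    best, best_key = None, None
    for patterns, _, _ in constraints:
        for pat in patterns:
            key = match_rank(pat, path)
            if key is not None and (best_key is None or key > best_key):
                best, best_key = pat, key
    if best is None:                       # unconstrained: plain HTTP, no login
        return {"pattern": None, "auth": "none", "transport": "NONE"}
    hits = [(roles, t) for pats, roles, t in constraints if best in pats]
    role_sets = [roles for roles, _ in hits]
    if any(roles == [] for roles in role_sets):
        auth = "denied"                    # an empty <auth-constraint> precludes access
    elif any(roles is None for roles in role_sets):
        auth = "none"                      # a constraint without auth-constraint opens it up
    else:
        auth = "roles:" + ",".join(sorted(set(sum(role_sets, []))))
    transports = [t for _, t in hits]
    if "NONE" in transports:               # union of accepted connection types: clear allowed
        transport = "NONE"
    elif "INTEGRAL" in transports:
        transport = "INTEGRAL"
    else:
        transport = "CONFIDENTIAL"
    return {"pattern": best, "auth": auth, "transport": transport}


def audit_login_transport(web_xml):
    """List the FORM login page and j_security_check if either may travel over plain HTTP."""
    login_page = ET.fromstring(web_xml).findtext("login-config/form-login-config/form-login-page")
    findings = []
    for path in filter(None, [login_page, "/j_security_check"]):
        policy = effective_policy(web_xml, path)
        if policy["transport"] != "CONFIDENTIAL":
            findings.append(f"{path}: transport-guarantee is {policy['transport']}, "
                            "credentials may be sent in the clear")
    return findings


if __name__ == "__main__":
    for p in ["/login.jsp", "/j_security_check", "/myjsp1.jsp", "/index.html"]:
        print(p, effective_policy(SAMPLE_WEB_XML, p))
    print("findings:", audit_login_transport(SAMPLE_WEB_XML))
```

Running it shows /login.jsp and /j_security_check as CONFIDENTIAL with no role required, /myjsp1.jsp as role member over NONE, and no findings; changing the first constraint's guarantee to NONE produces one finding per login path, which is the weak configuration the thread is trying to avoid.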
Patrick Finnegan (Ranch Hand; joined Mar 05, 2002; 179 posts) posted:
You are approaching this from completely the wrong angle. SSL protection is configured at the web server (Apache) level, which is why you cannot find any SSL web.xml options. You simply need to configure a pattern match in the Apache config file on the URI requests and search for login.jsp. Only requests containing the string "login.jsp" are redirected to https. e.g.

    RewriteCond %{REQUEST_URI} ^/login.jsp
    RewriteRule /login.jsp/* https://www.yourcompany.com/login.jsp [R=301,L]

If you need to configure https for the whole Java application then you could pattern match on the context root.

    RewriteCond %{REQUEST_URI} ^/APPCONTEXTROOT/*
    RewriteRule /APPCONTEXTROOT/* https://www.yourcompany.com/APPCONTEXTROOT [R=301,L]

Remember your Java app is supposed to be portable across environments and it may need to run in an installation with no SSL configured, so don't code anything that is SSL dependent.
Gergely Dombi (Greenhorn; joined Jan 12, 2003; 11 posts) posted:
Hi, we are building a similar application (in the sense that we want to put the login page under SSL but not the whole app). Can you please tell me some resources where I can read more on the SSL configuration of the IBM HTTP Server? Thanks a lot, Gergely