JavaRanch » Java Forums » Products » Websphere

Securing only login page

Hari RamKrish

Joined: Feb 10, 2003
Posts: 5
Our requirement is that we need to restrict access to JSPs/HTMLs, e.g. myjsp1.jsp, myjsp2.jsp etc. The username/password in the login page should be protected by SSL when they are transmitted back to the server, but the actual resources myjsp1.jsp and myjsp2.jsp do not need to be protected by SSL. But looking through the relevant security elements in web.xml, it seems that the only way that the username/password from the login page can be protected by SSL is that myjsp1.jsp and myjsp2.jsp must also be protected by SSL. Can anyone please suggest a way so that only the login page is secured?
David O'Meara

Joined: Mar 06, 2001
Posts: 13459

In theory you can set it up so that only the j_security_check page is encrypted.
When the login page goes to submit the data to the j_security_check page, it notices that it is encrypted and must therefore negotiate a secure connection before sending the username/password.
After the j_security_check page is completed, it redirects to the originally requested page, which will not be encrypted.
I think. We tend to do all-or-nothing HTTPS, so that the entire site is encrypted or none is. But then any site we build with authentication typically has access to member details, and this is the real driver for the encryption, not just the login screen.
Hari RamKrish

Joined: Feb 10, 2003
Posts: 5
Dave, thanks for your reply.
The reason why we want to protect only the login page is that all the other pages are not confidential in nature and transmission of all the resources using HTTPS is slow. But the password entered by the user in the login page must be protected by SSL.
We checked the Servlet 2.2 specification, and saw that the <login-config> element can only contain the following sub-elements (auth-method, realm-name, form-login-config). <form-login-config> can only contain (form-login-page, form-error-page).
Our <login-config> looks like this:
<form-login-config id="FormLoginConfig_1">

There does not seem to be any subelement in <login-config> that can specify SSL protection for the login page only.
Correct me if I am wrong, but to my understanding the <user-data-constraint> element containing the <transport-guarantee> applies to all the web resources specified inside the <web-resource-collection>, and if I set <transport-guarantee> to CONFIDENTIAL, it would apply to all web resources as well as the login page.

Is there any different way to achieve this?
[ February 11, 2003: Message edited by: Hari RamKrish ]
David O'Meara

Joined: Mar 06, 2001
Posts: 13459

Yep, correct so far.
Then in your login.jsp, set the page that you post the login data to as rather than (or just j_security_check)
Even though the contents of your login.jsp page won't be secured, the username and password will be encrypted in order for them to be sent to the secured j_security_check.
I haven't tried it, but in theory it should work.
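The two posts above (the web.xml constraints Hari describes, and David's suggestion of posting the form to an HTTPS j_security_check URL) can be checked mechanically. The following is an added example, not code from this thread or from WebSphere: it embeds two constructed Servlet 2.2-style web.xml fragments (no XML namespace), the all-or-nothing layout that Hari found, and a layout with a separate transport-only <security-constraint> (no <auth-constraint>) covering only /login.jsp and /j_security_check, and works out which <transport-guarantee> the deployment descriptor assigns to a given request path. The url-pattern matching (exact, "/prefix/*", "*.ext") follows the servlet specification; the rule that a path covered by several constraints takes the union of the accepted connection types, so a NONE anywhere wins, is the combination rule from later versions of the specification and is an assumption for a 2.2-era container. The role name "member" and the file names are constructed.

```python
"""Added example: which transport guarantee a web.xml assigns to each URL.

Two constructed deployment descriptors (not from the thread, not WebSphere's):
the all-or-nothing layout, and one where only the login flow is CONFIDENTIAL.
"""
import xml.etree.ElementTree as ET

# Constructed: the only layout the original poster could find. Every protected
# page, and therefore the whole authenticated session, is forced onto HTTPS.
WEB_XML_ALL_OR_NOTHING = """
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected pages</web-resource-name>
      <url-pattern>/myjsp1.jsp</url-pattern>
      <url-pattern>/myjsp2.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>member</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginerror.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
"""

# Constructed: authorization and transport split into two constraints.
# The second constraint has no <auth-constraint>, so it only dictates
# transport; it covers the login page and the j_security_check action.
WEB_XML_LOGIN_ONLY = """
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected pages</web-resource-name>
      <url-pattern>/myjsp1.jsp</url-pattern>
      <url-pattern>/myjsp2.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>member</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login over SSL</web-resource-name>
      <url-pattern>/login.jsp</url-pattern>
      <url-pattern>/j_security_check</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginerror.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
"""


def url_pattern_matches(pattern: str, path: str) -> bool:
    """Servlet-spec url-pattern forms: path prefix, extension, or exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path


def transport_guarantee(web_xml: str, path: str) -> str:
    """Effective transport guarantee for `path` (NONE, INTEGRAL, CONFIDENTIAL).

    Every matching <security-constraint> contributes its guarantee. The
    combination is the union of accepted connection types (assumed rule), so
    one matching constraint that says NONE leaves the path unprotected.
    """
    root = ET.fromstring(web_xml)
    found = []
    for sc in root.findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")]
        if any(url_pattern_matches(p, path) for p in patterns):
            found.append(sc.findtext("user-data-constraint/transport-guarantee", "NONE").strip())
    if not found or "NONE" in found:
        return "NONE"
    return "CONFIDENTIAL" if all(g == "CONFIDENTIAL" for g in found) else "INTEGRAL"


def login_form_posts_over_https(form_action: str) -> bool:
    """The form action itself must be an absolute https URL to j_security_check.

    A server-side redirect of the POST to HTTPS is too late: the credentials
    would already have crossed the network in the clear before the redirect.
    """
    return form_action.startswith("https://") and form_action.endswith("/j_security_check")


if __name__ == "__main__":
    for name, xml in (("all-or-nothing", WEB_XML_ALL_OR_NOTHING), ("login-only", WEB_XML_LOGIN_ONLY)):
        for p in ("/login.jsp", "/j_security_check", "/myjsp1.jsp", "/index.html"):
            print(f"{name:15} {p:18} {transport_guarantee(xml, p)}")
```

Two caveats for a deployment built this way: whether a container applies the user-data constraint to j_security_check before its own form-login handling is container specific, so the HTTPS form action is what actually keeps the password off the wire; and once the login completes over plain HTTP the session cookie travels in the clear, so the "only the login page" design protects the password but not the authenticated session.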
Patrick Finnegan
Ranch Hand

Joined: Mar 05, 2002
Posts: 179
You are approaching this from completely the wrong angle. SSL protection is configured at the web server (Apache) level, which is why you cannot find any SSL web.xml options. You simply need to configure a pattern match in the Apache config file on the URI requests and search for login.jsp. Only requests containing the string "login.jsp" are redirected to https.
RewriteCond %{REQUEST_URI} ^/login.jsp
RewriteRule /login.jsp/* [R=301,L]
If you need to configure https for the whole JAVA application then you could pattern match on the context root.
RewriteRule /APPCONTEXTROOT/* [R=301,L]
Remember your java app is supposed to be portable across environments and it may need to run in an installation with no SSL configured so don't code anything that is SSL dependent.
Gergely Dombi

Joined: Jan 12, 2003
Posts: 11
We are building a similar application (in the sense that we want to put the login page under SSL but not the whole app). Can you please tell me some resources where I can read more on the SSL configuration of the IBM HTTP Server?
Thanks a lot.