Force HTTPS, but not quite all URLs..........

 
Greenhorn
Posts: 11
We want to set the switch "Limit to SSL connections only" (in WAS V5).
I understand that this switch demands that all URLs must start with "HTTPS:\\xxxxxxx".
a)
==> Is this correct?
b)
The problem is that we also have a couple of hardcoded URLs in our application to link to some official sites at the police and hospitals.
In other words, what we really want is:
Force all URLs to use "HTTPSxxxxxx" except for some hardcoded URLs in the application code that are allowed to use "HTTPxxxxx".
==> Is this possible in any way?
c)
If b) above is not possible, is there another way to solve this?
I would be happy for any response!
[ September 29, 2003: Message edited by: Eskil Lind ]
 
Eskil Lind
Greenhorn
Posts: 11
Seems like I can solve this by editing the "Virtual host"-setting in WebSphere Application Server. I tried to set the only valid Virtual host to be "*:443". 443 is the SSL-port.
==> This worked fine. All "HTTP:\\xxx" was rejected.
Another challenge is that my application will call some static HTML sites on the internet (new pop-up windows) with an ordinary "HTTP:\\xxxx" command.
==> This was still possible.
I have now managed to allow only HTTPS (SSL) into my application, and my application can still reach the outside world with "HTTP".
 
Ranch Hand
Posts: 44
Try reading this
Session tracking with cookies
Tracking sessions with cookies is the default. No special programming is required to track sessions with cookies.
Session tracking with URL rewriting
An application that uses URL rewriting to track sessions must adhere to certain programming guidelines. The application developer needs to do the following:
Program servlets to encode URLs
Supply a servlet or Java Server Pages (JSP) file as an entry point to the application
Using URL rewriting also requires that you enable URL rewriting in the Session Management facility.
Note: In certain cases, clients cannot accept cookies. Therefore, you cannot use cookies as a session tracking mechanism. Applications can use URL rewriting as a substitute.
Program session servlets to encode URLs
Depending on whether the servlet is returning URLs to the browser or redirecting them, include either encodeURL( ) or encodeRedirectURL( ) in the servlet code. Examples demonstrating what to replace in your current servlet code follow.
Rewrite URLs to return to the browser
Change the servlet to call the encodeURL method before sending the URL to the output stream:

Rewrite URLs to redirect
Suppose you currently have the following statement:
response.sendRedirect ("http://myhost/store/catalog");
Change the servlet to call the encodeRedirectURL method before sending the URL to the output stream:
response.sendRedirect (response.encodeRedirectURL ("http://myhost/store/catalog"));
The encodeURL() and encodeRedirectURL() methods are part of the HttpServletResponse object. These calls check to see if URL rewriting is configured before encoding the URL. If it is not configured, the calls return the original URL.
If both cookies and URL rewriting are enabled and response.encodeURL() or encodeRedirectURL() is called, the URL is encoded, even if the browser making the HTTP request processed the session cookie.
You can also configure session support to enable protocol switch rewriting. When this option is enabled, the product encodes the URL with the session ID for switching between HTTP and HTTPS protocols.
Supply a servlet or JSP file as an entry point
The entry point to an application (such as the initial screen presented) may not require the use of sessions. However, if the application in general requires session support (meaning some part of it, such as a servlet, requires session support), then after a session is created, all URLs are encoded to perpetuate the session ID for the servlet (or other application component) requiring the session support.
The following example shows how you can embed Java code within a JSP file:
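
Added example, not part of the post above or of the documentation it quotes: a servlet that applies encodeURL() and encodeRedirectURL() only to the application's own links and writes the hard-coded external HTTP links unchanged, so a rewritten session ID is never appended to an off-site URL. The class name, the /catalog and /login paths, the "go" parameter and the external hosts are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example; class name, paths and hosts are hypothetical.
public class LinksServlet extends HttpServlet {

    // Constructed stand-ins for the hard-coded external sites in the question.
    private static final String[] EXTERNAL_LINKS = {
        "http://police.example/contact.html",
        "http://hospital.example/info.html"
    };

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Application-level check in addition to the "*:443" virtual host:
        // refuse any request that did not arrive over SSL.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        request.getSession(true); // the session whose ID may need to be carried in URLs
        String base = request.getContextPath();

        // Redirect case: encodeRedirectURL() adds the session ID only when
        // URL rewriting is configured; otherwise it returns the URL unchanged.
        if ("login".equals(request.getParameter("go"))) {
            response.sendRedirect(response.encodeRedirectURL(base + "/login"));
            return;
        }

        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("<html><body>");

        // Link returned to the browser: encode the application's own URL.
        out.println("<a href=\"" + response.encodeURL(base + "/catalog") + "\">Catalog</a>");

        // External links are written as they are and never passed through
        // encodeURL(), so no session ID ends up in a URL sent to another site.
        for (String link : EXTERNAL_LINKS) {
            out.println("<a href=\"" + link + "\" target=\"_blank\">" + link + "</a>");
        }
        out.println("</body></html>");
    }
}
```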
 