How to use https for login only?

 
Greenhorn
Hello,

I am trying to use https for sending login information from the client to the server; but after the client is authenticated he should be redirected to his home page using http.
Using https for the rest of the pages is unnecessary.

I am not sure if it is possible to do this. Also I am not sure how the session information communicated to the client using https can be utilized for http requests; the cookie would be encrypted, right?

Any links to resources related to this issue would be helpful.
 
best scout
Hi Gaurav,

you have to define a <security-constraint> element in your web.xml descriptor with a nested <user-data-constraint> to define <transport-guarantee> "CONFIDENTIAL", which means secure/HTTPS. The <security-constraint> accepts the well-known URL patterns in the descriptor, which should be defined according to your login page.

But be careful, if you use HTTP basic authentication the password is re-transmitted for any page which requires authentication. If you use this form of authentication, the user password would only be secured during login!

Marco
 
Greenhorn

Marco Ehrentreich wrote: Hi

It would be good if you could provide an example of that.


 
Marco Ehrentreich
best scout
Did you mean an example of how to configure the web.xml descriptor? I think here's an understandable example which configures the security features for every URL matching the "/private/*" pattern. Only users with the role "cms_editors" are allowed for this URL pattern, and the <transport-guarantee> "CONFIDENTIAL" means that the user data should be secured, which is typically done via SSL/TLS encryption on top of HTTP, i.e. by using the HTTPS protocol.

I think you'll find lots of other examples using Google ;-)

Marco
 
Ranch Hand
Hi all..

This post is interesting to me...

How do I enable SSL in Tomcat v6?
Sorry for the basic question...

Thanks in advance..
 
Marco Ehrentreich
best scout
Hi Leonardo,

although it's a little bit off-topic, the basic steps are:

1) decide which SSL engine to use (Tomcat's own or OpenSSL based)
2) create a Java keystore or X.509 certificate depending on the SSL engine you want to use
3) configure Tomcat to use SSL and the said keystore/certificate

I'd start with Tomcat's own SSL implementation. In the "bin/" directory of your JDK is a binary called "keytool" which you can use to create a keystore. Then in the usual Tomcat server.xml config there's already a basic starting configuration for SSL which is only commented out.

If you use Google a little bit, I'm sure you can figure the rest out yourself. If you're still having problems, feel free to ask! Besides, I'm very, very sure this question has already been asked in the Tomcat forum ;-)


Marco
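Steps 2 and 3 above, written out as an added example for Tomcat 6 (this is not code from the thread or from the Tomcat distribution): the keytool invocation in the comment creates a self-signed keystore with the JDK tool Marco names, and the two Connector elements have the shape of the plain and SSL connectors in Tomcat 6's server.xml. The keystore path, the password and the port numbers are placeholders chosen for the example.

```xml
<!-- server.xml excerpt (Tomcat 6). Added example; paths and passwords are placeholders.

     Step 2: create a JKS keystore holding a self-signed RSA key pair. keytool
     prompts for the key/keystore password and the certificate fields; the
     "first and last name" answer must be the hostname users will type into
     the browser, or the certificate will not match the site:

       keytool -genkey -alias tomcat -keyalg RSA \
               -keystore $CATALINA_BASE/conf/tomcat.jks

     Step 3: point an SSL-enabled connector at that keystore (below). -->
<Service name="Catalina">

  <!-- Plain HTTP connector. redirectPort is where Tomcat sends the browser
       when a request arrives over HTTP for a resource whose web.xml
       <transport-guarantee> is CONFIDENTIAL. -->
  <Connector port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000"
             redirectPort="8443" />

  <!-- HTTPS connector using Tomcat's own (JSSE) SSL implementation, i.e.
       the option Marco recommends starting with. -->
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="${catalina.base}/conf/tomcat.jks"
             keystoreType="JKS"
             keystorePass="CHANGE-ME" />  <!-- placeholder; must match the keytool password -->

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
  </Engine>
</Service>
```

After a restart, https://localhost:8443/ should answer with a browser certificate warning, because the certificate is self-signed; that is fine for development, but a production host needs a CA-signed certificate imported into the same keystore. The keystore password is stored in clear in server.xml, so keep the conf/ directory readable only by the account Tomcat runs as.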
 
Leonardo Carreira
Ranch Hand
How about Tomcat's own SSL?
What are the weaknesses of using Tomcat's own SSL?

Thanks in advance..
 
Marco Ehrentreich
best scout
Sorry, I don't know many details, but OpenSSL is a native library available for many operating systems and I think this could be a small improvement in performance. I guess security is not an issue as long as there's no bug in the implementation (which could be in Tomcat and OpenSSL as well).

If the main reason is performance I think you should forget about the difference and use Tomcat's own SSL support as it works out of the box. With any normal web application with a database backend and no requirements for real high speed or many, many users you probably won't notice any difference as the database and network latency will make requests much slower than the performance gain of a few milliseconds you'd get by using OpenSSL.

Perhaps someone else knows more details about the difference...

Marco
 
Gaurav Purandare
Greenhorn
Hello Marco,

Marco Ehrentreich wrote:
you have to define a <security-constraint> element in your web.xml descriptor with a nested <user-data-constraint> to define <transport-guarantee> "CONFIDENTIAL", which means secure/HTTPS. The <security-constraint> accepts the well-known URL patterns in the descriptor, which should be defined according to your login page.



As you said, we have to change the web.xml to employ security ("CONFIDENTIAL") for all the resources following a certain URL pattern. For doing this we need to add a certificate or keystore.

So when the user accesses, say, the "login.htm" page, the communication is carried over http, i.e. it does not require any authentication for accessing this page; but when the user clicks on "login" he goes to the "authentication page", which carries out the authentication using https, and if the user is authentic it sets the session cookie and redirects the page to, say, "home.htm", else an "error page" is displayed. Henceforth the communication takes place using http.
In this scenario only the "authentication page" needs to be secure.

I am not sure if I am right; would you please clarify it a bit further.

Thank you.
 
Marco Ehrentreich
best scout
OK, first it should be clear that authentication is not the same as securing the data transport!

Authentication is the process of determining the user's identity. This should be done by the container (Tomcat) and is configured with the <auth-constraint> element sitting on the same level as the <user-data-constraint> element which will be used for securing the data. You can choose between different authentication mechanisms (HTTP basic or digest authentication, form login), which in your case is most probably a form login on the login page. Tomcat automatically redirects to this page if the user tries to access another page which requires an authenticated user. The pages which need authentication are defined via one or more URL patterns inside a <web-resource-collection> element. Note: all the said elements are inside a <security-constraint> element.

Securing data transport with SSL is another thing. This is needed to protect the data transferred between the browser and web server. It works similarly to authentication in regard to the definition of one or more URL patterns which should be protected. With a normal web application you usually define a <user-data-constraint> element which configures what kind of security is needed. Usually you will define <transport-guarantee>CONFIDENTIAL</transport-guarantee>, where "confidential" means SSL encryption for virtually all web applications (although other settings would be possible).

So you have to configure the authentication part to trigger authentication for any page (or all pages) which should only be accessed by a user who has logged in correctly.

Additionally you declare confidential data transport for the same or other pages, or only the login page, which instructs Tomcat to redirect the browser to an HTTPS URL scheme when such a page is accessed.

Have a look at Sun's documentation for a more detailed explanation of all the configuration elements ;-) It's hard to explain this here in text mode how all the elements fit together and are nested inside each other.

As warning I already told you that it's NOT sufficient to use SSL only for the login page IF you use HTTP basic authentication (this is the well-known popup where the browser asks you for a username or password). This would be insecure because the password, which is almost in cleartext, is not only transmitted to the login page but to all subsequent pages which require authentication. You DON'T have to worry about this if you have an extra login page with some form to type in the username and password.

I hope this helps, but as an advice read the documentation to fully understand what you're doing here!

Marco
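The descriptor Marco describes here, and the "/private/*" example with the role "cms_editors" from his earlier reply, as one complete web.xml. This is an added example and not code from the thread or from Tomcat; the page names, the role name and the Servlet 2.5 header (the version Tomcat 6 ships with) are assumptions made for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- web.xml, Servlet 2.5 (Tomcat 6). Added example; names are placeholders. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- One <security-constraint> with all three parts Marco names:
       which URLs (web-resource-collection), who may see them (auth-constraint)
       and how they must travel (user-data-constraint). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Private area</web-resource-name>
      <url-pattern>/private/*</url-pattern>
    </web-resource-collection>
    <!-- Authentication: only logged-in users in this role get through. -->
    <auth-constraint>
      <role-name>cms_editors</role-name>
    </auth-constraint>
    <!-- Transport: Tomcat redirects HTTP requests for these URLs to HTTPS
         (the connector's redirectPort). Drop this element to serve the
         private pages over plain HTTP after login. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- The login page itself and the form target: no role required
       (the user is not logged in yet), but always over HTTPS. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login</web-resource-name>
      <url-pattern>/login.jsp</url-pattern>
      <url-pattern>/j_security_check</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Form login instead of HTTP basic: the password is sent exactly once,
       in the POST to j_security_check, which is why SSL on the login step
       alone is enough here (Marco's warning applies to BASIC only). -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role named in an <auth-constraint> has to be declared. -->
  <security-role>
    <role-name>cms_editors</role-name>
  </security-role>
</web-app>
```

login.jsp contains a form whose action is "j_security_check" with the fields j_username and j_password; Tomcat supplies that target. Two points matter for the "HTTPS for login only" setup the thread is about. First, Tomcat shows the form login page by forwarding to it internally under the protected URL the user originally requested, so it is the transport constraint on that protected pattern, not the one on /login.jsp, that decides whether the credentials travel over TLS; constraining only /j_security_check would make an HTTP login POST get redirected to HTTPS, and the browser re-issues that redirect as a GET without the form fields. Second, to the original question: cookies are never encrypted by HTTPS beyond the transport itself, so a JSESSIONID that is later sent on plain HTTP pages is readable on the wire, and Tomcat marks a session cookie Secure when the session is created over HTTPS, in which case the browser will not present it on HTTP pages at all. The bulk of the thread's advice still stands: decide per URL pattern what must be confidential and accept the exposure of whatever is left on HTTP.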
 
Gaurav Purandare
Greenhorn
Thank you for clearing that up, I will read through the documentation as advised and will get back to you if needed.
 
Marco Ehrentreich
best scout
You're welcome!

And of course feel free to ask if there are questions! The topic is just a little bit too big to explain here in detail without creating a complete sample application. But that is surely nothing which would help you to learn how it works. And I think the deployment descriptor is an important thing everyone should know who's working on Java based web applications ;-) Give it a try, it's not too hard!

Marco
 
Mukesh Ranjan
Greenhorn

Mukesh Ranjan wrote:
Here we need to create one SSL certificate, and the application server will need to be configured for SSL/HTTPS communication.
After that the web.xml will require a mapping for <security-constraint ......., where we will put the URL, and the transport guarantee will be set to 'confidential'.
Let's try one as a sample.
Hopefully it should work.
 