
Jeff Osborn

Greenhorn
since Jun 12, 2006

Recent posts by Jeff Osborn

Hi,

Sorry I did not re-post, but I got yanked onto something else before I worked all of the bugs out of my solution. However, I can give you a pointer to the solution and if you get there before I get back to it, then please do post the full solution for everyone.

This thread...
http://tomcat.markmail.org/message/vbp4uo7czjyzuehn?q=SSL+just+on+login+page#query:SSL%20just%20on%20login%20page+page:1+mid:erkojom75k4baqmi+state:results

shows the web.xml for setting this up (a secure area, a non-secure area). The trick is this redirector filter. You see there are two things going on here. First is the password redirect by the container, the second is the security constraint on the secure area. What the redirect does is that it sends it through the xml logic to say “oh yes, I need to switch to https because this is going to a secure area”, and tada it works! If you don’t redirect it just goes to that page via http.

The real trick then, is to revert back to http, and for that I implemented a second filter that rebuilds the URL with http.... and redirect to that, for any page that is not the login page and has a req.getScheme() equal to "https". I got that working in pre-pre-prototype code, but I thought I got it to work before getting yanked off.
Here is the code for the RevertFromHttpsToHttpFilter to swap back (remember it is very rough, so don't slam me for putting it out here, I am just trying to help)



You will want to add the request parameters and you will have to initialize the RevertFromHttpsToHttpFilter with the httpPortNumber. Here is what I have in my web.xml



You should have enough info, between that and the link I gave you.

Good luck, and let us know how it goes,

Jeff
15 years ago
Thank you in advance for your help as I have been looking for an answer to this problem for more than a week now. I have seen this question all over the net, but never an answer.

What I want to know is, is there a standard way (vendor-neutral) to use the container authentication to redirect the user to a secure login page (via SSL) and then once the user authenticates return to a non-SSL application? Basically, how do you make only the login page use SSL and all of the rest of my app use standard http?

I am using FORM authentication method….
<login-config>
<auth-method>FORM</auth-method>
<realm-name>UserDatabase</realm-name>
<form-login-config>
<form-login-page>/simpleFormLogin.jsp</form-login-page>
<form-error-page>/simpleFormLoginFailed.jsp</form-error-page>
</form-login-config>
</login-config>

What I would like to see happen is when I go to simpleFormLogin.jsp I use SSL (https://…) on the page and on the post to the j_security_check URL so that the password is encrypted. Then when it redirects back to the page the user originally requested, which could be any page in the app, it goes back to a non-SSL request (i.e. http://...).

Maybe I am missing something easy, or maybe it can’t be done in a “standard way”? I also realize the security implications, but these are the requirements given to me, and I have to live with them.

I have even tried to rewrite the j_security_check URL in the form when the simpleFormLogin.jsp is built to go to https://…./j_security_check. Using Tomcat, that sent the form via SSL, but then when the original user requested page comes up it is still using SSL, Doh!!!

I really don’t want to put a bunch of onLoad javascript to check for a secure connection (request.isSecureConnection) and redirecting to the non-SSL version of the page. I’m thinking that dealing with all of the request params etc. is more than you should be wrangling in javascript, as well as the possibility of a double commit of data changes (in the case where you submit a change and time out, login, put up the secure page (commit #1), and redirect to the non-secure page (commit #2)).

Anyway, your help would be greatly appreciated by me and others who are trying to solve this problem.

Thank you in advance,

Jeff

15 years ago
Hey guys, has anyone solved this problem???

Thank you in advance for the info,

Jeff
15 years ago
That sounds like fun. Well I have been wading through a bunch of the sun docs today looking for other things and I ran across just the thing you are asking about.

Creating the Web Page That Launches the Application

Below it shows the Netscape. It also has IE VBScript, but it sounds like you have seen that. Unfortunately, there are no silver bullets.

Good Luck

Jeff

Detecting if Java Web Start is installed on Netscape
Here is the first script that should be run on a web page for launching an application via JNLP:


[ June 14, 2006: Message edited by: Jeff Osborn ]
18 years ago
Oh yes, I forgot to add that I'm not a big Web Start guy, so there may be some kind of slick deployment xml way to get Web Start to unpack files out of the jar.

Anyone, anyone....

Barring that, I would go with the above method.

Jeff
18 years ago
My guess is that you would have to extract it out of the jar file and then run cmd.exe on it. You could use the java.util.jar.JarFile to extract the file into a known directory and then build the command line to point to the .bat file in the known directory. It should not be too bad.

Let us know how it goes,

Jeff
18 years ago
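The approach suggested in the post above, as an added example that is not code from the original poster: pull one named entry out of a jar with java.util.jar.JarFile into a known directory, refuse entry names that would resolve outside that directory, and build the cmd.exe invocation as an argument list. The class name, the entry name scripts/run.bat and the temporary paths are assumptions, and the sample jar is constructed inside main.

```java
import java.io.*;
import java.nio.file.*;
import java.util.*;
import java.util.jar.*;

public class ExtractAndRun {
    /** Copies one named entry out of the jar into targetDir and returns the extracted path. */
    static Path extract(Path jar, String entryName, Path targetDir) throws IOException {
        Path base = targetDir.toAbsolutePath().normalize();
        Path out = base.resolve(entryName).normalize();
        // Refuse entry names such as "../x.bat" that would land outside the known directory.
        if (!out.startsWith(base)) throw new IOException("entry escapes target dir: " + entryName);
        try (JarFile jf = new JarFile(jar.toFile())) {
            JarEntry e = jf.getJarEntry(entryName);
            if (e == null || e.isDirectory()) throw new FileNotFoundException(entryName);
            Files.createDirectories(out.getParent());
            try (InputStream in = jf.getInputStream(e)) {
                Files.copy(in, out, StandardCopyOption.REPLACE_EXISTING);
            }
        }
        return out;
    }

    /** Builds the command as an argument list for ProcessBuilder, not one concatenated string. */
    static List<String> commandFor(Path bat) {
        return Arrays.asList("cmd.exe", "/c", bat.toString());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a temporary jar holding one small batch file.
        Path jar = Files.createTempFile("sample", ".jar");
        try (JarOutputStream jos = new JarOutputStream(Files.newOutputStream(jar))) {
            jos.putNextEntry(new JarEntry("scripts/run.bat"));
            jos.write("@echo hello from the jar\r\n".getBytes("US-ASCII"));
            jos.closeEntry();
        }
        Path dir = Files.createTempDirectory("extracted");
        List<String> cmd = commandFor(extract(jar, "scripts/run.bat", dir));
        System.out.println(cmd);
        if (System.getProperty("os.name").startsWith("Windows")) {
            new ProcessBuilder(cmd).inheritIO().start().waitFor(); // cmd.exe exists only on Windows
        }
        try {
            extract(jar, "../evil.bat", dir); // traversal-style name is rejected before any write
        } catch (IOException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
    }
}
```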
Hey gang,

I have been reading the marketing hype about Web Start. I love the ability to configure the exact environment your application is going to run within. For Applets this is currently not the case. You are, for the most part, at the whim of last jre downloaded.

My question is this, can a Web Start application take parameters from a web page, and then the next web page, and then the next page...?

Currently we have the same applet on several pages and its behavior parameterized by what is passed to it from that web page. The web UI is sufficient, so we don't want to go full blown Swing app, but the Applets are a support nightmare.

My guess, based on what I've read, is that you will say no, but I thought I would ask,

Jeff
18 years ago
This can be a nightmare.

These steps take you through all that you will need to do to create a key store, a self signed certificate, export the certificate and then sign the jar

Keystore example:

1)generate key store
C:\j2sdk1.4.1_02\bin>keytool -genkey -alias ozzie -dname "cn=ozzie, ou=engr, o=YourCompanyName, c=US" -keypass ozziepassword -keystore C:\projectname\lib\security\.keystore -storepass ozziepassword

2)generate certificate
C:\j2sdk1.4.1_02\bin>keytool -selfcert -alias ozzie -validity 1000000 -keypass ozziepassword -keystore C:\projectname\lib\security\.keystore -storepass ozziepassword

3)export certificate
C:\j2sdk1.4.1_02\bin>keytool -export -alias ozzie -file C:\projectname\lib\security\ozzie.cer -keystore C:\projectname\lib\security\.keystore -storepass ozziepassword

4)sign the jar
C:\j2sdk1.4.1_02\bin>jarsigner.exe -keystore C:\projectname\lib\security\.keystore -storepass ozziepassword C:\projectname\webApplication\dps.jar ozzie

Note: Assumes java is installed at C:\j2sdk1.4.1_02\ ;-)
Note: The keytool will create the keystore. C:\projectname\lib\security\.keystore can be left off to default to the jdk keystore (java.home\lib\security\.keystore), but you really do not want to mess with the jdk keystore and have to reinstall.
Note: MAKE SURE you write down the passwords used. In this case ozziepassword.

The standard SDK documentation will have both the keytool and the jarsigner in them. They are a little hard to read though.

Another good post is..
How to self sign


You should still get a dialog that will ask you if you trust this applet, because it has not been signed by a known Root Authority, but it is good enough for development. Pick 'yes always' and you will be good to go.

Good Luck,

Jeff
18 years ago