
Using https: for security

 
Bill Dornbush
Greenhorn
Posts: 10
I am developing an application where I want the users to have some protection from the Internet and snooping. I want to force all users to use https:// rather than just http:// so that encryption is used. When a user logs in, I would like to redirect them to an https:// session if needed. JSF seems to take a relative .jsp for the <to-view-id> value. I thought about just setting up a .jsp that would issue a jsp-forward, or an http refresh, but that would require me to hard code the full server url, whereas I would like the page to be relative to my server and only need to change the protocol, so that I can move the .ear file to my test server and production server without having to modify the code. How would I implement a redirection to https:// when the user logs in successfully?
 
Gerardo Tasistro
Ranch Hand
Posts: 362
The following code



Works well for setting the base path relative to the server and application path. So you could just substitute request.getScheme() with https in some sort of redirect code, probably a forward on detecting http request.

There are also security constraints you can set up in the web.xml file to ensure http always and have the container check for it rather than each individual jsf.

For example http://ebxmlrr.sourceforge.net/3.0/UsingHTTPS.html

along the lines of "Requiring Access to the Server to be Secure".
[ April 22, 2006: Message edited by: Gerardo Tasistro ]
 
Bill Dornbush
Greenhorn
Posts: 10
I have a working way to transfer someone to https:

In my program login.jsp, I added a hyperlink "Go to Secure Login". This link is rendered only if the protocol is not secure. I detect this through a method in the backing bean:

    // True when the current request arrived over a secure channel (https).
    public boolean getSecure() {
        HttpServletRequest request = (HttpServletRequest) facesContext.getExternalContext().getRequest();
        return request.isSecure();
    }

The URL of the link is determined in another method in the backing bean:

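    // Builds the https:// URL of index.jsp on the server that received this request.
    public String getHttps() {
        // httpsPort is read from the properties file and already carries its leading ':'.
        String httpsPort = Props.getProps().getStringProperty("httpsPort");
        HttpServletRequest request = (HttpServletRequest) facesContext.getExternalContext().getRequest();
        String newpath = "https://"
                + request.getServerName()
                + httpsPort
                + request.getContextPath()
                + "/index.jsp";
        return newpath;
    }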

The method Props.getProps().getStringProperty("httpsPort") gets the port number with a leading : from my properties file. This allows me to migrate the application to a server where https: is configured to a different port.

index.jsp is the page (not jsf) that is coded in web.xml as the welcome page. It contains: <jsp:forward page="faces/login.jsp"></jsp:forward>

I don't understand why, but if I link to the login.jsp page with the https: protocol, I get an error message "Cannot find FacesContext."
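
The forced redirect asked about in this thread, as an added example that is not part of the original posts: a servlet filter that sends any non-secure request to the same URI over https, building the URL from the request so no server URL is hard-coded. The class name and the `httpsPort` and `allowedHosts` init-param names are assumptions of this example, and the filter is assumed to be mapped to `/*` in web.xml.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: redirects every plain-HTTP request to the same path over HTTPS. */
public class HttpsRedirectFilter implements Filter {
    private String httpsPort;          // e.g. ":8443", or "" for the default port 443
    private Set<String> allowedHosts;  // host names this application answers to

    public void init(FilterConfig cfg) throws ServletException {
        // Both init-param names are assumptions of this example.
        String port = cfg.getInitParameter("httpsPort");
        String hosts = cfg.getInitParameter("allowedHosts");
        if (hosts == null) throw new ServletException("allowedHosts init-param is required");
        httpsPort = (port == null) ? "" : port.trim();
        allowedHosts = new HashSet<String>();
        for (String h : hosts.split(",")) allowedHosts.add(h.trim().toLowerCase(Locale.ROOT));
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (request.isSecure()) {            // already on HTTPS: continue normally
            chain.doFilter(req, res);
            return;
        }
        // getServerName() reflects the client-supplied Host header, so check it
        // against the configured names before placing it in a redirect target.
        String host = request.getServerName().toLowerCase(Locale.ROOT);
        if (!allowedHosts.contains(host)) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unknown host");
            return;
        }
        StringBuilder url = new StringBuilder("https://").append(host).append(httpsPort)
                .append(request.getRequestURI());   // request URI includes the context path
        if (request.getQueryString() != null) url.append('?').append(request.getQueryString());
        response.sendRedirect(url.toString());
    }

    public void destroy() { }
}
```

Behind a TLS-terminating proxy `isSecure()` reports false unless the container is configured to trust the proxy's forwarded scheme, which would make this filter redirect in a loop. A redirect also does not replay a POST body, so the login form itself must already be served over https for the credentials to be protected.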
 