How do I secure only my login page? Please help!

Thank you in advance for your help as I have been looking for an answer to this problem for more than a week now. I have seen this question all over the net, but never an answer.

What I want to know is, is there a standard way (vendor-neutral) to use the container authentication to redirect the user to a secure login page (via SSL) and then, once the user authenticates, return to a non-SSL application? Basically, how do you make only the login page use SSL and all of the rest of my app use standard http?

I am using FORM authentication method….
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>UserDatabase</realm-name>
    <form-login-config>
        <form-login-page>/simpleFormLogin.jsp</form-login-page>
        <form-error-page>/simpleFormLoginFailed.jsp</form-error-page>
    </form-login-config>
</login-config>

What I would like to see happen is when I go to simpleFormLogin.jsp I use SSL (https://…) on the page and on the post to the j_security_check URL so that the password is encrypted. Then when it redirects back to the page the user originally requested, which could be any page in the app, it goes back to a non-SSL request (i.e., http://...).

Maybe I am missing something easy, or maybe it can’t be done in a “standard way”? I also realize the security implications, but these are the requirements given to me, and I have to live with them.

I have even tried to rewrite the j_security_check URL in the form when the simpleFormLogin.jsp is built to go to https://…/j_security_check. Using Tomcat, that sent the form via SSL, but then when the originally requested page comes up it is still using SSL. Doh!!!

I really don’t want to put a bunch of onLoad javascript to check for a secure connection (request.isSecureConnection) and redirect to the non-SSL version of the page. I’m thinking that dealing with all of the request params etc. is more than you should be wrangling in javascript, as well as the possibility of a double commit of data changes (in the case where you submit a change and time out, log in, put up the secure page (commit #1), and redirect to the non-secure page (commit #2)).

Anyway, your help would be greatly appreciated by me and others who are trying to solve this problem.

Thank you in advance,

Jeff
I have been looking for this information as well. I am now able to allow/block extensions through <security-constraint> but am not able to pick and choose secure/non-secure pages. I found a lot of pages that confirm you can do it but none that has any specific examples. I have been reading about rewrite rules but have not been able to locate anything related to our topic.

Please let me know if you have found something.

Thanks!

"For a reasonably busy site, it is customary to only run certain pages under SSL, namely those pages where sensitive information could possibly be exchanged. This would include things like login pages, personal information pages, and shopping cart checkouts, where credit card information could possibly be transmitted. Any page within an application can be requested over a secure socket by simply prefixing the address with https: instead of http:. Any pages which absolutely require a secure connection should check the protocol type associated with the page request and take the appropriate action if https is not specified."
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
Jeff Osborn
Hi,

Sorry I did not re-post, but I got yanked onto something else before I worked all of the bugs out of my solution. However, I can give you a pointer to the solution and if you get there before I get back to it, then please do post the full solution for everyone.

This thread...
http://tomcat.markmail.org/message/vbp4uo7czjyzuehn?q=SSL+just+on+login+page#query:SSL%20just%20on%20login%20page+page:1+mid:erkojom75k4baqmi+state:results

shows the web.xml for setting this up (a secure area, a non-secure area). The trick is this redirector filter. You see, there are two things going on here. First is the password redirect by the container, the second is the security constraint on the secure area. What the redirect does is send it through the xml logic to say “oh yes, I need to switch to https because this is going to a secure area”, and tada, it works! If you don’t redirect, it just goes to that page via http.

The real trick, then, is to revert back to http, and for that I implemented a second filter that rebuilds the URL with http.... and redirects to that, for any page that is not the login page and has a req.getScheme() equal to "https". I got that working in pre-pre-prototype code, but I thought I got it to work before getting yanked off.
Here is the code for the RevertFromHttpsToHttpFilter to swap back (remember it is very rough, so don't slam me for putting it out here, I am just trying to help).



You will want to add the request parameters and you will have to initialize the RevertFromHttpsToHttpFilter with the httpPortNumber. Here is what I have in my web.xml



You should have enough info, between that and the link I gave you.

Good luck, and let us know how it goes,

Jeff
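The revert filter described in Jeff's second post (and the http/https switch Jeff asks about in the first) as an added example. This is not the code from either post or from the linked thread, which did not survive on this page; it is one way to write a filter that does what Jeff describes: any request that arrives over https and is not the login page, the error page or j_security_check is bounced back to http on a configured port, query string included. The init-param names, the default page paths and the decision to redirect only GET requests are my assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not the code from the post): a servlet filter that sends any
 * HTTPS request outside the login exchange back to the plain-HTTP port.
 * The login page, the error page and j_security_check stay on HTTPS so that a
 * CONFIDENTIAL transport guarantee declared on them in web.xml is honoured.
 * Init-param names and the default page paths are assumptions.
 */
public class RevertFromHttpsToHttpFilter implements Filter {

    private int httpPort = 80;                               // init-param "httpPort"
    private String loginPage = "/simpleFormLogin.jsp";       // init-param "loginPage"
    private String errorPage = "/simpleFormLoginFailed.jsp"; // init-param "errorPage"

    @Override
    public void init(FilterConfig config) throws ServletException {
        String port = config.getInitParameter("httpPort");
        if (port != null) {
            try {
                httpPort = Integer.parseInt(port.trim());
            } catch (NumberFormatException e) {
                throw new ServletException("httpPort must be an integer, got: " + port, e);
            }
        }
        String lp = config.getInitParameter("loginPage");
        if (lp != null) loginPage = lp;
        String ep = config.getInitParameter("errorPage");
        if (ep != null) errorPage = ep;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String target = httpUrlFor(request);
        if (target == null) {
            chain.doFilter(req, res); // already plain HTTP, or part of the login exchange
        } else {
            response.sendRedirect(target);
        }
    }

    /**
     * Returns the http:// URL to bounce the client to, or null if the request
     * should be served as-is. Only GETs are redirected: a 302 cannot carry a
     * POST body, so a POST that arrives over HTTPS (for example the container
     * replaying a saved form submission after login) is let through once rather
     * than resubmitted, which avoids the "double commit" the thread worries about.
     */
    String httpUrlFor(HttpServletRequest request) {
        if (!request.isSecure()) return null;

        // Path relative to the web application, independent of the context root.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (path.equals(loginPage) || path.equals(errorPage) || path.endsWith("/j_security_check")) {
            return null;
        }
        if (!"GET".equals(request.getMethod())) return null;

        // getServerName() comes from the Host header; pin it to a fixed value if
        // the container does not validate Host, otherwise the redirect can be steered.
        StringBuilder url = new StringBuilder("http://").append(request.getServerName());
        if (httpPort != 80) url.append(':').append(httpPort);
        url.append(request.getRequestURI());
        String query = request.getQueryString();
        if (query != null) url.append('?').append(query);
        return url.toString();
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

To wire it up, declare the filter in web.xml with a filter-mapping on /* and an init-param httpPort (the httpPortNumber Jeff refers to), and put a security-constraint with a transport-guarantee of CONFIDENTIAL on the login page, the error page and /j_security_check so that the container, not the filter, does the switch to https. Two caveats a practitioner should weigh before shipping this: once the user is logged in, the session cookie travels over plain http for the rest of the application, so anyone who can observe that traffic can replay the session even though the password was never exposed; and some containers flag a session cookie that was created over https as Secure, in which case the browser will not present it on the http pages and the user appears to be logged out, so check the container's session-cookie settings when testing.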
 
Consider Paul's rocket mass heater.
reply
    Bookmark Topic Watch Topic
  • New Topic