Thank you in advance for your help as I have been looking for an answer to this problem for more than a week now. I have seen this question all over the net, but never an answer.
What I want to know is, is there a standard (vendor-neutral) way to use container authentication to redirect the user to a secure login page (via SSL) and then, once the user authenticates, return to a non-SSL application? Basically, how do you make only the login page use SSL and all of the rest of my app use standard HTTP?
I am using the FORM authentication method:

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>UserDatabase</realm-name>
        <form-login-config>
            <form-login-page>/simpleFormLogin.jsp</form-login-page>
            <form-error-page>/simpleFormLoginFailed.jsp</form-error-page>
        </form-login-config>
    </login-config>
What I would like to see happen is that when I go to simpleFormLogin.jsp I use SSL (https://…) on the page and on the POST to the j_security_check URL, so that the password is encrypted. Then, when it redirects back to the page the user originally requested, which could be any page in the app, it goes back to a non-SSL request (i.e. http://...).
Maybe I am missing something easy, or maybe it can’t be done in a “standard way”? I also realize the security implications, but these are the requirements given to me, and I have to live with them.
I have even tried to rewrite the j_security_check URL in the form, when simpleFormLogin.jsp is built, to go to https://…/j_security_check. Using Tomcat, that sent the form via SSL, but then when the page the user originally requested comes up it is still using SSL. Doh!!!
I really don't want to put a bunch of onLoad JavaScript in to check for a secure connection (request.isSecureConnection) and redirect to the non-SSL version of the page. I'm thinking that dealing with all of the request params etc. is more than you should be wrangling in JavaScript, as well as the possibility of a double commit of data changes (in the case where you submit a change and time out, log in, put up the secure page (commit #1), and redirect to the non-secure page (commit #2)).
Anyway, your help would be greatly appreciated by me and others who are trying to solve this problem.
Thank you in advance,
Jeff
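One way to get the scheme-switching behaviour the question asks for, as an added example that is not part of the original post and not a mechanism the servlet specification itself provides: a servlet Filter that redirects GET requests for the login resources onto HTTPS and redirects GET requests for everything else back onto HTTP. The page names /simpleFormLogin.jsp, /simpleFormLoginFailed.jsp and j_security_check are taken from the web.xml above; the port numbers, the filter class name and the filter mapping are assumptions. It deliberately never redirects a POST, so a saved request that the container replays after login is committed once, not twice.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative filter (not part of the original post): keep the container's
 * FORM login resources on HTTPS and send every other GET back to plain HTTP.
 * Port numbers are assumptions for a default Tomcat install.
 */
public class LoginSchemeFilter implements Filter {
    private static final int HTTP_PORT = 8080;   // assumption
    private static final int HTTPS_PORT = 8443;  // assumption

    /** True for the login page, the error page and the j_security_check action. */
    private boolean isLoginResource(HttpServletRequest req) {
        String path = req.getServletPath(); // path inside the web application
        return "/simpleFormLogin.jsp".equals(path)
            || "/simpleFormLoginFailed.jsp".equals(path)
            || path.endsWith("/j_security_check");
    }

    /** Rebuild the current URL (URI plus query string) with another scheme and port. */
    private String rebuild(HttpServletRequest req, String scheme, int port) {
        StringBuilder url = new StringBuilder(scheme).append("://")
            .append(req.getServerName()).append(':').append(port)
            .append(req.getRequestURI());
        if (req.getQueryString() != null) {
            url.append('?').append(req.getQueryString());
        }
        return url.toString();
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        boolean login = isLoginResource(req);
        boolean isGet = "GET".equals(req.getMethod());

        if (login && !req.isSecure() && isGet) {
            // Login page reached over plain HTTP: move it to HTTPS before any
            // credentials are typed into it. A redirect discards a POST body,
            // so a j_security_check POST is never bounced here.
            resp.sendRedirect(rebuild(req, "https", HTTPS_PORT));
            return;
        }
        if (!login && req.isSecure() && isGet) {
            // Ordinary page reached over HTTPS (for example the page the
            // container restores right after login): send the browser back to
            // HTTP. POSTs pass through untouched so a replayed saved request
            // is committed exactly once.
            resp.sendRedirect(rebuild(req, "http", HTTP_PORT));
            return;
        }
        chain.doFilter(request, response);
    }

    public void init(FilterConfig config) throws ServletException {}

    public void destroy() {}
}
```

The filter would be mapped to /* in web.xml; because the container reaches the form-login-page by an internal forward rather than a client request, the mapping also needs a FORWARD dispatcher (a Servlet 2.4 feature) for the first redirect to fire, which is an assumption about the container version. Two caveats worth keeping in view: a j_security_check POST that arrives over plain HTTP has already exposed the password and is passed through unchanged, and the session cookie issued after login still travels over plain HTTP on every subsequent page, so the protected pages remain open to session hijacking even though the password itself was sent encrypted.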