Brendan Healey wrote: You probably know the scenario by now - you're putting an application together (I'm using JSF 2.0
on a GlassFish v3 stack) and the very first thing you've got to do is write some login code.
I really don't want to take the performance hit of using SSL except on a couple of pages. The content
is just not that sensitive.
Thanks, leo
Sometimes the only way things ever got fixed is because people became uncomfortable.
Tim Holloway wrote:
Brendan Healey wrote: You probably know the scenario by now - you're putting an application together (I'm using JSF 2.0
on a GlassFish v3 stack) and the very first thing you've got to do is write some login code.
No it's not. In most cases, I don't write ANY login code, because J2EE comes with a perfectly good authentication and authorization system of its own, pre-debugged, vetted by security professionals, and ready to use. And, since it's an integral part of J2EE, it automatically handles switching to secure channels at need.
Richard Grin wrote:
So how could you have SSL only for authentication and not for the rest of the application?
Tim Holloway wrote:
Welcome to the JavaRanch, Richard! But we'd prefer that you just start a new thread rather than revive one that's this old. Keeps things tidier that way, since most of the original participants have probably moved on.
Tim Holloway wrote:
In J(2)EE, you choose what URLs are handled via TLS/SSL by specifying URL patterns in web.xml and mapping transport to them.
However, once you've logged in, it's really NOT a good idea to switch back to plaintext transport. Your session identifier is constantly being passed back and forth and any secure objects within the session are therefore potentially at risk. That's one of the reasons that the traditional logout method is session.invalidate(). It guarantees that any secure objects will have been discarded from the conversation.
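The web.xml mapping Tim describes, as an added example that is not part of the original thread (it is not code from any of the posters or from GlassFish itself). It is a Servlet 3.0 deployment descriptor fragment: container-managed FORM login, a transport guarantee of CONFIDENTIAL on the protected pages so the container redirects plain-HTTP requests to the HTTPS port, and Servlet 3.0 cookie flags so the session cookie is never sent over plain HTTP. The URL patterns, page names, role name and realm name are assumptions for illustration. Dropping the first security-constraint and keeping only the one on the login pages is the "SSL only for authentication" setup leo asked about; it leaves JSESSIONID crossing the wire in the clear on every later request, which is the risk Tim points out.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Container-managed login: the container serves and processes the form,
       so the application ships no login code of its own.
       The realm name "file" and the page names are assumptions. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>file</realm-name>
    <form-login-config>
      <form-login-page>/login.xhtml</form-login-page>
      <form-error-page>/loginError.xhtml</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Role name is an assumption; it must exist in the realm. -->
  <security-role>
    <role-name>user</role-name>
  </security-role>

  <!-- Everything under /app/* needs the "user" role AND TLS.
       CONFIDENTIAL makes the container redirect an http:// request to the
       https:// port before serving it, for every request after login too. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Application</web-resource-name>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- The login pages need no role (no auth-constraint) but must be TLS-only,
       otherwise the credentials themselves travel in the clear. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login pages</web-resource-name>
      <url-pattern>/login.xhtml</url-pattern>
      <url-pattern>/loginError.xhtml</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Servlet 3.0 cookie flags: Secure keeps the browser from sending
       JSESSIONID over plain HTTP at all; HttpOnly keeps page script from
       reading it. The timeout value is an assumption. -->
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>
```

With this in place a logout action only has to call session.invalidate() (for example from a JSF action method via FacesContext's external context) and redirect; the container does the rest, and there is no custom login code to get wrong.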
Tim Holloway wrote: Writing your own login only makes it worse. The technical term for user-designed security system is "pwned".
The problem isn't J2EE preventing you from using insecure transport after login - it will allow that. The problem is that you'd have to be crazy to want to do so.