
Https vs http web.xml jsf

 
Dave Alexander
Greenhorn
Posts: 8
I'd like to navigate from one https page (<transport-guarantee>CONFIDENTIAL</transport-guarantee>) to another page without https (<transport-guarantee>NONE</transport-guarantee>) but it doesn't work. Help please.

Here is the web.xml


<security-constraint>
    <display-name>Constraint1</display-name>
    <web-resource-collection>
        <web-resource-name>pagewithhttps</web-resource-name>
        <description/>
        <url-pattern>/protegida/*</url-pattern>
        <url-pattern>/faces/protegida/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <description/>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-constraint>
    <display-name>Constraint2</display-name>
    <web-resource-collection>
        <web-resource-name>withoutHttps</web-resource-name>
        <description/>
        <url-pattern>/publica/*</url-pattern>
        <url-pattern>/faces/publica/*</url-pattern>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <description>nada de https</description>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
 
Tim Holloway
Bartender
Posts: 18408
Welcome to the JavaRanch, Dave!

It's not a good idea to flip back and forth between http and https. When you go from http to https, your session ID changes for security reasons (although the session itself remains the same).

Also, while an https webpage can contain non-https URLs, some browsers can get extremely annoyed about it.

It's OK to fetch a non-secured webpage under either http or https protocols. It's only the secured pages that are restricted.
 
Dave Alexander
Greenhorn
Posts: 8
Thanks a lot Tim!!!

You're right!!!

I've even read it on Oracle's web site.

Good Security Practice: If you are using sessions, after you switch to SSL you should never accept any further requests for that session that are non-SSL. For example, a shopping site might not use SSL until the checkout page, and then it may switch to using SSL in order to accept your card number. After switching to SSL, you should stop listening to non-SSL requests for this session. The reason for this practice is that the session ID itself was not encrypted on the earlier communications. This is not so bad when you're only doing your shopping, but after the credit card information is stored in the session, you don't want a bad guy trying to fake the purchase transaction against your credit card. This practice could be easily implemented using a filter.
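The "filter" the quoted Oracle text mentions can look like the following. This is an added example, not code from the thread or from Oracle: a servlet Filter that records the first time a session is used over SSL and, from then on, refuses plain-HTTP requests that present that same session (invalidating it, since its ID was exposed unencrypted earlier). It assumes the javax.servlet (Servlet 3.0) API; the class name `SslSessionLockFilter` and the session attribute name `ssl.session.lock` are placeholders chosen here.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not from the original thread): once a session has been
 * used over SSL, reject any later plain-HTTP request carrying that session.
 * Class name and attribute name are assumptions chosen for illustration.
 */
public class SslSessionLockFilter implements Filter {

    // Marker stored in the session the first time it is seen over SSL (assumed name).
    static final String SSL_SEEN = "ssl.session.lock";

    @Override
    public void init(FilterConfig config) {
        // No configuration needed for this example.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Do not create a session here: a request without one has nothing to protect.
        HttpSession session = request.getSession(false);

        if (request.isSecure()) {
            // First SSL use of this session: lock it to SSL from now on.
            if (session != null && session.getAttribute(SSL_SEEN) == null) {
                session.setAttribute(SSL_SEEN, Boolean.TRUE);
            }
        } else if (session != null && session.getAttribute(SSL_SEEN) != null) {
            // A session already upgraded to SSL arrives over plain HTTP. Its ID
            // was sent in the clear before the upgrade, so treat it as untrusted:
            // drop the session and refuse the request instead of serving it.
            session.invalidate();
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "This session has switched to SSL; plain HTTP is no longer accepted");
            return;
        }

        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

Register it in web.xml with a `<filter>` element and a `<filter-mapping>` whose `<url-pattern>` is `/*`, so that it runs before the protected and unprotected pages alike. The filter complements, rather than replaces, the `CONFIDENTIAL` transport guarantee: the constraint forces SSL for the listed URLs, while the filter stops a session ID that was observable before the switch from being reused on the unprotected ones. Two further hardening steps that fit the same concern are marking the session cookie Secure (Servlet 3.0 `<cookie-config><secure>true</secure></cookie-config>`) so the browser never sends it over http at all, and issuing a fresh session ID at the moment of the upgrade (Servlet 3.1 `request.changeSessionId()`), which is the behaviour Tim describes some containers applying automatically.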
 