
How to use HTTPS in login page, and HTTP in following pages.
Anthony Pong

2004-11-30, 9:05 am

Dear All,

I tried to set up a Form-Based login process with JDBC Realm. It is
not secure enough. It is better to use a secure transport such as
HTTPS (https://hostname:8443/application/p...Login/login.jsp).

Once logged in, I want to use HTTP to save some overhead. I have tried to
put a switching link with absolute URL
(http://hostname:8080/application/unprotected/other.jsp). It won't
work. The session changes as the protocol changes.

How could it be done? Any article on the web showing this? Please help.
Regards,

Anthony
Øyvind Matheson Wergeland

2004-11-30, 9:05 am

Anthony Pong wrote:
> Once logged in, I want to use HTTP to save some overhead. I have tried to
> put a switching link with absolute URL
> (http://hostname:8080/application/unprotected/other.jsp). It won't
> work. The session changes as the protocol changes.
>
> How could it be done? Any article on the web showing this? Please help.
> Regards,


Can the SSO functionality of Tomcat be of use?

http://jakarta.apache.org/tomcat/to...gle%20Sign%20On

--
Øyvind Matheson Wergeland Just Another Virtual Application
Senior System Developer
Manamind AS Creating the Corporate Information Feed [tm]
Anthony Pong

2004-11-30, 4:03 pm

SSO is new to me and I need some time to read through the pages. Thanks Wergeland.

Anthony
Oscar Kind

2004-11-30, 8:59 pm

Anthony Pong <ponganthony@yahoo.com> wrote:
> I tried to set up a Form-Based login process with JDBC Realm. It is
> not secure enough. It is better to use a secure transport such as
> HTTPS (https://hostname:8443/application/p...Login/login.jsp).
>
> Once logged in, I want to use HTTP to save some overhead. I have tried to
> put a switching link with absolute URL
> (http://hostname:8080/application/unprotected/other.jsp). It won't
> work. The session changes as the protocol changes.
>
> How could it be done? Any article on the web showing this? Please help.
> Regards,


The resource constraints in web.xml that define the roles required to
access a certain resource collection (read: URLs) can also prescribe
transport constraints. These tell the application server that that data
must be protected from tampering or also from prying eyes. In practice,
both mean that the application server will use HTTPS instead of HTTP.

Is this sufficient?


--
Oscar Kind http://home.hccnet.nl/okind/
Software Developer for contact information, see website

PGP Key fingerprint: 91F3 6C72 F465 5E98 C246 61D9 2C32 8E24 097B B4E2
Anthony Pong

2004-12-01, 3:57 am

I think it is in the right direction. I found something on jguru that
the SSL connector would redirectPort to say 8443:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Security page</web-resource-name>
    <url-pattern>/web/login/signup.jsp</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

Difficult to say if your clue is enough for me or not. I may need
some hours to try out the code. Thanks Oscar Kind!

Anthony
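
An added example, not part of the original thread and not any poster's code: a small Python check that reads a web.xml and lists URL patterns that require a login but carry no transport guarantee, which is what results when only the login page is marked CONFIDENTIAL. The /members/* pattern, the "user" role, the sample descriptor and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor: the login page is forced onto HTTPS, but the
# role-protected area reached after login has no transport guarantee at all.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login page</web-resource-name>
      <url-pattern>/web/login/signup.jsp</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Members area</web-resource-name>
      <url-pattern>/members/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def local(tag):
    """Strip an XML namespace so namespaced and plain descriptors both work."""
    return tag.rsplit("}", 1)[-1]

def audit_transport(web_xml):
    """Return (url_pattern, guarantee, needs_login) for each constrained pattern."""
    rows = []
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) != "security-constraint":
            continue
        names = [(local(el.tag), (el.text or "").strip()) for el in sc.iter()]
        guarantee = next((t.upper() for n, t in names
                          if n == "transport-guarantee"), "NONE")
        needs_login = any(n == "auth-constraint" for n, _ in names)
        rows += [(t, guarantee, needs_login) for n, t in names if n == "url-pattern"]
    return rows

def cleartext_authenticated(web_xml):
    """Patterns that require a login yet may still be served over plain HTTP."""
    return [p for p, g, login in audit_transport(web_xml)
            if login and g not in ("INTEGRAL", "CONFIDENTIAL")]

if __name__ == "__main__":
    print(audit_transport(SAMPLE_WEB_XML))
    print("authenticated but cleartext:", cleartext_authenticated(SAMPLE_WEB_XML))
```

Any pattern this reports is a place where the session identifier issued after the HTTPS login would travel unencrypted.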