> Hello again!
>
> After trying out the suggestion to use <security-constraint> in web.xml
> (thanks Giampaolo!) I've figured out that it doesn't exactly solve my
> problem. The problem is that I need to redirect to HTTPS for login and
> some other subset of pages, and then after login, redirect back to HTTP.
> By using <security-constraint> I am able to redirect to HTTPS, but there
> doesn't seem to be a way to revert back to HTTP after the initial
> excursion.

No, in fact. The Servlet specs don't dictate a way to revert back to http. Also, in most cases such a mechanism is useless and even a hazard. Let's say you make an https login, get your session cookie and revert back to http. In a man-in-the-middle case, a third person may see your cookie and impersonate the already logged-in user.

> I'm really getting pissed about this (and feeling more and more stupid
> after each new failed attempt). Especially since the constraint to mix
> HTTP and HTTPS pages has been forced upon me with the explanation that
> everybody does it due to bad performance of HTTPS, which I'd give my
> right arm if we would ever see in this particular application. :-(

Switching back to http was an old habit: five years ago, when internet bandwidth was really narrow and cpu power wasn't that high, it could have made a difference. Today these are no longer issues. I would try to stress this fact and the security issues the http/https mixup may raise.

> Any other suggestions? Does anybody use a tapestry-based application in
> which some pages are behind HTTPS while others are HTTP?

You may develop a filter to be put on top of the tapestry servlet, issuing a redirect response to an http connection when https is no longer needed. You just have to check for the transport guarantee level of the request and for the target of the request itself. If the guarantee level is not required, issue a redirect to the client instead of forwarding the request to the tapestry servlet. I wouldn't do the trick in higher layers, like in the tapestry app...

Regards,

-----------------------------------
Giampaolo Tomassoni - IT Consultant
Piazza VIII Aprile 1948, 4
I-53044 Chiusi (SI) - Italy
Ph: +39-0578-21100
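
The filter described in the reply above, sketched against the standard javax.servlet API as an added example that is not part of the original message. The class name, `SECURE_PREFIXES` and `HTTP_PORT` are hypothetical; the servlet API does not expose the guarantee level a target requires, so the filter assumes its own list of HTTPS-only paths that mirrors the `<security-constraint>` patterns, which stay in web.xml as the actual enforcement.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not code from the thread. Map it in web.xml in front of the
// Tapestry servlet; the <security-constraint> entries still force HTTPS.
public class TransportDowngradeFilter implements Filter {
    // Assumption: context-relative paths that must stay on HTTPS, kept in
    // sync with the url-patterns whose transport-guarantee is CONFIDENTIAL.
    private static final String[] SECURE_PREFIXES = { "/login", "/account" };
    private static final int HTTP_PORT = 8080; // assumption: plain-HTTP connector port

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Path relative to the context root, e.g. "/login".
        String path = request.getRequestURI().substring(request.getContextPath().length());

        // "Guarantee level" check: the request arrived over HTTPS but its
        // target is not on the HTTPS-only list. Only GET is redirected,
        // since a redirect would drop a POST body.
        if (request.isSecure() && "GET".equals(request.getMethod()) && !needsHttps(path)) {
            StringBuilder target = new StringBuilder("http://").append(request.getServerName());
            if (HTTP_PORT != 80) target.append(':').append(HTTP_PORT);
            target.append(request.getRequestURI());
            if (request.getQueryString() != null) target.append('?').append(request.getQueryString());
            // No encodeRedirectURL(): it could put the session id in the URL.
            // After this redirect the session cookie travels in clear text.
            response.sendRedirect(target.toString());
            return;
        }
        chain.doFilter(req, res); // hand the request on to the Tapestry servlet
    }

    // Prefix match errs toward HTTPS: "/login/reset" also counts as secure.
    private static boolean needsHttps(String path) {
        for (String prefix : SECURE_PREFIXES) {
            if (path.startsWith(prefix)) return true;
        }
        return false;
    }
}
```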