Dear Chris, Thank you very much. I can get the link redirect. But the tomcat's container security seems to happen before it. Here is the stuff in the web.xml. When I type http://localhost:8080/InformProject/pages/login.jsp, it will redirect to https://localhost:8443/..... The browser will alert me because it is self-certified. But when I go other pages, which should bring this login page up, it just bring up the http plain version and bypass this redirection.
<web-resource-collection> <web-resource-name>login page</web-resource-name> <url-pattern>/pages/login.jsp</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <form-login-config> <form-login-page>/pages/login.jsp</form-login-page> <form-error-page>/pages/error.jsp</form-error-page> </form-login-config> </login-config> Sincerely yours Zhu, Guojun On Wed, May 6, 2009 at 8:54 PM, Christopher Schultz <ch...@christopherschultz.net> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Guojun, > > On 5/6/2009 3:05 PM, Guojun Zhu wrote: >> We had a small web application on tomcat 5.5. We use tomcat realm >> (MD5 digest) with the form-based login. I have a few questions on >> this. >> >> 1. When we use http, does the form-based login page send the username >> and password plainly or in the digested form? > > Your web browser will send the credentials in cleartext. The only > "digest" being used here is the one used to hash the password before it > is checked against your database (all on the server side). > > If you want the password sent securely, you'll need to either use HTTPS > or use DIGEST authentication, which uses HTTP Auth instead of forms. I > prefer HTTPS + form over DIGEST, FWIW. > >> 2. We set up the ssl in 8443 port. All links in our application are >> relative link without the specified scheme. So currently all the >> links (including login page) go either through normal http or >> encrypted https. Is there anyway to limit the ssl only for the login >> page alone and make sure login page always go through ssl? Rest pages >> are really fairly low-risk stuff and we do not worry about the leak on >> them. > > Are you comfortable with the possibility of session hijacking? If so, > there is a way to do this that I outlined a few weeks ago. Hmm... I > can't seem to find it in the archives; I'll give you the short-short > version. Try something like this: > > web.xml: > <form-login-page>/login.jsp</form-login-page> > ... > <security-constraint> > <web-resource-collection> > <url-pattern>/login.jsp</url-pattern> > </web-resource-collection> > <user-data-constraint> > <transport-guarantee>CONFIDENTIAL</transport-guarantee> > </user-data-constraint> > <security-constraint> > > login.jsp: > <% > Cookie mySessionCookie = ...; > if(mySessionCookie.isSecure()) > { > // We don't want a secure session cookie. Kill it, > // redirect to non-secure page and bounce back. > > session.invalidate(); > > response.sendRedirect(response.encodeRedirectURL(BOUNCE_PAGE)); > } > %> > > Your bounce page should simply create a session and redirect to > https://yourhost/login.jsp. > > You should probably create a filter that watches every URL except your > login page and drives everything back to HTTP if it finds HTTPS in use. > > This may interfere with the container's ability to store and re-play > requests for protected resources /after/ a successful login. YMMV. If > you can't get it working using this suggestion, feel free to hire me to > do it for you ;) > > - -chris > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.9 (MingW32) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ > > iEYEARECAAYFAkoCPzoACgkQ9CaO5/Lv0PAPnwCcC9jIfZ9oc60imAgaw01sfcjJ > MlEAoIsyPZ9f6dXGo5IInzLXOMxh7vs0 > =9YPw > -----END PGP SIGNATURE----- > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org