-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Guojun,

On 5/8/2009 12:22 AM, Guojun Zhu wrote:
> Thank you very much. I can get the link redirect. But the tomcat's
> container security seems to happen before it.

The container's security mechanism will always execute before your code.
Keep that in mind when designing solutions.

> Here is the stuff in the web.xml. When I type
> http://localhost:8080/InformProject/pages/login.jsp, it will redirect
> to https://localhost:8443/..... The browser will alert me because it
> is self-certified. But when I go to other pages, which should bring this
> login page up, it just brings up the http plain version and bypasses this
> redirection.
>
>   <web-resource-collection>
>     <web-resource-name>login page</web-resource-name>
>     <url-pattern>/pages/login.jsp</url-pattern>
>   </web-resource-collection>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>

You don't want your login.jsp page to be set to CONFIDENTIAL. You want to
ensure a session is created in non-secure mode BEFORE the user submits
their credentials. There are a couple of ways to do this:

1. Have login.jsp redirect to a bounce page in HTTP mode if the session
   cookie is secure (something like):

     if(sessionIdCookie.isSecure()) {
       session.invalidate();
       response.sendRedirect(BOUNCE); // use HTTP, not HTTPS
       return;
     }

   Then your bounce page does this:

     request.getSession(true);
     response.sendRedirect("/login.jsp");

2. You could also try, in your login.jsp:

     if(sessionIdCookie.isSecure()) {
       sessionIdCookie.setSecure(false);
       response.addCookie(sessionIdCookie);
     }

   I only just found the Cookie.setSecure method... I'm not sure how
   browsers deal with a cookie changing secure-ness: you'll have to check.

3. Have login.jsp check for a (currently) secure request and redirect to
   itself in non-secure mode (after adjusting/deleting the cookie). Once in
   non-secure mode, create a new cookie/session and make sure your login
   form submits to an HTTPS URL.
I would start with #2 and see if that works.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkoERlAACgkQ9CaO5/Lv0PD6lQCePk/76Ob8J/as0mFPbR0DvGtX
AmwAnjCb3FIEDe44CAm2D5bXCiufa3Dn
=beOd
-----END PGP SIGNATURE-----
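To make the cookie mechanics behind this exchange concrete, here is an added example that is not code from the thread or from Tomcat: a small Python model of a browser cookie jar and a servlet-container stand-in that marks a session cookie Secure when the session is created over HTTPS. It reproduces the symptom Guojun describes (a session started on the HTTPS login page is not presented on plain-HTTP pages, so those pages see a fresh, unauthenticated session) and the effect of creating the session over HTTP first, as Chris suggests. The hostnames, ports, paths and session ids are constructed, and the container's redirect and cookie logic is a simplifying assumption, not Tomcat's implementation.

```python
"""Added example (not from the thread or from Tomcat): a toy model of a
browser cookie jar plus a servlet-container stand-in, showing why a session
started on an HTTPS login page is invisible on plain-HTTP pages.
Hostnames, ports, paths and session ids below are constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit
import itertools


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool  # the Secure attribute from Set-Cookie


class CookieJar:
    """Minimal RFC 6265 behaviour: a Secure cookie is only sent over https://."""

    def __init__(self):
        self._cookies = {}

    def store(self, cookie):
        self._cookies[cookie.name] = cookie

    def cookies_for(self, url):
        scheme = urlsplit(url).scheme
        return {c.name: c.value for c in self._cookies.values()
                if scheme == "https" or not c.secure}


class ContainerStandIn:
    """Simplified container (assumption, not Tomcat's code): paths listed as
    CONFIDENTIAL are redirected to HTTPS, and a session cookie created on a
    secure request carries the Secure attribute."""

    def __init__(self, confidential_paths, https_port=8443):
        self.confidential = set(confidential_paths)
        self.https_port = https_port
        self.sessions = {}
        self._ids = itertools.count(1)

    def handle(self, url, cookies):
        parts = urlsplit(url)
        if parts.path in self.confidential and parts.scheme != "https":
            target = f"https://{parts.hostname}:{self.https_port}{parts.path}"
            return {"status": 302, "location": target, "set_cookie": None, "session": None}
        sid = cookies.get("JSESSIONID")
        set_cookie = None
        if sid not in self.sessions:  # no usable session presented: create one
            sid = f"S{next(self._ids)}"
            self.sessions[sid] = {}
            set_cookie = Cookie("JSESSIONID", sid, secure=(parts.scheme == "https"))
        return {"status": 200, "location": None, "set_cookie": set_cookie, "session": sid}


def browse(server, jar, url, max_redirects=5):
    """Follow redirects like a browser, storing Set-Cookie headers as they arrive.
    Returns (final_url, session id the server used)."""
    for _ in range(max_redirects):
        resp = server.handle(url, jar.cookies_for(url))
        if resp["set_cookie"] is not None:
            jar.store(resp["set_cookie"])
        if resp["status"] == 302:
            url = resp["location"]
            continue
        return url, resp["session"]
    raise RuntimeError("too many redirects")


LOGIN = "http://localhost:8080/InformProject/pages/login.jsp"   # constructed
OTHER = "http://localhost:8080/InformProject/pages/other.jsp"   # constructed


def demo_https_first():
    """The flow from the thread: hit login.jsp first (forced to HTTPS), then an
    HTTP page. The Secure JSESSIONID is withheld on HTTP, so a second session
    is created and whatever was done on the HTTPS page is lost."""
    server = ContainerStandIn(["/InformProject/pages/login.jsp"])
    jar = CookieJar()
    login_url, login_sid = browse(server, jar, LOGIN)
    _, other_sid = browse(server, jar, OTHER)
    return {"login_url": login_url, "login_sid": login_sid,
            "other_sid": other_sid, "sessions": len(server.sessions)}


def demo_http_first():
    """Chris's suggestion: the session is created over HTTP first, so its cookie
    has no Secure attribute and is sent on both HTTP and HTTPS requests."""
    server = ContainerStandIn(["/InformProject/pages/login.jsp"])
    jar = CookieJar()
    _, other_sid = browse(server, jar, OTHER)
    _, login_sid = browse(server, jar, LOGIN)
    return {"other_sid": other_sid, "login_sid": login_sid,
            "sessions": len(server.sessions)}


if __name__ == "__main__":
    print(demo_https_first())
    print(demo_http_first())
```

In the first flow the model ends with two sessions and the HTTP page never sees the one created on the HTTPS login page; in the second it ends with one session shared by both schemes. The same model also shows the cost of the shared cookie: without the Secure attribute the JSESSIONID travels in cleartext on every HTTP request, which is the exposure the attribute exists to prevent, so a site that carries an authenticated session across both schemes is relying on that id not being observed on the network.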