Dear Chris,

I am sorry, but I am not sure that I understand what you mean. All your solutions are to modify login.jsp. But we have already reached there by http insecurely whenever I try to access any restricted pages. I have set things up like this with the form authentication, as in my last post. Am I doing the right thing? Or should I change it to CONFIDENTIAL?
    <security-constraint>
      <display-name>normal</display-name>
      <web-resource-collection>
        <web-resource-name>INFORM project</web-resource-name>
        <description/>
        <url-pattern>*.do</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>HEAD</http-method>
        <http-method>PUT</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>DELETE</http-method>
      </web-resource-collection>
      <auth-constraint>
        <description>user for all pages except the admin and home</description>
        <role-name>inform</role-name>
      </auth-constraint>
    </security-constraint>

What do you mean by "You want to ensure a session is created in non-secure mode BEFORE the user submits their credentials."? Furthermore, in your solution, what cookie should I get? Is there any special one?

I am sorry for my naivety. I am also very much willing to learn a bit more about all this stuff. If there is too much to explain, could you please point me to some place to start reading and understanding my problem?

Thank you and have a great weekend!

Sincerely
Zhu, Guojun

On Fri, May 8, 2009 at 9:48 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Guojun,
>
> On 5/8/2009 12:22 AM, Guojun Zhu wrote:
>> Thank you very much. I can get the link redirect. But the tomcat's
>> container security seems to happen before it.
>
> The container's security mechanism will always execute before your code.
> Keep that in mind when designing solutions.
>
>> Here is the stuff in the web.xml. When I type
>> http://localhost:8080/InformProject/pages/login.jsp, it will redirect
>> to https://localhost:8443/..... The browser will alert me because it
>> is self-certified. But when I go to other pages, which should bring this
>> login page up, it just brings up the http plain version and bypasses this
>> redirection.
>>
>>     <web-resource-collection>
>>       <web-resource-name>login page</web-resource-name>
>>       <url-pattern>/pages/login.jsp</url-pattern>
>>     </web-resource-collection>
>>     <user-data-constraint>
>>       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>     </user-data-constraint>
>>   </security-constraint>
>
> You don't want your login.jsp page to be set to CONFIDENTIAL. You want
> to ensure a session is created in non-secure mode BEFORE the user
> submits their credentials. There are a couple of ways to do this:
>
> 1. Have login.jsp redirect to a bounce page in HTTP mode if the session
>    cookie is secure (something like:
>
>        if(sessionIdCookie.isSecure()) {
>            session.invalidate();
>            response.sendRedirect(BOUNCE); // use HTTP, not HTTPS
>            return;
>        }
>
>    Then your bounce page does this:
>
>        request.getSession(true);
>        response.sendRedirect("/login.jsp");
>
> 2. You could also try, in your login.jsp:
>
>        if(sessionIdCookie.isSecure()) {
>            sessionIdCookie.setSecure(false);
>            response.addCookie(sessionIdCookie);
>        }
>
>    I only just found the Cookie.setSecure method... I'm not sure how
>    browsers deal with a cookie changing secure-ness: you'll have to check.
>
> 3. Have login.jsp check for a (currently) secure request and redirect
>    to itself in non-secure mode (after adjusting/deleting the cookie).
>    Once in non-secure mode, create a new cookie/session and make sure
>    your login form submits to an HTTPS URL.
>
> I would start with #2 and see if that works.
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkoERlAACgkQ9CaO5/Lv0PD6lQCePk/76Ob8J/as0mFPbR0DvGtX
> AmwAnjCb3FIEDe44CAm2D5bXCiufa3Dn
> =beOd
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
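The idea behind Chris's option 3 (make sure the session, and therefore the JSESSIONID cookie, is created by a plain-HTTP request, and only the credential POST goes to HTTPS) can be put in a servlet Filter instead of in login.jsp itself. The filter below is an added example written for this thread; it is not code from the thread or from Tomcat. It assumes the filter is mapped to /pages/login.jsp in web.xml, that login.jsp is NOT under a CONFIDENTIAL transport-guarantee (otherwise the container redirects to HTTPS before any filter runs and the two redirects would loop), that the connector ports are 8080 and 8443 as quoted above, and that the host name is the hypothetical constant SERVER_HOST. The request attribute name loginPostUrl is also made up for this example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not from the thread), mapped to /pages/login.jsp.
 * Tomcat marks the JSESSIONID cookie Secure when the session is created by an
 * HTTPS request; a browser then withholds that cookie on plain-HTTP pages, so
 * the session (and the saved original request) is lost after login. This
 * filter makes the session get created over HTTP first, while the login form
 * still posts the credentials to the HTTPS connector.
 */
public class PreLoginSessionFilter implements Filter {

    // Assumed values: ports from the thread, host hard-coded on purpose.
    // Building the form action from the Host header (request.getServerName())
    // would let a client steer where the credentials are posted.
    private static final String SERVER_HOST = "localhost";
    private static final int HTTP_PORT = 8080;
    private static final int HTTPS_PORT = 8443;

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Reached over HTTPS with no session yet: creating it here would yield a
        // Secure-only cookie. Bounce once to the HTTP URL of this same page.
        if (request.isSecure() && request.getSession(false) == null) {
            response.sendRedirect(absoluteUrl("http", HTTP_PORT,
                    request.getRequestURI(), request.getQueryString()));
            return;
        }

        // Plain HTTP: create the session (and its non-Secure cookie) now,
        // before any credentials are submitted.
        if (!request.isSecure()) {
            request.getSession(true);
        }

        // Give login.jsp the HTTPS action for its form, e.g.
        //   <form method="post" action="${loginPostUrl}"> ... j_username / j_password
        String action = absoluteUrl("https", HTTPS_PORT,
                request.getContextPath() + "/j_security_check", null);
        request.setAttribute("loginPostUrl", action);

        chain.doFilter(request, response);
    }

    /** Absolute URL on the configured host for the given scheme, port, path and query. */
    static String absoluteUrl(String scheme, int port, String path, String query) {
        StringBuilder url = new StringBuilder(scheme).append("://")
                .append(SERVER_HOST).append(':').append(port).append(path);
        if (query != null) {
            url.append('?').append(query);
        }
        return url.toString();
    }
}
```

Two things worth knowing before relying on this. First, when a user hits a protected *.do page over HTTP, Tomcat's FORM authenticator already creates the session (over HTTP, non-Secure cookie) to save the original request before forwarding to login.jsp, so the bounce only matters when login.jsp is opened over HTTPS directly. Second, the whole arrangement exists to let a cookie that identifies an authenticated session travel over plain HTTP; anyone who can read that traffic can replay it, which is the risk the Secure flag exists to remove. Protecting only the credential POST and not the authenticated pages buys little; putting the *.do resources under CONFIDENTIAL as well removes the cookie problem and the exposure together.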