So guys,

I want the user to be redirected to HTTPS once he hits an authenticated
page. So I think it would be natural something like this:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>SSL login</web-resource-name>
    <url-pattern>/login/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>MyRealm</realm-name>
  <form-login-config>
    <form-login-page>/login/login.jsp</form-login-page>
    <form-error-page>/login/error.jsp</form-error-page>
  </form-login-config>
</login-config>

The problem is the FormAuthenticator Valve uses a forward, so the URL used
is the one of the target page, not the login page. That means that the
/login/login.jsp URL is never requested and the security constraint is never
applied. The same way an Apache HTTPD proxy can't know whether the request
resulted in a login page or not.

As I see, the way it is, all authenticated pages must be set to CONFIDENTIAL
also (in case the user is not authenticated and ends up in the login page).
But if the user IS authenticated he is forced to use HTTPS too, and that I
was trying to avoid.

Am I missing something?

-- 
Rafael Liu
+55 61 9608-7722
http://rafaelliu.net
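The behaviour described in the post, modelled as an added example that is not part of the original message and not Tomcat's own code: a small Python model of how a servlet container matches <url-pattern> entries (exact, path-prefix `/x/*`, extension `*.jsp`, default `/`) and evaluates a security-constraint against the *original* request URI. The FORM authenticator's forward is modelled as a forward that keeps that URI, so a CONFIDENTIAL constraint on `/login/*` never fires unless the login page itself is requested. The names `Constraint`, `pattern_matches`, `handle_request` and the sample paths are assumptions made for this example.

```python
"""Simplified model of servlet <security-constraint> evaluation.

This is an illustration only: real containers (Tomcat's AuthenticatorBase)
check the transport guarantee first, then authenticate, both against the
URI of the request as it arrived, never against a forward target.
"""
from dataclasses import dataclass, field


@dataclass
class Constraint:
    name: str
    patterns: list                               # <url-pattern> entries
    transport: str = "NONE"                      # NONE or CONFIDENTIAL
    roles: list = field(default_factory=list)    # empty list = no auth needed


def pattern_matches(pattern: str, path: str) -> bool:
    """Apply the Servlet spec url-pattern rules to a request path."""
    if pattern in ("/", ""):                     # default / context-root pattern
        return True
    if pattern.endswith("/*"):                   # path-prefix mapping
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):                 # extension mapping
        return path.endswith(pattern[1:])
    return path == pattern                       # exact mapping


def _matching(constraints, path):
    return [c for c in constraints
            if any(pattern_matches(p, path) for p in c.patterns)]


def requires_https(constraints, path: str) -> bool:
    return any(c.transport == "CONFIDENTIAL" for c in _matching(constraints, path))


def requires_auth(constraints, path: str) -> bool:
    return any(c.roles for c in _matching(constraints, path))


def handle_request(constraints, path: str, secure: bool, authenticated: bool,
                   login_page: str = "/login/login.jsp"):
    """Return the container's action as (action, target) for the ORIGINAL path.

    Order mirrors the container: user-data-constraint (transport) first,
    then authentication. A FORM login is a server-side forward, so the
    request URI stays `path` and constraints on `login_page` are not consulted.
    """
    if requires_https(constraints, path) and not secure:
        return ("redirect-https", path)
    if requires_auth(constraints, path) and not authenticated:
        return ("forward", login_page)           # URI unchanged, no new constraint check
    return ("serve", path)


# Constructed sample: the post's /login/* constraint plus an authenticated area.
POST_CONFIG = [
    Constraint("SSL login", ["/login/*"], transport="CONFIDENTIAL"),
    Constraint("Secure area", ["/secure/*"], roles=["user"]),
]

# The author's fallback: the authenticated area is CONFIDENTIAL too.
ALL_HTTPS_CONFIG = [
    Constraint("SSL login", ["/login/*"], transport="CONFIDENTIAL"),
    Constraint("Secure area", ["/secure/*"], transport="CONFIDENTIAL", roles=["user"]),
]

if __name__ == "__main__":
    # Unauthenticated HTTP hit on a protected page: forwarded to the login page
    # over plain HTTP, because /login/* is never matched.
    print(handle_request(POST_CONFIG, "/secure/page.jsp", secure=False, authenticated=False))
    # Direct request for the login page: the constraint does apply.
    print(handle_request(POST_CONFIG, "/login/login.jsp", secure=False, authenticated=False))
    # Fallback config: even an authenticated user is pushed to HTTPS.
    print(handle_request(ALL_HTTPS_CONFIG, "/secure/page.jsp", secure=False, authenticated=True))
```

Running the module prints the three outcomes the post describes: the protected page forwards to the login page without an HTTPS redirect, only a direct `/login/login.jsp` request triggers the redirect, and marking `/secure/*` CONFIDENTIAL redirects authenticated users as well.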
