tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: j_secuity check and https
Date Mon, 01 Dec 2008 18:42:03 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Snaglefrac,

Snaglefrac wrote:
> Now, when someone logs in they are using an unsecured login screen and their
> passwords are sent unencrypted. The solution! HTTPS, no sweat, I have this
> working too. The only problem I have is having the HTTPS and LDAP security in
> one application. Additionally I do not want to have every page locked by
> HTTPS, only the login screen that gets called by the security constraint.

Okay, so you want to use regular HTTP for everything except the login
page. You just have to make sure that the user has a session before they
try to login.

> So when a user hits /gigatronic/index.jsp they are asked to log in because
> of the LDAP realm config. The pages used for the login I need in HTTPS.
> After a secure login it returns back to regular HTTP for the
> /gigatronic/index.jsp application.

Actually, you just need to submit to j_security_check using HTTPS.
Everything else can be regular HTTP.

> So how can I use HTTPS for only the j_security login portion I specified in
> web.xml and enforce the LDAP realm for the rest of my app without having the
> whole app in HTTPS.
> 
> I tried specifying the HTTPS for my login but the app would not start.
> ex:
> 	<form-login-config>
> 	   <form-login-page>https://www.blah.com/secure/login.jsp</form-login-page>
> 	   <form-error-page>https://www.blah.com/secure/loginerr.jsp</form-error-page>
> 	</form-login-config>
> This did not work.

Right. Tomcat doesn't do a redirect (or does for some versions and not
others... I can't keep it straight). What you need to do is this, in
your login.jsp page:

<%-- replace the leading "http" of the current URL with "https" and let Tomcat
     encode the session id into the action URL if cookies are not in use --%>
<form method="post" action="<%= response.encodeURL(request.getRequestURL().replace(0, 4, "https").toString()) %>">

This will submit your request to Tomcat using HTTPS. I'm not sure, but I
believe the original request will be to an HTTP URL if the original
request was to a non-secure URL. If not, you can always redirect
subsequent requests using a filter or something like that to go back to
HTTP.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkk0L/sACgkQ9CaO5/Lv0PB3oQCgwlyRwEGRE1EyebCyHt7blqRm
ynEAoL9zEa5YQWtm3yiqX74SoM/jPF4q
=JvFO
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
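A fuller version of the login page sketched in the reply above, as an added example that is not part of the original thread and not Tomcat's own code. It builds the https:// URL of j_security_check from the request components rather than string-replacing the scheme (which yields "httpss" when login.jsp is itself served over HTTPS), makes sure a session exists so Tomcat's FormAuthenticator can keep the saved request, and runs the action through response.encodeURL. The HTTPS connector port (443) and the context-relative location of j_security_check are assumptions.

```jsp
<%-- Added example login page (not from the original thread).
     ASSUMPTIONS: the HTTPS connector listens on 443, and the application's
     j_security_check lives directly under the context path. --%>
<%@ page contentType="text/html; charset=UTF-8" session="true" %>
<%
    // session="true" above creates a session on this plain-HTTP request if
    // none exists; FormAuthenticator stores the original (saved) request in
    // it and needs the same session when the HTTPS POST arrives.
    String host = request.getServerName();
    int httpsPort = 443; // ASSUMPTION: port of the HTTPS <Connector> in server.xml

    // Build the absolute https:// action from components instead of
    // rewriting the scheme of getRequestURL(), so this page works whether
    // it was reached over HTTP or HTTPS.
    StringBuilder action = new StringBuilder("https://").append(host);
    if (httpsPort != 443) {
        action.append(':').append(httpsPort);
    }
    action.append(request.getContextPath()).append("/j_security_check");

    // encodeURL appends ;jsessionid=... only when the client did not send a
    // session cookie, so the HTTPS submission still maps to this session.
    String encodedAction = response.encodeURL(action.toString());
%>
<html>
<body>
<form method="post" action="<%= encodedAction %>">
  <label>Username
    <input type="text" name="j_username" autocomplete="username">
  </label>
  <label>Password
    <input type="password" name="j_password" autocomplete="current-password">
  </label>
  <input type="submit" value="Log in">
</form>
</body>
</html>
```

Two points worth checking when using this with the web.xml from the question: form-login-page and form-error-page must be context-relative paths such as /secure/login.jsp (absolute https:// URLs there are what kept the application from starting), and the security constraint covering the rest of the application should keep transport-guarantee NONE so only the credential POST goes over HTTPS. The remaining exposure is the JSESSIONID cookie itself: issued over HTTP it carries no Secure flag, so the authenticated session, not the password, is what travels in the clear afterwards; Tomcat's authenticators can at least replace the session id at login (changeSessionIdOnAuthentication), which limits fixation of a pre-login id.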

