tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Justin Randall <>
Subject RE: j_security_check with https
Date Wed, 07 Jan 2009 03:13:27 GMT


First, to clear an incorrect point made...

There is a point of switching back to HTTP after HTTPS.  From a server load perspective having
to perform SSL computations for every single HTTP request can be a serious performance bottleneck.
 As for the security aspect, transmission of the username/password should be done over HTTPS,
as this is considered "private/confidential" data and can be used to establish future authenticated
sessions, however unless you are in a location where eavesdropping attacks are a risk, there
is no need for encryption as the session ID is either a hashed string in a cookie, or the
servlet is making use of URL re-writing, both of which are only "temporary passes" until the
HttpSession has been invalidated.

Second, to answer the question regarding actions redirect to HTTP...

The reason the redirects are not going to HTTPS is because of the RequestDispatcher.  When
Tomcat sees that you are trying to access a resource for which login is required, it FOWARDs
the request to the login form.  The security constraints defined in web.xml are for when requests
are made directly for those resources.  What this means is that your configuration to make
sure that the login pages use SSL only come into affect when the browser requests them directly.
 Requests that have been FORWARDed by the RequestDispatcher totally bypass the SSL constraints.

What is the solution?

Create a Filter subclass with the sole purpose of having its "doFilter" method call "sendRedirect"
on the HttpServletResponse object.  Map this Filter to the same URL pattern you use for SSL
and make sure to use the <dispatcher> tags for FORWARD, INCLUDE, ERROR, and whatever
other RequestDispatcher operations you want to ensure use SSL.

Hope this helps.


> Date: Tue, 6 Jan 2009 19:01:24 -0200
> From:
> To:
> Subject: Re: j_security_check with https
> this didnt work
>         <security-constraint>
> 		<web-resource-collection>
> 			<web-resource-name>Usuario</web-resource-name>	
> 			<url-pattern>/login/*</url-pattern>
> 			<http-method>POST</http-method>
> 			<http-method>GET</http-method>			
> 		</web-resource-collection>
> 			<user-data-constraint>
> 				<transport-guarantee>CONFIDENTIAL</transport-guarantee>
> 			</user-data-constraint>
> 	</security-constraint>
> if i try <myAPP>/login/login.jsp  work, but when i try an action and
> has restrict access, and havent user logged, tomcat redirect to login
> page with http !!!
> 2009/1/6 Caldarale, Charles R <>:
> >> From: Diego Armando Gusava []
> >> Subject: Re: j_security_check with https
> >>
> >> when u login, your username and password will be transport https, but
> >> after that, you are in http! u dont need https because, you are only
> >> reading messages(emails)
> >
> > And what does that have to do with the behavior of a servlet container?
> >
> >  - Chuck
> >
> >
and is thus for use only by the intended recipient. If you received this in error, please
contact the sender and delete the e-mail and its attachments from all computers.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail:
> > For additional commands, e-mail:
> >
> >
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

Keep in touch and up to date with friends and family. Make the connection now.
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message