tomcat-users mailing list archives

From Shantanu Upadhyaya <shantan...@gmail.com>
Subject How do I remove 'S' from HTTPS - JAAS configured on tomcat, JSF webapp
Date Wed, 02 Sep 2009 01:51:30 GMT

How do I remove HTTPS after logging in? I have read other posts. I still need
this thread as it has to do with JAAS on Tomcat. Please read on. For the
hasty, jump to 9 onwards.

My UI stack is as follows:
* JSF 1.2, Facelets, Richfaces 3.2.1
* JAAS
* Tomcat 6

0. Relevant web.xml entries
	<security-constraint>
		<display-name>User Login Page</display-name>
		<web-resource-collection>
			<web-resource-name>Login Resource</web-resource-name>
			<url-pattern>/pages/secure/*</url-pattern>
			<http-method>GET</http-method>
			<http-method>POST</http-method>
		</web-resource-collection>
		<auth-constraint>
			<role-name>User</role-name>
		</auth-constraint>
		<user-data-constraint>
			<transport-guarantee>CONFIDENTIAL</transport-guarantee>
		</user-data-constraint>
	</security-constraint>
	...
	...
	<login-config>
		<auth-method>FORM</auth-method>
		<realm-name>projx</realm-name>
		<form-login-config>
			<form-login-page>/pages/login/login.jsf</form-login-page>
			<form-error-page>/pages/login/loginerror.jsf</form-error-page>
		</form-login-config>
	</login-config>

0.1 Login page :

		<rich:panel id="loginPanel">
		<f:facet name="header">Login Panel</f:facet>
		<f:verbatim>
			<form method="post" action="j_security_check">
				<table><tr>
						<td>User Id</td>
						<td><input type="text" name="j_username" /></td>
					</tr>
					<tr>
						<td>Password</td>
						<td><input type="password" name="j_password" /></td>						
					</tr>
					<tr>
						<td align="center">
							<input type="submit" value="Login"  />
						</td>
				</tr></table>					
			</form>
		</f:verbatim>
		</rich:panel>

1. SSL Enabled Login page
2. Rest are non SSL-pages
3. JAAS Configured with some page requiring login (therefore fwd to SSL)
4. Homepage has 'Login' hyperlink -- which points to
-->/pages/secure/Userhomepage.jsf

Simple Login Use Case
------------------------
5. User clicks on 'Login' hyperlink

6. Tomcat CMA intercepts and takes user to /pages/login/login.jsf 
   but URL shows
   https://localhost:8443/abc/pages/secure/Userhomepage.jsf

7. User keys in credentials and login is successful

8. Userhomepage.jsf http response is generated and shown on browser BUT URL
is still
   https://localhost:8443/abc/pages/secure/Userhomepage.jsf


Problem
---------

9. HTTPS should not be shown from 8 onwards. How do I remove it?

Questions
------------

10. I know that HTTPS has to be programmatically removed. But between
    7 and 8, how do I do it?
    a) Where do I put URL rewrite filter code? It won't even be invoked.

    b) How can I do it programmatically when the redirection is being
       done by Tomcat?


On a side note (question on JAAS configured on Tomcat )
-------------------------------------------------------

11. Why do I have to declare '/pages/secure/*' with 
		<auth-constraint>
			<role-name>User</role-name>
		</auth-constraint>
    ? 
12. Why isn't there a way to just forward to login.jsf which forwards to
j_security_check?
        

13. Is there a way to make the Tomcat container aware of a JAAS Subject?
    What I would really like is a Richfaces modal panel for a login.
       
Such a simple use case has become really complicated. Instead of
flexibility across presentation layers, it ties you down to one mechanism.
Very frustrating.

Thank you!