Return-Path: 
 <users-return-201256-apmail-tomcat-users-archive=tomcat.apache.org@tomcat.apache.org>
Delivered-To: apmail-tomcat-users-archive@www.apache.org
Received: (qmail 95279 invoked from network); 2 Sep 2009 01:52:05 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3)
  by minotaur.apache.org with SMTP; 2 Sep 2009 01:52:05 -0000
Received: (qmail 18881 invoked by uid 500); 2 Sep 2009 01:52:01 -0000
Delivered-To: apmail-tomcat-users-archive@tomcat.apache.org
Received: (qmail 18796 invoked by uid 500); 2 Sep 2009 01:52:01 -0000
Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:users-help@tomcat.apache.org>
List-Unsubscribe: <mailto:users-unsubscribe@tomcat.apache.org>
List-Post: <mailto:users@tomcat.apache.org>
List-Id: <users.tomcat.apache.org>
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
Delivered-To: mailing list users@tomcat.apache.org
Received: (qmail 18785 invoked by uid 99); 2 Sep 2009 01:52:01 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 02 Sep 2009 01:52:01 +0000
X-ASF-Spam-Status: No, hits=1.5 required=10.0
	tests=SPF_HELO_PASS,SPF_PASS,WEIRD_PORT
X-Spam-Check-By: apache.org
Received-SPF: pass (nike.apache.org: domain of lists@nabble.com designates
 216.139.236.158 as permitted sender)
Received: from [216.139.236.158] (HELO kuber.nabble.com) (216.139.236.158)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 02 Sep 2009 01:51:51 +0000
Received: from isper.nabble.com ([192.168.236.156])
	by kuber.nabble.com with esmtp (Exim 4.63)
	(envelope-from <lists@nabble.com>)
	id 1Mif0U-0004sj-HT
	for users@tomcat.apache.org; Tue, 01 Sep 2009 18:51:30 -0700
Message-ID: <25250419.post@talk.nabble.com>
Date: Tue, 1 Sep 2009 18:51:30 -0700 (PDT)
From: Shantanu Upadhyaya <shantanu.u@gmail.com>
To: users@tomcat.apache.org
Subject: How do I remove 'S' from HTTPS - JAAS configured on tomcat, JSF
 webapp
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Nabble-From: shantanu.u@gmail.com
X-Virus-Checked: Checked by ClamAV on apache.org


How do I remove HTTPS after login in ? I have read other posts. I still need
this thread as it has to do with JAAS on tomcat. Please read on. For the
hasty, jump to 9 onwards.

My UI stack is as follows :
* JSF 1.2, Facelets, Richfaces 3.2.1
* JAAS
* Tomcat 6

0. Relevant web.xml entries
	<security-constraint>
		<display-name>User Login Page</display-name>
		<web-resource-collection>
			<web-resource-name>Login Resource</web-resource-name>
			<url-pattern>/pages/secure/*</url-pattern>
			<http-method>GET</http-method>
			<http-method>POST</http-method>
    		</web-resource-collection>
		<auth-constraint>
			<role-name>User</role-name>
		</auth-constraint>
		<user-data-constraint>
			<transport-guarantee>CONFIDENTIAL</transport-guarantee>
		</user-data-constraint>
	</security-constraint>
	...
	...
	<login-config>
		<auth-method>FORM</auth-method>
		<realm-name>projx</realm-name>
		<form-login-config>
			<form-login-page>/pages/login/login.jsf</form-login-page>
			<form-error-page>/pages/login/loginerror.jsf</form-error-page>
		</form-login-config>
	</login-config>

0.1 Login page :

		<rich:panel id="loginPanel">
		<f:facet name="header">Login Panel</f:facet>
		<f:verbatim>
			<form method="post" action="j_security_check ">
				<table><tr>
						<td>User Id</td>
						<td><input type="text" name="j_username" /></td>
					</tr>
					<tr>
						<td>Password</td>
						<td><input type="password" name="j_password" /></td>						
					</tr>
					<tr>
						<td align="center">
							<input type="submit" value="Login"  />
						</td>
				</tr></table>					
			</form>
		</f:verbatim>
		</rich:panel>

1. SSL Enabled Login page
2. Rest are non SSL-pages
3. JAAS Configured with some page requiring login (therefore fwd to SSL)
4. Homepage has 'Login' hyperlink -- which points to
-->/pages/secure/Userhomepage.jsf

Simple Login Usercase
------------------------
5. User clicks on 'Login' hyperlink

6. Tomcat CMA intercepts and takes user to /pages/login/login.jsf 
   but URL shows
   https://localhost:8443/abc/pages/secure/Userhomepage.jsf

7. User keys in credentials and login is successful

8. Userhomepage.jsf http response is generated and shown on browser BUT URL
is still
   https://localhost:8443/abc/pages/secure/Userhomepage.jsf


Problem
---------

9. HTTPS should not be show from 8 onwards. How do I remove it ?

Questions
------------

10. I know that HTTPS has to be programattically removed. But between
    7 and 8, How do I do it ? 
    a) Where do I put a URL rewrite filter code ? It won't even be invoked..
   
    b) How can I do it programmatically when the redirection is being 
       done by Tomcat ?


On a side note (question on JAAS configured on Tomcat )
-------------------------------------------------------

11. Why do I have to declare '/pages/secure/*' with 
		<auth-constraint>
			<role-name>User</role-name>
		</auth-constraint>
    ? 
12. Why isn't there a way to just forward to login.jsf which forwards to
j_security_check ?
        

13. Is there a way to make Tomcat container aware of a JAASubject
    What I would really like is a Richfaces modal panel for a login ?
       
Such a simple use case has become really complicated. Instead of
flexibility,
across presentation layers, it's ties you down to a one mechanism.
Very frustrating.

Thank you ! 
-- 
View this message in context: http://www.nabble.com/How-do-I-remove-%27S%27-from-HTTPS---JAAS-configured-on-tomcat%2C-JSF-webapp-tp25250419p25250419.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org