Hi!

By adding <user-data-constraint> to the DSpace web.xml file, the
password-login page could be accessed using HTTPS, redirected
automatically from HTTP access. But after entering uid and pwd, the
connection is made through an HTTP session and a message is displayed
about the non-secure connection. But if the first attempt is a failure,
then the second attempt will connect through HTTPS. Not sure why the SSL
sign goes off when authentication is successful in the first attempt and
stays on for the second attempt and subsequent steps. Will this create a
problem in generating handlers? Any suggestions regarding this behavior?

 

Thanks,

Jayan

 

  <security-constraint>
    <web-resource-collection>
      <web-resource-name> Protected Site </web-resource-name>

      <url-pattern>/profile</url-pattern>
      <url-pattern>/register</url-pattern>
      <url-pattern>/password-login</url-pattern>
      <url-pattern>/ldap-login</url-pattern>
    </web-resource-collection>

    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>

    <auth-constraint>
      <role-name> test </role-name>
    </auth-constraint>
  </security-constraint>

 

 

________________________________

From: Jayan Chirayath Kurian 
Sent: Friday, May 25, 2007 5:32 PM
To: [email protected]
Cc: Stuart Lewis [sdl]
Subject: Enabling HTTPS access for secure pages only.

 

Hi Stuart!

I wish to make the password-login page (secure pages) accessible through
HTTPS. For this I uncommented the "8443" port code in tomcat server.xml
and have redirectPort="8443" in the 8080 port code.

 

  

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="c:\keystore" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS" />

    <Connector port="8080" protocol="HTTP/1.1"
               maxThreads="150" connectionTimeout="20000"
               enableLookups="false"
               redirectPort="8443" />

 

 

In the DSpace web.xml (given below), I added the following security
constraints. Are there any modifications to be made in the source code
for activating HTTPS access for the password-login page and other secure
pages? I have gone through the link sent by Stuart:
http://wiki.dspace.org/index.php/ServletSecurity. Any help is
appreciated in this. Will these changes affect handlers in DSpace?

 

Thanks,

Jayan

 

  <security-constraint>
    <web-resource-collection>
      <web-resource-name> Protected Site </web-resource-name>

      <url-pattern>/profile</url-pattern>
      <url-pattern>/register</url-pattern>
      <url-pattern>/password-login</url-pattern>
      <url-pattern>/ldap-login</url-pattern>

      <http-method> DELETE </http-method>
      <http-method> GET </http-method>
      <http-method> POST </http-method>
      <http-method> PUT </http-method>
    </web-resource-collection>

    <auth-constraint>
      <!-- Roles that have access -->
      <role-name> test </role-name>
    </auth-constraint>
  </security-constraint>

 

 

_______________________________________________
DSpace-tech mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-tech
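
An added example, not part of the original messages and not DSpace code: a small Python check that reads the <security-constraint> from the first message and reports which request paths the container would force onto HTTPS. The function names are made up for this example, and the matcher is simplified: it does not model the servlet specification's precedence rules between overlapping constraints.

```python
import xml.etree.ElementTree as ET

# Constraint from the first message, wrapped in <web-app> so it parses alone.
WEB_XML = """<web-app><security-constraint>
  <web-resource-collection>
    <web-resource-name> Protected Site </web-resource-name>
    <url-pattern>/profile</url-pattern>
    <url-pattern>/register</url-pattern>
    <url-pattern>/password-login</url-pattern>
    <url-pattern>/ldap-login</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
  <auth-constraint><role-name> test </role-name></auth-constraint>
</security-constraint></web-app>"""


def _texts(node, name):
    """Stripped text of every descendant called `name`, ignoring namespaces."""
    return [(e.text or "").strip() for e in node.iter()
            if e.tag.rsplit("}", 1)[-1] == name]


def _matches(pattern, path):
    """Servlet url-pattern rules: default, '/prefix/*', '*.ext', exact."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def requires_https(web_xml, path, method="GET"):
    """True if a CONFIDENTIAL/INTEGRAL constraint covers path and method."""
    for node in ET.fromstring(web_xml).iter():
        if node.tag.rsplit("}", 1)[-1] != "security-constraint":
            continue
        if not {"CONFIDENTIAL", "INTEGRAL"} & set(_texts(node, "transport-guarantee")):
            continue
        for wrc in node:
            methods = _texts(wrc, "http-method")
            if (wrc.tag.endswith("web-resource-collection")
                    and (not methods or method in methods)
                    and any(_matches(p, path) for p in _texts(wrc, "url-pattern"))):
                return True
    return False
```

For this constraint, requires_https(WEB_XML, "/password-login") is True, while any path outside the four listed patterns (for instance a constructed sample path such as /mydspace) returns False, so the transport guarantee does not extend to pages requested after the login form.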
