web.xml question

2005-11-29 Thread Klotz Jr, Dennis
Hello all. I hope your day is going well.

I need your help.

I cannot get a forms based login page to use SSL when I think I've set up
the web.xml correctly.

Why doesn't my login.jsp use HTTPS when tomcat is invoking it for
authorization? (more details at the bottom)

Here are the relevant sections of my web.xml:

-

<!-- BEGIN_LOGIN_SECURITY -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Login page</web-resource-name>
    <url-pattern>/login.jsp</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>

  <!-- Enable this for SSL -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<!-- END_LOGIN_SECURITY -->

<!-- === -->

<!-- LOGIN AUTHENTICATION -->
<!-- Form authentication requires SSL -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Application</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/error_401.html</form-error-page>
  </form-login-config>
</login-config>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>VoIP Monitor Applications</web-resource-name>
    <url-pattern>/CallQDiagnostics.jsp</url-pattern>
    <url-pattern>/report_index.jsp</url-pattern>
    <url-pattern>/CallQAnalysis.jsp</url-pattern>
    <url-pattern>/index.jsp</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>

  <auth-constraint>
    <role-name>monitor_tier1</role-name>
    <role-name>monitor_guest</role-name>
    <role-name>monitor_admin</role-name>
    <role-name>monitor_tier3</role-name>
  </auth-constraint>

  <!-- Enable this for SSL -->
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

--

So here is what happens. I type the full URL to the CallQAnalysis.jsp
(for example) and the login.jsp is invoked BUT it has NOT been
redirected to the HTTPS connector (which is enabled and working).

Now if I type the address of the login.jsp directly, then the connection
is redirected over HTTPS. 

Why doesn't the login.jsp use HTTPS when tomcat is invoking it for
authorization?

Any help figuring out what I am doing wrong is greatly appreciated.


Sincerely,

Dennis Klotz

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: web.xml question

2005-11-29 Thread Tim Funk

Security constraints are only imposed on the incoming URL.

Long story short - you'll need to place the entire webapp in SSL. There is no 
clean way to use declarative statements to force the login to be SSL and the 
rest of the webapp be nonssl.


-Tim




RE: web.xml question

2005-11-29 Thread Klotz Jr, Dennis
Thanks for your reply.

I really hope that isn't the case. I really do not want the
computational overhead of SSL for the rest of my web application. We are
sending back thousands of rows of data.

Paulo, my co-worker, figured out that he could use a redirect inside of
the login.jsp to force the use of https but that in itself has problems.
For example, if you directly type the URL of that login.jsp you will get
a 400 error. (the login.jsp is no longer transparent - at least that is
my understanding)

I find this a hard pill to swallow :) that one must enable SSL for the
whole webapp if you wish to use a form based login.


-Dennis




RE: web.xml question

2005-11-29 Thread Dean Searle
Tim,

I'm not an expert with tomcat but how does a site like samsclub.com do
it then? I use their site a lot and it runs jsp's and most of the stuff
is unsecure (http) but when I get ready to do the actual purchase and
log in it is a secure site (https). Is there something that they are
doing, possibly masquerading the url or something?

Again not an expert, but something I have been interested in for some
time myself.

Dean 8-)




Re: web.xml question

2005-11-29 Thread Tim Funk
I would bet they are not using security constraints as defined in web.xml. I 
would bet they are using a 3rd party solution implemented as a Servlet Filter 
or something application server specific to handle this login issue. Notice 
they do not use JSESSIONID but something called BV_SessionID as parameter in 
the query string. A quick google search seems to show they use BroadVision.


-Tim

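Tim's two points in this thread are that a security constraint is matched only against the URL the browser actually requested (Tomcat reaches login.jsp by an internal forward, so the CONFIDENTIAL guarantee on /login.jsp never fires), and that sites which keep only the login step on HTTPS do it with a Servlet Filter rather than with web.xml constraints. The filter below is an added example of that approach written for this thread; it is not code from the thread, from Tomcat or from BroadVision. It targets the Servlet 2.4 API that Tomcat 5.x implements; the package, class and init-parameter names and the port 8443 are assumptions, and the web.xml mapping it needs is given in the leading comment.

```java
/*
 * Added example, not code from this thread or from Tomcat.
 * Assumed web.xml mapping (Servlet 2.4):
 *
 *   <filter>
 *     <filter-name>LoginHttpsFilter</filter-name>
 *     <filter-class>example.LoginHttpsFilter</filter-class>
 *     <init-param>
 *       <param-name>httpsPort</param-name>
 *       <param-value>8443</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>LoginHttpsFilter</filter-name>
 *     <url-pattern>/login.jsp</url-pattern>
 *     <dispatcher>REQUEST</dispatcher>
 *     <dispatcher>FORWARD</dispatcher>
 *   </filter-mapping>
 *
 * FORWARD is the important part: Tomcat's FORM authenticator reaches the
 * login page through an internal forward, which neither a REQUEST-only
 * filter mapping nor a <transport-guarantee> on /login.jsp ever sees.
 */
package example;   // hypothetical package name

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class LoginHttpsFilter implements Filter {

    /** Port of the HTTPS connector; 8443 is only an assumed default. */
    private int httpsPort = 8443;

    public void init(FilterConfig config) throws ServletException {
        String port = config.getInitParameter("httpsPort");
        if (port != null) {
            httpsPort = Integer.parseInt(port.trim());
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // isSecure() is true only for requests that arrived on the SSL connector
        // (or on a connector marked secure="true" behind a TLS-terminating front end).
        if (!request.isSecure()) {
            // encodeRedirectURL keeps the session id if URL rewriting is in use.
            // With cookies, the JSESSIONID the authenticator set while saving the
            // original request is sent again on the HTTPS hit, so the saved request
            // (and therefore j_security_check) still works after the redirect.
            response.sendRedirect(response.encodeRedirectURL(httpsUrl(request, httpsPort)));
            return;
        }
        chain.doFilter(req, res);
    }

    /** Rebuilds the current request as an absolute https:// URL, keeping path and query. */
    static String httpsUrl(HttpServletRequest request, int httpsPort) {
        StringBuffer url = new StringBuffer("https://").append(request.getServerName());
        if (httpsPort != 443) {
            url.append(':').append(httpsPort);
        }
        // Inside a forward the path methods already describe the forward target
        // (/app/login.jsp), which is exactly the page we want served over HTTPS.
        url.append(request.getRequestURI());
        String query = request.getQueryString();
        if (query != null) {
            url.append('?').append(query);
        }
        return url.toString();
    }

    public void destroy() {
    }
}
```

Two caveats a practitioner would check. First, the filter cannot protect the j_security_check POST itself, because Tomcat's authenticator valve consumes that URL before any filter runs; keep the form's action relative (action="j_security_check") so the browser posts it to the same HTTPS origin the page came from, after which Tomcat redirects back to the originally requested plain-HTTP URL, which is the split Dennis asked for. Second, this protects only the credentials: the JSESSIONID cookie is still sent over plain HTTP for the rest of the application, so anyone who can observe that traffic can reuse the authenticated session. That exposure is the price of keeping the bulk of the webapp on HTTP, and it is worth stating explicitly when choosing this design over Tim's advice to put the whole application behind SSL.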



Re: web.xml question

2005-11-29 Thread Robert Palmer
I was planning on doing this by having Apache handle the SSL and using 
its configuration file to differentiate between SSL'd areas of the site 
and non-SSL'd areas. Is this an option or should i rethink this?

