How do I remove HTTPS after logging in? I have read other posts. I still need this thread as it has to do with JAAS on Tomcat. Please read on. For the hasty, jump to 9 onwards.

My UI stack is as follows:

* JSF 1.2, Facelets, Richfaces 3.2.1
* JAAS
* Tomcat 6

0. Relevant web.xml entries

    <security-constraint>
        <display-name>User Login Page</display-name>
        <web-resource-collection>
            <web-resource-name>Login Resource</web-resource-name>
            <url-pattern>/pages/secure/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>User</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    ...
    ...
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>projx</realm-name>
        <form-login-config>
            <form-login-page>/pages/login/login.jsf</form-login-page>
            <form-error-page>/pages/login/loginerror.jsf</form-error-page>
        </form-login-config>
    </login-config>

0.1 Login page:

    <rich:panel id="loginPanel">
        <f:facet name="header">Login Panel</f:facet>
        <f:verbatim>
            <form method="post" action="j_security_check">
                <table>
                    <tr>
                        <td>User Id</td>
                        <td><input type="text" name="j_username" /></td>
                    </tr>
                    <tr>
                        <td>Password</td>
                        <td><input type="password" name="j_password" /></td>
                    </tr>
                    <tr>
                        <td align="center">
                            <input type="submit" value="Login" />
                        </td>
                    </tr>
                </table>
            </form>
        </f:verbatim>
    </rich:panel>

1. SSL-enabled login page
2. The rest are non-SSL pages
3. JAAS configured with some pages requiring login (therefore forwarded to SSL)
4. Homepage has a 'Login' hyperlink, which points to /pages/secure/Userhomepage.jsf

Simple Login Use Case
------------------------
5. User clicks on the 'Login' hyperlink
6. Tomcat CMA intercepts and takes the user to /pages/login/login.jsf, but the URL shows https://localhost:8443/abc/pages/secure/Userhomepage.jsf
7. User keys in credentials and login is successful
8. The Userhomepage.jsf HTTP response is generated and shown in the browser, BUT the URL is still https://localhost:8443/abc/pages/secure/Userhomepage.jsf

Problem
---------
9. HTTPS should not be shown from 8 onwards. How do I remove it?

Questions
------------
10. I know that HTTPS has to be programmatically removed. But between 7 and 8, how do I do it?
    a) Where do I put URL rewrite filter code? It won't even be invoked.
    b) How can I do it programmatically when the redirection is being done by Tomcat?

On a side note (question on JAAS configured on Tomcat)
-------------------------------------------------------
11. Why do I have to declare '/pages/secure/*' with <auth-constraint> <role-name>User</role-name> </auth-constraint>?
12. Why isn't there a way to just forward to login.jsf, which forwards to j_security_check?
13. Is there a way to make the Tomcat container aware of a JAAS Subject?

What I would really like is a Richfaces modal panel for a login. Such a simple use case has become really complicated. Instead of flexibility across presentation layers, it ties you down to one mechanism. Very frustrating.

Thank you!

--
View this message in context: http://www.nabble.com/How-do-I-remove-%27S%27-from-HTTPS---JAAS-configured-on-tomcat%2C-JSF-webapp-tp25250419p25250419.html
Sent from the Tomcat - User mailing list archive at Nabble.com.