I am using form-based authentication for my application and I'd like to require SSL for the login and then redirect to http for the rest of the application. I've found this article and source code helpful:
http://www.javaworld.com/javaworld/jw-02-2002/jw-0215-ssl.html

I'm also encrypting the password before I send it to the container-managed authentication using a variation of this:
http://www.mail-archive.com/[email protected]/msg22257.html

I'm protecting /do/* and mapping this to my action class. Everything is working great when I use only one protocol; when I try to switch between the two during login, I'm having difficulty. My login page has an action of "auth/" which maps to a LoginAction servlet (regular servlet) which encrypts the password and redirects to "j_security_check" with username and password.

Attempted solution 1: If I use <transport-guarantee>CONFIDENTIAL</transport-guarantee> in my web.xml and I try to access a protected resource, Mozilla will automatically switch me to https and present me with my login page. Slick! IE gives me a "Server Not Found" error :-( I'm using the latest versions of both on the latest Mac and Win platforms.
Problem: This makes all /do/* resources (which is everything in my app except the welcome page) require SSL. I don't want this, only the login page.

Attempted solution 2: Added JavaScript to my welcome page that redirects to an https version of the page.
Problem: This works as long as users always enter the app from the welcome page; it doesn't solve the problem of when users bookmark locations in my app. I think form-based authentication is very slick for allowing bookmarks. Solution #1 solves this problem for Mozilla, but also requires SSL for the entire app.

Attempted solution 3: Used the SSL-Ext as explained in the JavaWorld article above. Change <transport-guarantee> to NONE. Use solution #2 to make https used on the login screen. I'm only using this in my Struts action classes after a user hits the /do/* mapping.
Problem: Doesn't solve the bookmark issue. This works GREAT in IE 6: I click login and I get a message that states "You are being redirected to a connection that is not secure." I click Yes and I'm good to go, very similar to what happens when a user logs into Yahoo Mail and uses "secure" mode. In Mozilla, this is a whole other issue: what happens is that I'm directed to the login page using https, I enter my information, and then I'm redirected to the same login page using http (not SSL). I enter my credentials AGAIN, and then I'm authenticated. My log files for the two requests look quite different. You can see the Tiles messages in the Mozilla log that show the redirect to the login page again.

Any ideas or comments? Any advice or help is appreciated,

Matt

LOG WHEN USING IE:
------------------------------------
DEBUG [HttpProcessor[8443][3]] [Init] LoginAction.execute(145) | Encrypting password for user 'admin'
DEBUG [HttpProcessor[8443][3]] [Init] LoginAction.execute(155) | Authenticating user 'admin'
before URL: https://localhost:8443/onpoint/do/mainMenu.jsp
after URL: http://localhost:8080/onpoint/do/mainMenu.jsp
DEBUG [HttpProcessor[8443][3]] [Actions] BaseAction.checkSsl(66) | redirectString: http://localhost:8080/onpoint/do/mainMenu.jsp
before URL: http://localhost:8443/onpoint/do/mainMenu.jsp
after URL: http://localhost:8080/onpoint/do/mainMenu.jsp
DEBUG [HttpProcessor[8080][3]] [Actions] BaseAction.checkSsl(66) | redirectString: http://localhost:8080/onpoint/do/mainMenu.jsp
DEBUG [HttpProcessor[8080][3]] [Actions] BaseAction.checkSsl(66) | redirectString: null
DEBUG [HttpProcessor[8080][3]] [Actions] DefaultAction.execute(77) | Requested URI: '/onpoint/do/mainMenu.jsp'
DEBUG [HttpProcessor[8080][3]] [Actions] DefaultAction.execute(78) | Forwarding to: '/mainMenu.jsp'

LOG WHEN USING MOZILLA:
------------------------------------
DEBUG [HttpProcessor[8443][4]] [Init] LoginAction.execute(145) | Encrypting password for user 'admin'
DEBUG [HttpProcessor[8443][4]] [Init] LoginAction.execute(155) | Authenticating user 'admin'
before URL: https://localhost:8443/onpoint/do/mainMenu.jsp
after URL: http://localhost:8080/onpoint/do/mainMenu.jsp
DEBUG [HttpProcessor[8443][3]] [Actions] BaseAction.checkSsl(66) | redirectString: http://localhost:8080/onpoint/do/mainMenu.jsp
insert page='/layouts/baseLayout.jsp'.
insert page='/common/header.jsp'.
insert page='/pages/login.jsp'.
insert page='/common/footer.jsp'.
insert page='/pages/menuHint.jsp'.
DEBUG [HttpProcessor[8080][3]] [Init] LoginAction.execute(145) | Encrypting password for user 'admin'
DEBUG [HttpProcessor[8080][3]] [Init] LoginAction.execute(155) | Authenticating user 'admin'
DEBUG [HttpProcessor[8080][3]] [Actions] BaseAction.checkSsl(66) | redirectString: null
DEBUG [HttpProcessor[8080][3]] [Actions] DefaultAction.execute(77) | Requested URI: '/onpoint/do/mainMenu.jsp'
DEBUG [HttpProcessor[8080][3]] [Actions] DefaultAction.execute(78) | Forwarding to: '/mainMenu.jsp'
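The scheme switching that the post does per-action through SSL-Ext and a JavaScript redirect can also be done once, for every request URI (bookmarked ones included), with a servlet filter. The filter below is an added example written for this page; it is not code from the post, from SSL-Ext or from Struts. It assumes it is mapped to /* in web.xml, that the login form and its handler live under the prefixes in SECURE_PREFIXES, and that the two ports come from init-params named "httpPort" and "httpsPort" (the 8080/8443 defaults match the logs above); all of those names are hypothetical.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative scheme-switching filter (added example, not code from the post
 * or from SSL-Ext). Login-related URIs are forced onto HTTPS and every other
 * URI onto plain HTTP by redirecting to the same path on the other scheme.
 *
 * Hypothetical assumptions: mapped to /* in web.xml; the login form and its
 * handler sit under SECURE_PREFIXES; ports come from init-params "httpPort"
 * and "httpsPort" (defaults are the 8080/8443 seen in the logs above).
 */
public class SchemeSwitchFilter implements Filter {

    /** Context-relative URI prefixes that must be served over HTTPS. */
    private static final String[] SECURE_PREFIXES = { "/auth", "/login.jsp" };

    private int httpPort = 8080;
    private int httpsPort = 8443;

    public void init(FilterConfig config) throws ServletException {
        String port = config.getInitParameter("httpPort");
        if (port != null) {
            httpPort = Integer.parseInt(port);
        }
        port = config.getInitParameter("httpsPort");
        if (port != null) {
            httpsPort = Integer.parseInt(port);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Context-relative path, e.g. "/do/mainMenu.jsp" or "/auth/".
        String path = request.getRequestURI().substring(request.getContextPath().length());
        boolean wantSecure = requiresSsl(path);

        if (wantSecure == request.isSecure()) {
            chain.doFilter(req, res); // already on the right scheme
            return;
        }
        if (!"GET".equals(request.getMethod())) {
            // A redirect turns a POST into a GET and drops its body, so a form
            // submitted on the wrong scheme is refused rather than replayed.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "wrong scheme for " + path);
            return;
        }
        response.sendRedirect(buildRedirect(request, path, wantSecure));
    }

    /** True when the context-relative path must be served over HTTPS. */
    static boolean requiresSsl(String path) {
        for (int i = 0; i < SECURE_PREFIXES.length; i++) {
            if (path.startsWith(SECURE_PREFIXES[i])) {
                return true;
            }
        }
        return false;
    }

    /** Same host, context, path and query string, on the other scheme and port. */
    String buildRedirect(HttpServletRequest request, String path, boolean secure) {
        StringBuffer url = new StringBuffer(secure ? "https://" : "http://");
        url.append(request.getServerName());
        url.append(':').append(secure ? httpsPort : httpPort);
        url.append(request.getContextPath()).append(path);
        if (request.getQueryString() != null) {
            url.append('?').append(request.getQueryString());
        }
        return url.toString();
    }

    public void destroy() {
    }
}
```

Two things to check when running a setup like this. First, j_security_check is normally consumed by the container's form authenticator before the filter chain runs, so the prefix list covers the page that hosts the form rather than the handler itself. Second, a session created over HTTPS is typically issued with a Secure cookie, and a browser that honours that attribute will not send it on the following plain-HTTP request; the server then sees no session and serves the login page again, which is exactly the symptom of a second login prompt after the switch to http. Whether the container marks the session cookie Secure, and whether the browser drops it, is the first thing worth confirming with the browser's cookie view and the container's access log.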

