On Dec 2, 2013, at 3:43 PM, Dave <[email protected]> wrote:

> On Sat, Nov 30, 2013 at 2:04 PM, Glen Mazza <[email protected]> wrote:
>
>> Hi, for a Roller installation I'd like to secure the site so my login
>> password isn't being sent via cleartext, but at the same time not have the
>> entire blog on SSL for performance reasons (blog readers will never log in,
>> so if they can use HTTP alone that would be good.) I see these possibilities:
>>
>> 1.) Activate SSL for the login page only, and keep the rest HTTP-only. Is
>> that doable with Roller and would it provide sufficient security? I.e., I'm
>> not sure if any cookies sent back and forth during subsequent edits would
>> create security problems akin to sending the password cleartext if those
>> cookies themselves weren't encrypted.
>
> That would work and I think going all SSL is not a bad option these days.
> However, you need to get a validated cert and that costs money on the order
> of a couple hundred bucks last time I checked.
>
>> 2.) Use two URLs--Use https:// for the entire site for myself only,
>> since I'm the only one logging in, but use cleartext HTTP for blog readers.
>> This could work but I'm concerned any Google returns for blog articles
>> would point to the https:// and not the http:// URL.
>
> Security experts warn against this, but I've seen it implemented in
> production several times (with Roller) and nothing bad happened (that I
> know about). Still, you have the cost of getting a validated cert. I'm not
> sure of the status of our SSL enforcement filter (to force SSL for login
> and password change pages). Maybe it is not needed and Spring Security
> already has something?

Yes, Spring Security already has support for switching b/w http and https
for certain URLs.
http://docs.spring.io/spring-security/site/docs/3.0.x/reference/ns-config.html#ns-requires-channel

>> 3.) Use Open ID to authenticate -- this could(?) allow me to keep the blog
>> 100% HTTP-only while keeping the third-party authentication on SSL.
>
> This might be the best option because you don't have to buy a cert. The one
> wrinkle is that we may have borked OpenID support with our recent
> dependency changes, not sure tho.
>
> Hope that helps.
>
> - Dave
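An added example, not from the thread or from Roller's own config, of the Spring Security 3.0.x `requires-channel` setup the link above describes, forcing HTTPS only on the login and password-change URLs (option 1) while leaving the rest of the blog on either scheme; the /roller-ui/... patterns and the 8080/8443 ports are assumptions for a Tomcat-hosted Roller and must be matched to the installed version.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <http auto-config="true">
        <!-- Most specific patterns first: the channel filter takes the first match.
             A request for these over plain http is redirected to https before
             the form (and the password) is ever served. Paths are assumptions. -->
        <intercept-url pattern="/roller-ui/login.rol"    requires-channel="https" />
        <intercept-url pattern="/roller_j_security_check" requires-channel="https" />
        <intercept-url pattern="/roller-ui/profile.rol"  requires-channel="https" />

        <!-- Public blog pages: readers may stay on http, no redirect either way -->
        <intercept-url pattern="/**" requires-channel="any" />

        <!-- Redirect targets need the matching https port when Tomcat is not
             on 80/443; 8080 -> 8443 is an assumed deployment, not a Roller default -->
        <port-mappings>
            <port-mapping http="8080" https="8443" />
        </port-mappings>

        <form-login login-page="/roller-ui/login.rol"
                    login-processing-url="/roller_j_security_check" />
    </http>
</beans:beans>
```

This protects the password on the wire but not the session cookie Glen asks about: after an https login, every later http edit request carries the cookie in the clear, so the editing URLs (for instance /roller-ui/**) should also be listed as `requires-channel="https"`, with the cookie marked Secure in the container, leaving http to the read-only blog pages.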
