Hi Steven,

I believe you can bypass navigation rules by doing this in an action method:
 facesContext.getExternalContext().redirect(url);

As the documentation for this method states, this calls
 facesContext.responseComplete();
which will prevent later stuff like navigation rules from processing.

Regards,

Simon

Steven Gollery wrote:
"...send a redirect to the current page, replacing https with http...."

Exactly what I don't see how to do. Is there some way to set the protocol in
a navigation-rule? Or is there another way to do a redirect in JSF?

Steven Gollery



Andrew Robinson-5 wrote:
If you don't care about remembering the user, then just use the
sandbox form control. It allows you to set the protocol for a form
post. Otherwise, if you are already on the server, send a redirect to
the current page, replacing https with http.

On 11/8/06, Steven Gollery <[EMAIL PROTECTED]> wrote:
Okay -- let me expand the use case a bit.

The site has two parts, one public and one private. A user logs in, does
whatever he needs to do in the secure area, and then logs out. At that
point, I would like to go back to using http instead of https.

But I can't find the way to do this. Changing the cookie from secure=true to
secure=false doesn't switch from https to http. Neither does setting the
cookie's maxAge to 0.

As far as I can see, once a JSF site is using https, there's no way to
switch back to http, even though this is a common requirement for real-world
sites (example: every online shopping site I've ever seen).

What am I missing?

Steven Gollery



Andrew Robinson-5 wrote:
No there isn't a safe way to do this, especially if you are using
401/HTTP authentication. The cookie that stores the servlet session ID
is marked as secure and therefore cannot be viewed outside of HTTPS.
Once you leave HTTPS and enter HTTP, a new servlet session will be
started and you will not have access to any of your HTTPS information.

If you forced the HTTPS cookie into not-secure mode, you now open your
application to impersonation attacks. Anyone could easily snag that
cookie definition from the HTTP request headers and impersonate that
user, bypassing login. The one way to have a secure application is to
stay in HTTPS.

If you aren't worried about impersonation attacks and don't care much
about user's security, just set the cookie's secure flag to false.


On 11/3/06, Steven Gollery <[EMAIL PROTECTED]> wrote:
I'm using the sandbox s:form component to send login information over https.
This works fine. Now the problem is: I don't want to run the whole site in
https after users login, so I'd like to switch back somehow for the next
page. Any way to do that?


--
View this message in context:
http://www.nabble.com/leaving-https-tf2570694.html#a7166089
Sent from the MyFaces - Users mailing list archive at Nabble.com.
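
The redirect and the session concern discussed in this thread, combined in one logout action. This is an added example, not code from the thread or from MyFaces; the bean name LogoutBean, PUBLIC_PATH and HTTP_PORT are assumptions, and a servlet (not portlet) environment is assumed.

```java
import java.io.IOException;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical backing bean (assumption, not part of the original thread).
public class LogoutBean {
    private static final String PUBLIC_PATH = "/index.jsf"; // assumed public landing page
    private static final int HTTP_PORT = 80;                // assumed plain-HTTP connector port

    // Builds the absolute http:// target from fixed configuration plus the
    // request's server name and context path. No request parameter is used,
    // so the target cannot be steered through the query string. Where the
    // container does not validate the Host header, use a configured host name
    // instead of the request's server name.
    static String publicUrl(String serverName, String contextPath) {
        String port = (HTTP_PORT == 80) ? "" : ":" + HTTP_PORT;
        return "http://" + serverName + port + contextPath + PUBLIC_PATH;
    }

    public String logout() throws IOException {
        FacesContext fc = FacesContext.getCurrentInstance();
        ExternalContext ec = fc.getExternalContext();
        HttpServletRequest req = (HttpServletRequest) ec.getRequest();

        // End the authenticated session while still on HTTPS. The session id
        // carried by the Secure cookie is then dead on the server before the
        // browser makes any plain-HTTP request, and the cookie itself never
        // needs its Secure flag removed.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // redirect() sends the redirect and calls responseComplete(), so the
        // navigation rules are not consulted for this request.
        ec.redirect(publicUrl(req.getServerName(), req.getContextPath()));
        return null; // outcome is ignored once the response is complete
    }
}
```

The public pages reached this way run in a fresh, unauthenticated session, which matches the behaviour Andrew describes for leaving HTTPS.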

