I'm also struggling with https-related issues.
Just for future reference, the servlet spec allows the following to be
specified in the web.xml file:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Encrypted Area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>USER</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
This will ensure that any direct access to a url starting with "/secure"
will automatically be sent a redirect to https. For Tomcat the port used
is whatever is specified in the tomcat server.xml file as the
"redirectPort".
This might suit you, and would be the easiest solution if it does.
There are a couple of problems with this though:
(a) There is no way to switch *out* of https using this mechanism AFAIK.
The <transport-guarantee> tag can take one of these constants:
  CONFIDENTIAL (https)
  INTEGRAL (https)
  NONE
The NONE value allows anything, so an https request stays in https. If
this supported an INSECURE tag life would be much easier!
(b) This doesn't appear to catch internal forwards (in Tomcat 5.5 at
least). So a JSF navigation rule without a redirect won't trigger the
switch. And unfortunately neither will an internal forward to the login
page caused by a security constraint :-(. The login one is particularly
nasty; if someone accesses a secure page using http, then what is
usually wanted is for the user to be redirected to the login page using
https. However instead what happens is that the browser is served the
contents of the login page without a redirect (just an internal
forward). The browser URL bar therefore does not show https and the
"action" url in the login form will be interpreted relative to the "last
known" url - which is http. It is possible to use an absolute https url
for the form action but it's tricky, and the user doesn't get any
feedback to confirm that the credentials *are* actually posted in https.
I'm currently experimenting with filter-based solutions. I would suggest
investigating the Spring ACEGI project; it might have a better solution
pre-built (it's not an option for me for various reasons). Using Spring
with JSF is great BTW...
Regards,
Simon

Andrew Robinson wrote:
Two methods:
1) In your action or actionListener use the external context to send a
   redirect, or
2) Use a custom navigation handler that builds a URL then changes the
   protocol

On 5/2/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
Does anyone have any tips how you can implement navigating to and from
an HTTPS URL from a commandLink or commandButton?
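
One shape a filter-based approach like the one mentioned in the reply above could take, as an added example that is not code from this thread or from any project named in it. The class name and the "httpsHost"/"httpsPort" init-params are assumptions, and whether a container runs FORWARD-mapped filters on its own login-page forward is container-dependent and has to be tested.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical example filter (class name and init-params are assumptions).
 * Map it in web.xml to the protected patterns and the login page, with
 * <dispatcher>REQUEST</dispatcher> and <dispatcher>FORWARD</dispatcher>.
 */
public class RequireHttpsFilter implements Filter {
    private String httpsHost;      // canonical host name, from init-param "httpsHost"
    private int httpsPort = 443;   // set to the connector's redirectPort if not 443

    public void init(FilterConfig cfg) throws ServletException {
        httpsHost = cfg.getInitParameter("httpsHost");
        if (httpsHost == null) throw new ServletException("httpsHost init-param is required");
        String port = cfg.getInitParameter("httpsPort");
        if (port != null) httpsPort = Integer.parseInt(port);
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        if (req.isSecure()) { chain.doFilter(rq, rs); return; }
        // Data posted over http has already crossed the wire in clear: refuse it.
        if (!"GET".equals(req.getMethod()) && !"HEAD".equals(req.getMethod())) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        // On a forward, the URL the browser asked for is in the forward.* attributes.
        String uri = (String) req.getAttribute("javax.servlet.forward.request_uri");
        String query = (String) req.getAttribute("javax.servlet.forward.query_string");
        if (uri == null) { uri = req.getRequestURI(); query = req.getQueryString(); }
        // Redirect to a configured host, never to the client-supplied Host header.
        StringBuffer url = new StringBuffer("https://").append(httpsHost);
        if (httpsPort != 443) url.append(':').append(httpsPort);
        url.append(uri);
        if (query != null) url.append('?').append(query);
        res.sendRedirect(url.toString());
    }

    public void destroy() { }
}
```

Because the redirect targets the originally requested URL over https, the browser's address bar shows https before the login form is rendered, so a relative form "action" resolves to https as well.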