shumbola wrote:


Upayavira-2 wrote:
shumbola wrote:
I want to be able to switch to SSL when the SignIn page is shown to a user and,
if successful, then switch back to the normal HTTP protocol. I'm using
wicket-1.3.
We recently had a security firm audit our application. They pointed out that such an approach is flawed.

Basically, you secure the transfer of username/passwords, but from then on, you pass a session cookie unprotected. For the lifespan of that cookie, gaining access to the cookie would grant the same access to the application as would the username/password.

Therefore, by rights, if you wish to protect the transfer of username/password, the entire application should use SSL.

Hope I'm not missing something.

Regards, Upayavira

In my Application class I've come up with the following:

    protected IRequestCycleProcessor newRequestCycleProcessor() {
        return new WebRequestCycleProcessor() {
            public void respond(RequestCycle requestCycle) {
                IRequestTarget target = requestCycle.getRequestTarget();
                WebResponse response = (WebResponse) requestCycle.getResponse();
                WebRequest request = (WebRequest) requestCycle.getRequest();
                HttpServletRequest httpServletRequest = request.getHttpServletRequest();
                if (target instanceof BookmarkablePageRequestTarget) {
                    Page page = ((BookmarkablePageRequestTarget) target).getPage();
                    if (page instanceof SignIn && !httpServletRequest.isSecure()) {
                        // SignIn requested over plain HTTP: redirect to the same page on the HTTPS port.
                        // HTTPS_PORT is assumed to be a constant defined elsewhere in the Application class.
                        StringBuffer url = new StringBuffer("https://");
                        url.append(httpServletRequest.getServerName());
                        url.append(":").append(HTTPS_PORT);
                        String s = RequestCycle.get().urlFor(target).toString();
                        url.append("/app/").append(s);
                        response.redirect(url.toString());
                    } else if (page instanceof Home && httpServletRequest.isSecure()) {
                        // Home requested over HTTPS: switch back to the plain HTTP port.
                        // HTTP_PORT is likewise assumed to be a constant defined in the Application class.
                        StringBuffer url = new StringBuffer("http://");
                        url.append(httpServletRequest.getServerName());
                        url.append(":").append(HTTP_PORT);
                        String s = RequestCycle.get().urlFor(target).toString();
                        url.append("/app/").append(s);
                        response.redirect(url.toString());
                    } else {
                        target.respond(requestCycle);
                    }
                } else {
                    target.respond(requestCycle);
                }
            }
        };
    }

It kinda works but I'm not sure if I'm doing it the right way. And I'm not
sure if it is bug free. I don't fully understand how the Wicket RequestCycle
works, so I need your help there.

Thanks.
shumbola




Don't Yahoo Mail, Gmail, etc. work that way? When I go to my Yahoo Mail it switches to the SSL sign-in page and afterwards
switches back to HTTP. Or is there additional protection then?

Not aware of any additional protection. If they are using a session key, that could be hijacked. Use the Firefox Web Developer plugin to view request headers and see what a snooper could find. Then make your own decision. It is your site and you need to decide upon the level of security required.

Regards, Upayavira
