users@glassfish.java.net

How to only secure the login page

From: <glassfish_at_javadesktop.org>
Date: Mon, 15 Oct 2007 21:39:16 PDT

I'm trying to implement a secure form based login using https for my web application. What I want is for only the login page to use https, with the rest of the application using http. My problem is I get all or nothing. If I specify transport-guarantee CONFIDENTIAL for the application's jsp and Servlets, https is always applied to the user session (obviously) - but if I specify a security constraint for the login page with transport-guarantee CONFIDENTIAL, Glassfish seems to ignore the fact that it is serving login.jsp and uses the security constraint for the originally requested resource instead. Below is the security related portion of the web.xml that I'm using.

Thanks in advance


Spencer


<!-- Security section of a web.xml (fragment, no enclosing <web-app> shown).
     Constraint 1: every *.do resource requires the Administrator role.
     It carries no <user-data-constraint>, so these resources are served
     over plain http once the user is logged in. -->
<security-constraint>
        <display-name>webAdminConstraint</display-name>
        <web-resource-collection>
            <web-resource-name>Admin Resources</web-resource-name>
            <description/>
            <url-pattern>*.do</url-pattern>
            <!-- Listing <http-method> elements scopes the constraint to exactly
                 these methods; any other method would be unconstrained. Omitting
                 <http-method> altogether applies the constraint to all methods. -->
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>Administrator</role-name>
            </auth-constraint>
        </security-constraint>
    <!-- Constraint 2: the login page itself, forced onto https.
         NOTE(review): this pattern is /jsp/login.jsp, but <form-login-page>
         below names /jsp/logon.jsp - one of the two is probably a typo, and
         as written this constraint never matches the page the container
         actually shows.
         NOTE(review): the container reaches the form-login page while
         servicing the request for the protected *.do resource, so the
         constraint it enforces is the one matching that original URL, not
         one declared for the login page - consistent with the behaviour
         described in the post; confirm against the servlet spec version in
         use. -->
    <security-constraint>
        <display-name>Login</display-name>
        <web-resource-collection>
            <web-resource-name>Secure Login</web-resource-name>
            <description>HTTPS login</description>
            <url-pattern>/jsp/login.jsp</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <!-- NOTE(review): requiring the Administrator role on the login page
             means an unauthenticated user (who has no role yet) cannot fetch it
             directly; verify this <auth-constraint> is intended here. -->
        <auth-constraint>
            <description/>
            <role-name>Administrator</role-name>
            </auth-constraint>
        <!-- CONFIDENTIAL protects only the credential exchange. After login the
             session identifier is carried on every following http request to
             the *.do resources in clear text, so the authenticated session is
             not protected by this constraint. -->
        <user-data-constraint>
            <description/>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
        </security-constraint>
    <!-- Form-based authentication against the "File" realm. -->
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>File</realm-name>
        <form-login-config>
            <!-- See the note on constraint 2: "logon" here vs "login" in the
                 <url-pattern> above. -->
            <form-login-page>/jsp/logon.jsp</form-login-page>
            <form-error-page>/jsp/logon-error.jsp</form-error-page>
            </form-login-config>
        </login-config>
    <!-- The single role referenced by both <auth-constraint> elements. -->
    <security-role>
        <description>Allows full access to the system</description>
        <role-name>Administrator</role-name>
    </security-role>
[Message sent by forum member 'spencerthomo' (spencerthomo)]

http://forums.java.net/jive/thread.jspa?messageID=240281