users@glassfish.java.net

Re: How to only secure the login page

From: Sahoo <Sahoo_at_Sun.COM>
Date: Tue, 16 Oct 2007 11:59:38 +0530

Can you check your web.xml again? You have configured login page as
jsp/logon.jsp, yet you have specified /jsp/login.jsp as the URL pattern
in <security-constraint>.

Thanks,
Sahoo

glassfish_at_javadesktop.org wrote:
> I'm trying to implement a secure form based login using https for my web application. What I want is for only the login page to use https, with the rest of the application using http. My problem is I get all or nothing. If I specify transport-guarantee CONFIDENTIAL for the application's jsp and Servlets, https is always applied to the user session (obviously) - but if I specify a security constraint for the login page with transport-guarantee CONFIDENTIAL, Glassfish seems to ignore the fact it is using the login.jsp and uses the security constraint for the requested resource instead. Below is the security related portion of the web.xml that I'm using.
>
> Thanks in advance
>
>
> Spencer
>
>
> <security-constraint>
> <display-name>webAdminConstraint</display-name>
> <web-resource-collection>
> <web-resource-name>Admin Resources</web-resource-name>
> <description/>
> <url-pattern>*.do</url-pattern>
> <http-method>GET</http-method>
> <http-method>POST</http-method>
> <http-method>HEAD</http-method>
> <http-method>PUT</http-method>
> <http-method>OPTIONS</http-method>
> <http-method>TRACE</http-method>
> <http-method>DELETE</http-method>
> </web-resource-collection>
> <auth-constraint>
> <description/>
> <role-name>Administrator</role-name>
> </auth-constraint>
> </security-constraint>
> <security-constraint>
> <display-name>Login</display-name>
> <web-resource-collection>
> <web-resource-name>Secure Login</web-resource-name>
> <description>HTTPS login</description>
> <url-pattern>/jsp/login.jsp</url-pattern>
> <http-method>GET</http-method>
> <http-method>POST</http-method>
> <http-method>HEAD</http-method>
> <http-method>PUT</http-method>
> <http-method>OPTIONS</http-method>
> <http-method>TRACE</http-method>
> <http-method>DELETE</http-method>
> </web-resource-collection>
> <auth-constraint>
> <description/>
> <role-name>Administrator</role-name>
> </auth-constraint>
> <user-data-constraint>
> <description/>
> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> </user-data-constraint>
> </security-constraint>
> <login-config>
> <auth-method>FORM</auth-method>
> <realm-name>File</realm-name>
> <form-login-config>
> <form-login-page>/jsp/logon.jsp</form-login-page>
> <form-error-page>/jsp/logon-error.jsp</form-error-page>
> </form-login-config>
> </login-config>
> <security-role>
> <description>Allows full access to the system</description>
> <role-name>Administrator</role-name>
> </security-role>
> [Message sent by forum member 'spencerthomo' (spencerthomo)]
>
> http://forums.java.net/jive/thread.jspa?messageID=240281
>
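As an added example (not from either message in this thread), a web.xml fragment that applies Sahoo's observation: the login constraint's <url-pattern> uses the same path as <form-login-page>, and the constraint carries only a transport guarantee, no role requirement. The path /jsp/logon.jsp is taken from the original post; everything else in the fragment is assumed.

```xml
<!-- Added example, not the poster's configuration: the login-page
     constraint names the same path as <form-login-page> below. The
     original post mixed /jsp/login.jsp (constraint) and /jsp/logon.jsp
     (login-config), so the constraint never matched the real page. -->
<security-constraint>
  <display-name>Login</display-name>
  <web-resource-collection>
    <web-resource-name>Secure Login</web-resource-name>
    <!-- Must match <form-login-page> and <form-error-page> exactly -->
    <url-pattern>/jsp/logon.jsp</url-pattern>
    <url-pattern>/jsp/logon-error.jsp</url-pattern>
    <!-- No <http-method> list: the constraint then covers every method,
         so nothing is left reachable over plain HTTP by an odd verb -->
  </web-resource-collection>
  <!-- Deliberately no <auth-constraint>: the login page is requested
       before the user holds any role, so requiring Administrator here
       would be circular. Only the transport is constrained. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>File</realm-name>
  <form-login-config>
    <!-- Same paths as the <url-pattern> entries above -->
    <form-login-page>/jsp/logon.jsp</form-login-page>
    <form-error-page>/jsp/logon-error.jsp</form-error-page>
  </form-login-config>
</login-config>
```

Because the login form is served over HTTPS, a relative form action of j_security_check posts the credentials over HTTPS as well. The session cookie issued after login will still travel over plain HTTP to the rest of the application, so this layout protects the password in transit but not the authenticated session.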