Hi there,
Q1: this is the relevant part of web.xml:
<security-constraint>
    <display-name>Login</display-name>
    <web-resource-collection>
        <web-resource-name>Main</web-resource-name>
        <url-pattern>/pages/main.jsf</url-pattern>
        <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
For all that matters, note that main.jsf is the main page of the web application, and it also contains the login controls. The root file index.jsp redirects to it, see below -- maybe it's also relevant:
<%@taglib uri="http://java.sun.com/jstl/core" prefix="c"%>
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Insert title here</title>
</head>
<body>
<c:redirect url="pages/main.jsf"></c:redirect>
</body>
</html>
Q2: How do you mean it's not possible? All web sites do that, they do not stay in HTTPS forever! That would consume a lot of server computing power.
I think that once the login has succeeded, a session bean on the server side should store the user data for the duration of the session and use it accordingly (country, language, locale, preferences etc.); however, subsequent pages should not be encrypted.
[Message sent by forum member 'memox26' (memox26)]
http://forums.java.net/jive/thread.jspa?messageID=328248
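
Added example, not part of the original post: a small Python check that reads a web.xml and reports, for each url-pattern under a CONFIDENTIAL transport guarantee, which HTTP methods the constraint leaves uncovered because of its <http-method> list. The sample is the constraint quoted above wrapped in a constructed <web-app> root; the function name and method list are illustrative, and the check matches url-patterns literally and ignores <http-method-omission>.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the post wrapped in a <web-app> root.
WEB_XML = """<web-app>
  <security-constraint>
    <display-name>Login</display-name>
    <web-resource-collection>
      <web-resource-name>Main</web-resource-name>
      <url-pattern>/pages/main.jsf</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS")

def _local(tag):
    # Drop any "{namespace}" prefix so namespaced web.xml files also match.
    return tag.rsplit("}", 1)[-1]

def _kids(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def methods_without_tls(web_xml):
    """Map each url-pattern under a CONFIDENTIAL constraint to the methods left uncovered."""
    covered = {}
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        guarantees = {(g.text or "").strip()
                      for udc in _kids(sc, "user-data-constraint")
                      for g in _kids(udc, "transport-guarantee")}
        if "CONFIDENTIAL" not in guarantees:
            continue
        for wrc in _kids(sc, "web-resource-collection"):
            listed = {(m.text or "").strip().upper() for m in _kids(wrc, "http-method")}
            # No <http-method> element means the constraint covers every method.
            scope = listed or set(METHODS)
            for pat in _kids(wrc, "url-pattern"):
                covered.setdefault((pat.text or "").strip(), set()).update(scope)
    return {p: [m for m in METHODS if m not in c] for p, c in covered.items()}

if __name__ == "__main__":
    for pattern, gaps in methods_without_tls(WEB_XML).items():
        print(pattern, "no transport guarantee for:", ", ".join(gaps) or "none")
```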