2 HTTPS questions

memox26
Joined: 2009-01-10

I'm using JSF on GlassFish for a web application.

Q1: If I set up web.xml to use SSL for the login page using HTTP POST, the following happens: the page is loaded normally, using HTTP; when pressing the Submit button the page is reloaded, this time using HTTPS; pressing the Submit button the second time, it does what it is supposed to do (verify password, go to the user home page etc.) Why? And how to overcome this?
Note that if I specify both GET and POST for this page, the page is loaded with HTTPS directly, and pressing Submit just once is enough (as it should).

Q2: After a successful login, the user is redirected to the home page, which is not listed in web.xml as CONFIDENTIAL; however, the browser stays in HTTPS. How do I convince it to go back to HTTP?

Cheers,
Memo

kumarjayanti
Joined: 2003-12-10

> I'm using JSF on GlassFish for a web application.
>
> Q1: If I set up web.xml to use SSL for the login page
> using HTTP POST, the following happens: the page is
> loaded normally, using HTTP; when pressing the Submit
> button the page is reloaded, this time using HTTPS;
> pressing the Submit button the second time, it does
> what it is supposed to do (verify password, go to the
> user home page etc.) Why? And how to overcome this?
> Note that if I specify both GET and POST for this
> page, the page is loaded with HTTPS directly, and
> pressing Submit just once is enough (as it should).
>
Can you post your web.xml? I would like to reproduce this and see.

> Q2: After a successful login, the user is redirected
> to the home page, which is not listed in
> web.xml as CONFIDENTIAL; however, the browser stays
> in HTTPS. How do I convince it to go back to HTTP?
>

This is not possible today. But why do you want to do that? What in your opinion should happen to the SSL session that was established after authentication?

memox26
Joined: 2009-01-10

Hi there,

Q1: this is the relevant part of web.xml:


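    <security-constraint>
        <display-name>Login</display-name>
        <web-resource-collection>
            <web-resource-name>Main</web-resource-name>
            <url-pattern>/pages/main.jsf</url-pattern>
            <http-method>POST</http-method>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>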

For all that matters, note that main.jsf is the main page of the web application, and it also contains the login controls. The root file index.jsp redirects to it, see below -- maybe it's also relevant:

<%@taglib uri="http://java.sun.com/jstl/core" prefix="c"%>
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>




Insert title here


Q2: How do you mean it's not possible? All web sites do that, they do not stay in HTTPS forever! That would consume a lot of server computing power.

I think that once the login succeeded, a session bean on the server side should store the user data for the duration of the session and use it accordingly (country, language, locale, preferences etc.); however, subsequent pages should not be encrypted.
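
The constraint from Q1, shown as an added example (not part of the original posts) beside a variant that covers every HTTP method. It relies on Servlet-specification behaviour: a constraint that lists `<http-method>` elements applies only to those methods, and one that lists none applies to all methods for the URL pattern. The names and path are taken from the thread; use one constraint or the other, not both.

```xml
<!-- Added example. Values (Login, Main, /pages/main.jsf) come from the thread. -->

<!-- As posted in Q1: only POST is listed. A GET for the page is not covered,
     so the login form is delivered over plain HTTP and only the form
     submission is sent to the HTTPS port. -->
<security-constraint>
    <display-name>Login</display-name>
    <web-resource-collection>
        <web-resource-name>Main</web-resource-name>
        <url-pattern>/pages/main.jsf</url-pattern>
        <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- Variant: no <http-method> element, so GET, POST and every other method
     on this URL require HTTPS. The form is then loaded over HTTPS before the
     user types a password. Listing GET and POST explicitly, as the poster
     tried, also loads the page over HTTPS but leaves other methods
     outside the constraint. -->
<security-constraint>
    <display-name>Login</display-name>
    <web-resource-collection>
        <web-resource-name>Main</web-resource-name>
        <url-pattern>/pages/main.jsf</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```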