Posted to users@myfaces.apache.org by SO...@austin.rr.com on 2007/05/02 22:46:10 UTC

Navigation to and from an HTTPS URL

Does anyone have any tips how you can implement navigating to and from
an HTTPS URL from a commandLink or commandButton?

Re: Navigation to and from an HTTPS URL

Posted by Simon Kitching <si...@rhe.co.nz>.
I'm also struggling with https-related issues.

Just for future reference, the servlet spec allows the following to be 
specified in the web.xml file:

   <security-constraint>
     <web-resource-collection>
       <web-resource-name>Encrypted Area</web-resource-name>
       <url-pattern>/secure/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
       <role-name>USER</role-name>
     </auth-constraint>
     <user-data-constraint>
       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
     </user-data-constraint>
   </security-constraint>

This will ensure that any direct access to a url starting with "/secure" 
will automatically be sent a redirect to https. For Tomcat the port used 
is whatever is specified in the tomcat server.xml file as the 
"redirectPort".

This might suit you, and would be the easiest solution if it does.

There are a couple of problems with this though:

(a) There is no way to switch *out* of https using this mechanism AFAIK.
The <transport-guarantee> tag can take one of these constants:
   CONFIDENTIAL (https)
   INTEGRAL (https)
   NONE
The NONE value allows anything, so an https request stays in https. If 
this supported an INSECURE tag life would be much easier!

(b) This doesn't appear to catch internal forwards (in Tomcat 5.5 at 
least). So a JSF navigation rule without a redirect won't trigger the 
switch. And unfortunately neither will an internal forward to the login 
page caused by a security constraint :-(. The login one is particularly 
nasty; if someone accesses a secure page using http, then what is 
usually wanted is for the user to be redirected to the login page using 
https. However instead what happens is that the browser is served the 
contents of the login page without a redirect (just an internal 
forward). The browser URL bar therefore does not show https and the 
"action" url in the login form will be interpreted relative to the "last 
known" url - which is http. It is possible to use an absolute https url 
for the form action but it's tricky, and the user doesn't get any 
feedback to confirm that the credentials *are* actually posted in https.

I'm currently experimenting with filter-based solutions. I would suggest 
investigating the Spring ACEGI project; it might have a better solution 
pre-built (it's not an option for me for various reasons). Using Spring 
with JSF is great BTW...

Regards,

Simon


Andrew Robinson wrote:
> Two methods:
> 
> 1) In your action or actionListener use the external context to send a
> redirect or
> 2) Use a custom navigation handler that builds a URL then changes the 
> protocol
> 
> On 5/2/07, SOSELLA@austin.rr.com <SO...@austin.rr.com> wrote:
>> Does anyone have any tips how you can implement navigating to and from
>> an HTTPS URL from a commandLink or commandButton?
>>


Session and javax.faces.request.charset

Posted by Dfr <df...@wm.ru>.
Hello,

I have 3 questions.
1. As I understood after reading the t:saveState guide, JSF doesn't need 
sessions at all to operate correctly.
Being curious, I checked out my current app - all backing beans are in 
"request" scope, I also cleaned all cookies out of the browser, but every 
JSF page is still sending a Set-Cookie header and holding a session.
2. It is also strange that the session contains a single attribute:
"javax.faces.request.charset"
What is even stranger is its value: ISO-8859-5, while I set UTF-8 in every 
possible place in my pages.
So the question is: how to gracefully change its value to UTF-8
(because the charset sometimes breaks during form submit) and why it lives in 
session but not in application scope.
3. Sometimes during form submit, if validation errors occur, the input 
fields' charset gets broken; it doesn't happen every time, maybe 1 of 20 submits.


Re: Navigation to and from an HTTPS URL

Posted by William Keicher <wm...@gmail.com>.
Hi Andrew,

Another approach is to use a PhaseListener to cause the redirects.  See the
following link for an example:
http://fr.sys-con.com/read/250254_2.htm

As for losing your session when transitioning from https to http, that helps
prevent session hijacking of a secure session.  Depending on your use case,
you could first establish the session over an http request.  Then it should
be maintained across subsequent jumps between http and https.

Bill


On 5/3/07, Andrew Robinson <an...@gmail.com> wrote:
>
> For the custom navigation handler, I don't have an example, but you
> could just setup some kind of pattern that you could parse via regex.
> Something like
>
> secure:/myview.xhtml
>
> Then in the navigation handler, see:
> private final static String SECURE = "secure:";
> ...
> if (viewId.startsWith(SECURE))
> {
>   viewId = viewId.substring(SECURE.length());
>   // see if the HttpServletRequest.isSecure() returns false
>   // if so then:
>   // get the faces external context
>   // build the full URL including "https"
>   // call external context.redirect
>   // call context.responseComplete();
> }
> else ...
>
> You have to use a redirect one way or another, so it being in a
> navigation handler just makes it available to all action responses.
>
> Also, make sure you remember once you redirect the user, they may lose
> their session, and they definitely will if you redirect from HTTPS to
> HTTP. Servlets use an in-memory cookie to store the session ID. Since
> it is a cookie, it falls under the W3C specification for cookie
> handling. So for example, if the cookie is marked as secure, it cannot
> be seen from HTTP.
>
> Make sure you are not planning on authenticating them under HTTPS, and
> then redirecting them to HTTP and trying to retain an insecure session
> ID. If so, impersonation attacks would be a piece of cake against your
> code.
>

Re: Navigation to and from an HTTPS URL - One Last Question

Posted by Andrew Robinson <an...@gmail.com>.
import java.io.IOException;
import javax.faces.FacesException;
import javax.faces.application.NavigationHandler;
import javax.faces.component.UIViewRoot;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletRequest;

// Decorating handler: JSF passes the previously registered (default) handler
// to this constructor when the class is declared in faces-config.xml
public class SecureNavigationHandler extends NavigationHandler
{
  private final static String SECURE_PREFIX = "secure:";
  private final NavigationHandler wrapped;

  public SecureNavigationHandler(NavigationHandler wrapped)
  {
    this.wrapped = wrapped;
  }

  @Override
  public void handleNavigation(FacesContext context, String fromAction,
    String outcome)
  {
    // outcome in the format of "secure:viewid"
    if (outcome != null && outcome.startsWith(SECURE_PREFIX))
    {
      String viewId = outcome.substring(SECURE_PREFIX.length());
      // note, this will only work for servlets, not portlets
      HttpServletRequest req = (HttpServletRequest)context
        .getExternalContext().getRequest();
      if (!req.isSecure())
      {
        // getActionURL maps the view id to the FacesServlet URL (e.g.
        // /page.xhtml -> /myapp/page.jsf) and already includes the
        // context path, so it is not appended a second time here
        String url = context.getApplication().getViewHandler()
            .getActionURL(context, viewId);
        if (url != null)
        {
          url = context.getExternalContext().encodeActionURL(url);
          StringBuilder sb = new StringBuilder("https://")
            .append(req.getServerName()) // TODO: support alternate port #
            .append(url);
          // ExternalContext.redirect declares IOException; wrap it
          try { context.getExternalContext().redirect(sb.toString()); }
          catch (IOException e) { throw new FacesException(e); }
          context.responseComplete();
        }
      }
      else
      {
        // already on HTTPS: show the view in place, as the default
        // handler does for a matching navigation case
        UIViewRoot view = context.getApplication().getViewHandler()
            .createView(context, viewId);
        context.setViewRoot(view);
      }
    }
    else
      wrapped.handleNavigation(context, fromAction, outcome);
  }
}


Note that this approach requires that your outcome is in a viewID format.

Other ideas to avoid that are to (1) use a custom view handler (and
parse the view ID there), (2) use a custom servlet filter to ensure
requests are secure (and make sure this filter fires on REQUEST, FORWARD and
INCLUDE) or (3) use web.xml to ensure the URL is secure/confidential,
and use <redirect /> in your navigation cases.

There may be other possibilities, but none are out of the box with JSF
1.1 (or 1.2 that I know of). If the navigation handler would have a
"String getViewId(FacesContext, String, String)" method, it would be
much better, but it doesn't (I've requested it be added to the
specification, but not sure how that is coming along).

-Andrew


On 5/4/07, SOSELLA@austin.rr.com <SO...@austin.rr.com> wrote:
> Andrew,
>
> In your response, you wrote "build the full URL including 'https'".
> However, when you get the viewId in handleNavigation, it has the actual
> file name, e.g., "page.xhtml" (I am using facelets).  However, I think
> (maybe I am wrong) that an actual URL has to be of the form "page.jsf"
> (if using ".jsf" as the filter url-pattern).  Would it be safe to simply
> replace ".xhtml" with ".jsf" to form the URL (along with "https://")?
> Or is there a way to change the protocol to HTTPS and then just use the
> same viewId (without the "secure:" prefix)?
>
> Thanks!
>

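The filter-based route Simon was experimenting with and Andrew's option (2) above, as an added example that is not code posted by anyone in this thread: a servlet Filter that forces HTTPS for configured URL prefixes and, when mapped with <dispatcher> elements, also fires on internal forwards and includes, which the web.xml security constraint misses. The class HttpsFilter, the package example, and the init-params securePrefixes and httpsPort are assumptions.

```java
package example;
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
/*
 * Assumed web.xml wiring (Servlet 2.4+). The <dispatcher> elements are what
 * make the filter see a JSF forward to a secure view or to the login page:
 *   <filter><filter-name>HttpsFilter</filter-name>
 *     <filter-class>example.HttpsFilter</filter-class>
 *     <init-param><param-name>securePrefixes</param-name>
 *       <param-value>/secure/,/login.jsf</param-value></init-param>
 *     <init-param><param-name>httpsPort</param-name>
 *       <param-value>8443</param-value></init-param></filter>
 *   <filter-mapping><filter-name>HttpsFilter</filter-name>
 *     <url-pattern>/*</url-pattern><dispatcher>REQUEST</dispatcher>
 *     <dispatcher>FORWARD</dispatcher><dispatcher>INCLUDE</dispatcher>
 *   </filter-mapping>
 */
public class HttpsFilter implements Filter
{
  private String[] securePrefixes;
  private int httpsPort;

  public void init(FilterConfig config) throws ServletException
  {
    securePrefixes = config.getInitParameter("securePrefixes").split(",");
    String port = config.getInitParameter("httpsPort");
    httpsPort = (port == null) ? 443 : Integer.parseInt(port.trim());
  }

  public void doFilter(ServletRequest request, ServletResponse response,
    FilterChain chain) throws IOException, ServletException
  {
    HttpServletRequest req = (HttpServletRequest) request;
    // Context-relative path of the resource being dispatched; during a
    // FORWARD this is the forward target, not the URL the browser sent
    String path = req.getServletPath();
    if (req.getPathInfo() != null) path += req.getPathInfo();

    if (!req.isSecure() && needsHttps(path))
    {
      // Redirect to the same resource over HTTPS (a POST becomes a GET,
      // so secure forms must already be served from an https page)
      ((HttpServletResponse) response).sendRedirect(httpsUrl(req, path));
      return;
    }
    // Deliberately no https -> http downgrade: a session cookie flagged
    // secure is not sent over http, so the login would be lost anyway
    chain.doFilter(request, response);
  }

  boolean needsHttps(String path)
  {
    for (String prefix : securePrefixes)
      if (path.startsWith(prefix.trim())) return true;
    return false;
  }

  String httpsUrl(HttpServletRequest req, String path)
  {
    StringBuilder sb = new StringBuilder("https://").append(req.getServerName());
    if (httpsPort != 443) sb.append(':').append(httpsPort);
    sb.append(req.getContextPath()).append(path);
    if (req.getQueryString() != null) sb.append('?').append(req.getQueryString());
    return sb.toString();
  }

  public void destroy() {}
}
```
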
Re: Navigation to and from an HTTPS URL - One Last Question

Posted by SO...@austin.rr.com.
Andrew,

In your response, you wrote "build the full URL including 'https'". 
However, when you get the viewId in handleNavigation, it has the actual
file name, e.g., "page.xhtml" (I am using facelets).  However, I think
(maybe I am wrong) that an actual URL has to be of the form "page.jsf"
(if using ".jsf" as the filter url-pattern).  Would it be safe to simply
replace ".xhtml" with ".jsf" to form the URL (along with "https://")? 
Or is there a way to change the protocol to HTTPS and then just use the
same viewId (without the "secure:" prefix)?

Thanks!



Re: Navigation to and from an HTTPS URL

Posted by Andrew Robinson <an...@gmail.com>.
Staying in HTTPS is required to ensure that the user who logged in is
the user accessing the HttpSession.

Downside to staying in HTTPS is that it is slower as both ends have to
handle encryption and decryption.

On 5/3/07, SOSELLA@austin.rr.com <SO...@austin.rr.com> wrote:
> Andrew & Bill,
>
> So is it common form to stay in HTTPS once the user establishes a
> secure connection and authentication?  Because if this is the case, then
> I don't have to really do anything special for navigation handling.  Are
> there any downsides to continuing to use HTTPS?  I am not sure I could
> guarantee that the user (benign or malicious) wouldn't start from my
> HTTPS login URL rather than from the HTTP main page URL.
>
> Thanks again for your valuable input.
>

Re: Navigation to and from an HTTPS URL

Posted by SO...@austin.rr.com.
Andrew & Bill,

So is it common form to stay in HTTPS once the user establishes a
secure connection and authentication?  Because if this is the case, then
I don't have to really do anything special for navigation handling.  Are
there any downsides to continuing to use HTTPS?  I am not sure I could
guarantee that the user (benign or malicious) wouldn't start from my
HTTPS login URL rather than from the HTTP main page URL.

Thanks again for your valuable input.


Re: Navigation to and from an HTTPS URL

Posted by Andrew Robinson <an...@gmail.com>.
For the custom navigation handler, I don't have an example, but you
could just setup some kind of pattern that you could parse via regex.
Something like

secure:/myview.xhtml

Then in the navigation handler, see:
private final static String SECURE = "secure:";
...
if (viewId.startsWith(SECURE))
{
  viewId = viewId.substring(SECURE.length());
  // see if the HttpServletRequest.isSecure() returns false
  // if so then:
  // get the faces external context
  // build the full URL including "https"
  // call external context.redirect
  // call context.responseComplete();
}
else ...

You have to use a redirect one way or another, so it being in a
navigation handler just makes it available to all action responses.

Also, make sure you remember once you redirect the user, they may lose
their session, and they definitely will if you redirect from HTTPS to
HTTP. Servlets use an in-memory cookie to store the session ID. Since
it is a cookie, it falls under the W3C specification for cookie
handling. So for example, if the cookie is marked as secure, it cannot
be seen from HTTP.

Make sure you are not planning on authenticating them under HTTPS, and
then redirecting them to HTTP and trying to retain an insecure session
ID. If so, impersonation attacks would be a piece of cake against your
code.


On 5/3/07, SOSELLA@austin.rr.com <SO...@austin.rr.com> wrote:
> Andrew,
>
> Thanks for the tips.  I think that method (1) can work for me in some
> situations, but not in general.  Would you happen to know or have any
> examples for the method (2) [custom navigation handler]?  I appreciate
> your help *very* much!
>
>

Re: Navigation to and from an HTTPS URL

Posted by SO...@austin.rr.com.
Andrew,

Thanks for the tips.  I think that method (1) can work for me in some
situations, but not in general.  Would you happen to know or have any
examples for the method (2) [custom navigation handler]?  I appreciate
your help *very* much!



Re: Navigation to and from an HTTPS URL

Posted by Andrew Robinson <an...@gmail.com>.
Two methods:

1) In your action or actionListener use the external context to send a
redirect or
2) Use a custom navigation handler that builds a URL then changes the protocol

On 5/2/07, SOSELLA@austin.rr.com <SO...@austin.rr.com> wrote:
> Does anyone have any tips how you can implement navigating to and from
> an HTTPS URL from a commandLink or commandButton?
>