Posted to users@tomcat.apache.org by Bello Martinez Sergio <se...@televes.es> on 2007/03/19 09:32:25 UTC
Http to https and viceversa without session losing
Hi all,
I'm working with the following scenario: I have a web application running
under apache-mod_jk-tomcat. I access this application through https, but
I have an applet in a page, and this applet accesses the server periodically
to get data through http (I can't use https at this point, it's a
requirement). When I click a link in the web application to get
another page (using https) I stated that I've lost the session data,
because of the applet's accesses through http. Does anybody know a workaround
for this problem? Is there any way to keep session data when changing
browser-server communications from http to https and vice versa?
Thanks in advance
Sergio
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Http to https and viceversa without session losing
Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
You'd be walking into a security hazard, but you could probably set the
cookie to secure even though it is running in http.
In org.apache.catalina.connector.Request.java the cookie is set; as you can see
in the last few lines, the cookie is only set to secure if the request is
considered secure.
    protected void configureSessionCookie(Cookie cookie) {
        // session cookie: -1 means it lives until the browser is closed
        cookie.setMaxAge(-1);
        String contextPath = null;
        if (!connector.getEmptySessionPath() && (getContext() != null)) {
            contextPath = getContext().getEncodedPath();
        }
        // scope the cookie to the web application's context path, falling back to "/"
        if ((contextPath != null) && (contextPath.length() > 0)) {
            cookie.setPath(contextPath);
        } else {
            cookie.setPath("/");
        }
        // the Secure attribute is only added when this request itself arrived over SSL
        if (isSecure()) {
            cookie.setSecure(true);
        }
    }
Please note: this is the recommended behavior; if you tamper with
it, you could have potential problems on your hands.
Filip
Bello Martinez Sergio wrote:
> Hi all,
> I'm working with the following scenario: I have a web application running
> under apache-mod_jk-tomcat. I access this application through https,
> but I have an applet in a page, and this applet accesses the server
> periodically to get data through http (I can't use https at this
> point, it's a requirement). When I click a link in the web
> application to get another page (using https) I stated that I've lost
> the session data, because of the applet's accesses through http. Does anybody
> know a workaround for this problem? Is there any way to keep session
> data when changing browser-server communications from http to https and
> vice versa?
> Thanks in advance
>
> Sergio
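To make the mechanism behind Filip's answer concrete, here is an added illustration (my own model, not Tomcat or browser code) of the two rules that produce the "lost session": a browser only attaches a cookie carrying the Secure attribute to https requests, and a later Set-Cookie with the same name and path replaces the stored cookie (RFC 6265 section 5.3 behaviour; the newer "no overwrite from an insecure origin" rule of 6265bis is deliberately not modelled, matching the browsers of the time). The server side mirrors the quoted configureSessionCookie() logic: a new JSESSIONID is scoped to the context path and marked Secure only when the request came in over https. The hypothetical force_secure flag models the tampering Filip warns about; the context path, session ids and the user "alice" are constructed sample values.

```python
import itertools
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    path: str
    secure: bool


class CookieJar:
    """Toy browser cookie jar (constructed model, not real browser code).

    * A Secure cookie is attached only to https requests.
    * A later Set-Cookie with the same name and path replaces the stored
      cookie regardless of its Secure flag (plain RFC 6265 behaviour).
    """

    def __init__(self):
        self._cookies = {}

    def store(self, cookie):
        self._cookies[(cookie.name, cookie.path)] = cookie

    def cookies_for(self, scheme, url_path):
        return [c for c in self._cookies.values()
                if (url_path == c.path or url_path.startswith(c.path + "/"))
                and (scheme == "https" or not c.secure)]


class Server:
    """Session tracking in the spirit of configureSessionCookie(): a fresh
    JSESSIONID is scoped to the context path and marked Secure only when the
    request itself arrived over https (force_secure models overriding that)."""

    CONTEXT_PATH = "/app"  # constructed sample context path

    def __init__(self, force_secure=False):
        self.force_secure = force_secure
        self._ids = itertools.count(1)
        self.sessions = {}

    def handle(self, scheme, request_cookies):
        sid = next((c.value for c in request_cookies if c.name == "JSESSIONID"), None)
        if sid in self.sessions:
            return sid, None  # existing session, no new cookie issued
        sid = "S%d" % next(self._ids)
        self.sessions[sid] = {}
        secure = self.force_secure or scheme == "https"
        return sid, Cookie("JSESSIONID", sid, self.CONTEXT_PATH, secure)


def run_scenario(applet_scheme, force_secure=False):
    """Login over https, one applet poll over applet_scheme, then another
    https page. Returns (login session id, final session id, set of session
    ids that were ever carried over plain http)."""
    jar, server = CookieJar(), Server(force_secure)
    plaintext_ids = set()

    def request(scheme, path):
        sent = jar.cookies_for(scheme, path)
        sid, set_cookie = server.handle(scheme, sent)
        if set_cookie is not None:
            jar.store(set_cookie)
        if scheme == "http":  # record every session id exposed in cleartext
            plaintext_ids.update(c.value for c in sent)
            if set_cookie is not None:
                plaintext_ids.add(set_cookie.value)
        return sid

    login_sid = request("https", "/app/login")
    server.sessions[login_sid]["user"] = "alice"  # constructed sample login state
    request(applet_scheme, "/app/applet/data")
    final_sid = request("https", "/app/page2")
    return login_sid, final_sid, plaintext_ids


def session_preserved(applet_scheme, force_secure=False):
    login_sid, final_sid, _ = run_scenario(applet_scheme, force_secure)
    return login_sid == final_sid


if __name__ == "__main__":
    for scheme, forced in (("http", False), ("http", True), ("https", False)):
        first, last, leaked = run_scenario(scheme, forced)
        print(f"applet over {scheme:5} force_secure={forced!s:5}: "
              f"login={first} final={last} ids_over_http={sorted(leaked)}")
```

With the applet polling over http, the https login cookie is never sent on the poll, Tomcat issues a second session whose non-Secure cookie replaces the first in the jar, and the next https page lands in the empty session: exactly the symptom Sergio reports. Forcing Secure on the http response does not change that outcome in this model, and additionally puts a session id on the wire in cleartext, which is the hazard Filip refers to. Only keeping the applet's requests on https (the third run) preserves the session.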
Re: Http to https and viceversa without session losing
Posted by Gregor Schneider <rc...@googlemail.com>.
It's not enough to simply change HttpURLConnection to
HttpsURLConnection; there are a few more actions required.
Have a look at this (it definitely works); maybe you'll get an idea of
what is going wrong on your side:
http://java.sun.com/developer/technicalArticles/Security/secureinternet2/
Cheers
Greg
--
what's puzzlin' you, is the nature of my game
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371
Re: Http to https and viceversa without session losing
Posted by Bello Martinez Sergio <se...@televes.es>.
If I get an HttpsURLConnection as you've said, and then get an
InputStream via connection.getInputStream(), I can't read anything from
that stream, and the method InputStream.available() returns 0. All this is
true if you use an 'https' URL, not an 'http' one.
You can try it one day when you have enough time.
Thanks a lot for your help.
Sergio
Gregor Schneider wrote:
> I don't see why you shouldn't be able to use the class java.net.URL
> with HTTPS, actually, it should work:
>
> URL url = new URL("https://www.yourweb.com");
> HttpsURLConnection connection = (HttpsURLConnection)
> url.openConnection();
>
> However, I have never tried it myself since personally I believe that
> applets are an outdated technology, but that's a different story.
>
> Anyways, have a look at this article, maybe it gives you a starting
> point:
>
> http://www.jguru.com/faq/view.jsp?EID=24672
>
> Please also have a look at the comments to the article.
>
> HTH
>
> Greg
>
Re: Http to https and viceversa without session losing
Posted by Gregor Schneider <rc...@googlemail.com>.
I don't see why you shouldn't be able to use the class java.net.URL
with HTTPS, actually, it should work:
URL url = new URL("https://www.yourweb.com");
HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
However, I have never tried it myself since personally I believe that
applets are an outdated technology, but that's a different story.
Anyways, have a look at this article, maybe it gives you a starting point:
http://www.jguru.com/faq/view.jsp?EID=24672
Please also have a look at the comments to the article.
HTH
Greg
--
what's puzzlin' you, is the nature of my game
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371
Re: Http to https and viceversa without session losing
Posted by Bello Martinez Sergio <se...@televes.es>.
Ok. I can't use https from the applet because I've realized that you can't
use methods like url.openConnection() or url.openStream() if the url is
'https'-like.
This applet has to get images from the server. You'll ask why I don't use
getImage() or Toolkit.getImage(); the answer is that we don't work with
images, but with _encrypted_ images (and it's a requirement not to
decrypt those images on the server), so we have to treat them as arrays
of bytes. So, as far as I know, I have to use url.openStream() or
url.openConnection().getInputStream() to get the blob of bytes with
the encrypted images from the applet (with http, not https) and then decrypt
and show them. But after that, I can't go back to another application
page using https, because I'll have lost the session data (user
authentication data, for example).
I hope my problem is better explained now; have you any idea or something
to correct?
Thanks,
Sergio
Gregor Schneider wrote:
> AFAIK there is no way to do that since this would break the
> security concepts of https.
>
> You might be able to store the data needed in a DBMS or a flat file;
> however, that's a very poor design concept, IMHO.
>
> Maybe you'd like to let us know why that requirement exists?
>
> cheers
>
> greg
>
Re: Http to https and viceversa without session losing
Posted by Gregor Schneider <rc...@googlemail.com>.
AFAIK there is no way to do that since this would break the
security concepts of https.
You might be able to store the data needed in a DBMS or a flat file;
however, that's a very poor design concept, IMHO.
Maybe you'd like to let us know why that requirement exists?
cheers
greg
--
what's puzzlin' you, is the nature of my game
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371