Posted to users@tomcat.apache.org by "HAVENS,PETER (HP-Cupertino,ex3)" <pe...@hp.com> on 2002/09/25 02:16:01 UTC

SSL security constraint for just the login page.

I am using form based authentication on my Tomcat 4.0.4 server and I am
trying to figure out how to set up a security constraint that would apply
only to the login page.  My global web.xml has a security constraint that
points to a login.jsp page as the form-login-page.  As I understand it, the
global web.xml can only have one security-constraint.  What I want to do is
configure this login.jsp page to be served up via HTTPS only.  This way
users will not be submitting password as plain text.
 
I know about using the <user-data-constraint> <transport-guarantee>, but I
do not want to require SSL for all pages, just the login page.
 
Is this possible?
 
I have included the security constraint of my web.xml file
 
Thanks in advance,
-Peter
 
--------------attached web.xml file-------------------------
    <security-constraint>
        <display-name>Gryphon Authentication </display-name>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <!-- Define the context-relative URL(s) to be protected -->
            <url-pattern>*.jsp</url-pattern>
            <url-pattern>*.class</url-pattern>
            <url-pattern>*.html</url-pattern>
            <url-pattern>*.shtml</url-pattern>
            <url-pattern>*.htm</url-pattern>
            <url-pattern>*.shtm</url-pattern>
            <url-pattern>*.js</url-pattern>
            <url-pattern>*.cgi</url-pattern>
            <url-pattern>*.php</url-pattern>
            <!-- If you list http methods, only those methods are protected -->
            <http-method>DELETE</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
        </web-resource-collection>
        <auth-constraint>
            <!-- Anyone with one of the listed roles may access this area -->
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>
 
    <!-- Default login configuration uses form-based authentication -->
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Gryphon Form-Based Authentication</realm-name>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
    </login-config>

Re: SSL security constraint for just the login page.

Posted by Martin Jacobson <ma...@libero.it>.
HAVENS,PETER (HP-Cupertino,ex3) wrote:

> I am using form based authentication on my Tomcat 4.0.4 server and I am
> trying to figure out how to set up a security constraint that would apply
> only to the login page.  My global web.xml has a security constraint that
> points to a login.jsp page as the form-login-page.  As I understand it, the
> global web.xml can only have one security-constraint.  What I want to do is
> configure this login.jsp page to be served up via HTTPS only.  This way
> users will not be submitting password as plain text.
>  
> I know about using the <user-data-constraint> <transport-guarantee>, but I
> do not want to require SSL for all pages, just the login page.
>  
> Is this possible?
>  


I don't know whether this is possible - I tried for a while, thinking 
like you that it was sufficient to protect the login page, until I Saw 
The Light.
If you only protected the login page, then although the user's password 
would not be sent in clear, the session id on subsequent pages would be. 
Since a hacker only needs the session id to masquerade as your logged-in 
user, you MUST encrypt the entire session after login. This is what the 
servlet spec mandates, and what Tomcat does.

Martin
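The configuration the thread converges on, written out as an added example (it is not part of either post and not a file shipped with Tomcat): Peter's constraint from the first message with a user-data-constraint added, so that every protected request, and with it the login form Tomcat serves in response to that request and the whole authenticated session that follows, is forced onto HTTPS. The display names, URL patterns and login pages are the ones from Peter's web.xml; everything else is assumed for the example. A web.xml may carry several security-constraint elements, so other areas can be given their own rules, but the answer's point is that the protected area itself, not only /login.jsp, must be CONFIDENTIAL.

```xml
<!-- Added example, not from the original thread or from Tomcat itself.
     A protected request arriving over plain HTTP is redirected to the
     HTTPS connector before authentication is attempted, so the login form,
     the POST to j_security_check and every later page that carries the
     session id all travel over TLS. -->
<security-constraint>
    <display-name>Gryphon Authentication</display-name>
    <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>*.jsp</url-pattern>
        <url-pattern>*.html</url-pattern>
        <url-pattern>*.htm</url-pattern>
        <!-- No http-method list: every method is then covered. Listing only
             DELETE/GET/POST/PUT, as the original file does, leaves the
             unlisted methods (HEAD, OPTIONS, TRACE) outside the constraint. -->
    </web-resource-collection>
    <auth-constraint>
        <!-- Any authenticated user -->
        <role-name>*</role-name>
    </auth-constraint>
    <!-- The piece the question was missing: the transport guarantee applies
         to the whole protected area, not just the login page. -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Gryphon Form-Based Authentication</realm-name>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
</login-config>
```

For the redirect to work, the plain HTTP Connector in server.xml needs a redirectPort that points at a configured HTTPS Connector; the server.xml shipped with Tomcat 4 uses 8443 for this and contains a commented-out SSL connector on that port. Without an HTTPS connector, requests to the protected area simply fail after the redirect, which is the safe direction to fail in.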


