Posted to users@tomcat.apache.org by Marcello Maggioni <ma...@gmail.com> on 2007/12/06 12:37:17 UTC

JSP/Servlets and SSL access

Hi.

I'm implementing an access control system on a web application with Tomcat.

As of now the login.jsp passes the username and the password to the Servlet
that manages the login in clear text. I would like to add security in the
login process using SSL to encrypt the data.

How can I make the user enter the login.jsp using SSL? Tomcat is already
configured for SSL support (using https://URL/login.jsp works).

I want to use SSL only for the login process (so I would like to connect to
login.jsp via SSL, switching from http to https automatically, and then revert
to http when done).

I have two problems in doing this:

1) I don't know how to automatically switch to SSL when login.jsp is
requested. I've tried setting a security-constraint in the web.xml and it
somehow works (when login.jsp is selected it automatically switches to SSL),
but then it doesn't turn back to clear HTTP and remains in SSL for the other
pages too.

2) I heard that switching from an SSL to a non-SSL connection invalidates the
current session. This is a problem, because my login implementation uses the
session to store login details. Do you know of solutions to this?

Thanks for your help. I've spent many hours trying to understand what to
do, but when it comes to SSL the information is quite confused.

Marcello Maggioni