Posted to users@tomcat.apache.org by Snaglefrac <mo...@stjohns.ca> on 2008/11/20 16:26:36 UTC

j_security_check and https

Hi All,

I want to use j_security_check with HTTPS on port 8443. I only want to
secure the login pages and not the whole application.

So these pages need to be secured when accessed:
/secure/login.jsp
/secure/loginerr.jsp

Everything else is secured by form-based authentication and uses an LDAP
realm.

So... I have set up in my web.xml:
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Security</web-resource-name>
      <description></description>
      <url-pattern>/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description></description>
      <role-name>person</role-name>
    </auth-constraint>
  </security-constraint>

  <security-role>
    <description>All users who can login should be able to use this application</description>
    <role-name>person</role-name>
  </security-role>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/secure/login.jsp</form-login-page>
      <form-error-page>/secure/loginerr.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Security</web-resource-name>
      <description></description>
      <url-pattern>/secure/*</url-pattern>
      <url-pattern>/j_security_check</url-pattern>
      <url-pattern>/secure/j_security_check</url-pattern>
      <url-pattern>/j_security_check</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

The problem is that when I hit the application where I have form authentication
connected to LDAP, it uses the /secure/login.jsp page, because j_security_check
redirects to this page.

But it is not forced to HTTPS, because the URL pattern doesn't match. So how
can I force the login.jsp page to be HTTPS? I don't want my LDAP user
password floating around out there.
-- 
View this message in context: http://www.nabble.com/j_secuity-check-and-https-tp20603453p20603453.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: j_security_check and https

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Snaglefrac,

Snaglefrac wrote:
> Now, when someone logs in they are using an unsecured login screen and their
> passwords are sent unencrypted. The solution! HTTPS, no sweat, I have this
> working too. The only problem I have is having the HTTPS and LDAP security in
> one application. Additionally I do not want to have every page locked by
> HTTPS, only the login screen that gets called by the security constraint.

Okay, so you want to use regular HTTP for everything except the login
page. You just have to make sure that the user has a session before they
try to log in.

> So when a user hits /gigatronic/index.jsp they are asked to log in because
> of the LDAP realm config. The pages used for the login I need in HTTPS.
> After a secure login it returns back to regular HTTP for the
> /gigatronic/index.jsp application.

Actually, you just need to submit to j_security_check using HTTPS.
Everything else can be regular HTTP.

> So how can I use HTTPS for only the j_security login portion I specified in
> web.xml and enforce the LDAP realm for the rest of my app without having the
> whole app HTTPS?
> 
> I tried specifying the HTTPS for my login but the app would not start.
> ex:
> 	<form-login-config>
> 	   <form-login-page>https://www.blah.com/secure/login.jsp</form-login-page>
> 	   <form-error-page>https://www.blah.com/secure/loginerr.jsp</form-error-page>
> 	</form-login-config>
> This did not work.

Right. Tomcat doesn't do a redirect (or does for some versions and not
others... I can't keep it straight). What you need to do is this, in
your login.jsp page:

<%-- encodeURL() takes a String, so the StringBuffer from getRequestURL()
     must be converted before it is passed in; POST keeps the credentials
     out of the URL --%>
<form method="POST" action="<%= response.encodeURL(request.getRequestURL().replace(0, 4, "https").toString()) %>">

This will submit your request to Tomcat using HTTPS. I'm not sure, but I
believe the original request will be to an HTTP URL if the original
request was to a non-secure URL. If not, you can always redirect
subsequent requests using a filter or something like that to go back to
HTTP.

-chris

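The form-action approach Chris describes, carried through as an added example (this is not code from the thread or from Tomcat): a login.jsp whose form posts to an absolute https:// URL for j_security_check. It assumes the HTTPS connector listens on port 8443, as the question states (adjust httpsPort otherwise), and that the session id reaches the HTTPS port via cookie or URL rewriting; j_username and j_password are the standard FORM-authentication parameter names.

```jsp
<%-- Added example, not from the thread. Assumes HTTPS on port 8443 as in
     the question. Tomcat *forwards* to this page, so the browser's address
     (and any relative action) is still the original http:// URL; building
     the absolute URL here is what moves the credential POST onto HTTPS. --%>
<%@ page contentType="text/html; charset=UTF-8" %>
<%
    int httpsPort = 8443; // assumption: the HTTPS connector from the question
    String host = request.getServerName();
    String action = "https://" + host
            + (httpsPort == 443 ? "" : ":" + httpsPort)
            + request.getContextPath() + "/j_security_check";
%>
<html>
<body>
<%-- encodeURL() appends ;jsessionid=... when cookies are disabled, so the
     HTTPS request still joins the session that holds the saved request --%>
<form method="POST" action="<%= response.encodeURL(action) %>">
    <label>User: <input type="text" name="j_username"></label>
    <label>Password: <input type="password" name="j_password"></label>
    <input type="submit" value="Log in">
</form>
</body>
</html>
```

Replacing only the scheme, as the snippet above does, leaves the HTTP port in the URL; deriving the URL from the server name and the known HTTPS port avoids that. After the POST succeeds, Tomcat sends the browser back to the originally requested http:// page, so only the credentials travel encrypted: the session cookie is still sent in the clear on every later request, which is the residual risk a practitioner accepts with this design.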


Re: j_security_check and https

Posted by Snaglefrac <sn...@gmail.com>.
I have a Tomcat application. I want to use LDAP authentication. I have this
working, no problem.

When a user hits the site they are asked to log in and they use the
j_security_check method to do so. No problem.

Now, when someone logs in they are using an unsecured login screen and their
passwords are sent unencrypted. The solution! HTTPS, no sweat, I have this
working too. The only problem I have is having the HTTPS and LDAP security in
one application. Additionally I do not want to have every page locked by
HTTPS, only the login screen that gets called by the security constraint.

Example directory structure:

HTTPS-secured pages and directories:
/security/login.jsp
/security/loginerr.jsp

LDAP-realm-secured directories:
/gigatronic/*
/gigatronic/index.jsp

So when a user hits /gigatronic/index.jsp they are asked to log in because
of the LDAP realm config. The pages used for the login I need in HTTPS.
After a secure login it returns back to regular HTTP for the
/gigatronic/index.jsp application.

So how can I use HTTPS for only the j_security login portion I specified in
web.xml and enforce the LDAP realm for the rest of my app without having the
whole app HTTPS?

I tried specifying HTTPS for my login but the app would not start.
Example:
  <form-login-config>
    <form-login-page>https://www.blah.com/secure/login.jsp</form-login-page>
    <form-error-page>https://www.blah.com/secure/loginerr.jsp</form-error-page>
  </form-login-config>
This did not work.

Cheers


-- 
View this message in context: http://www.nabble.com/j_secuity-check-and-https-tp20603453p20686814.html
Sent from the Tomcat - User mailing list archive at Nabble.com.




Re: j_security_check and https

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Snaglefrac,

Snaglefrac wrote:
> I want to use j_security_check with HTTPS on port 8443. I only want to
> secure the login pages and not the whole application.

Then you need to configure your <security-constraint>s appropriately.

> So these pages need to be secured when accessed:
> /secure/login.jsp
> /secure/loginerr.jsp
>
> Everything else is secured by form-based authentication and uses an LDAP
> realm.

If "everything else" will be secured by form-based auth, then what
should secure the above two URLs?

Any resource that is protected will be protected using the same
authentication type: you can't use BASIC for one set of URLs and FORM
for another set of URLs in the same webapp.

> 			<url-pattern>/j_security_check</url-pattern>
> 			<url-pattern>/secure/j_security_check</url-pattern>
> 			<url-pattern>/j_security_check</url-pattern>

Note that you can't secure j_security_check: this URL is special and
will be handled by the container whether you list it in your
<security-constraint>s or not.

> The problem is that when I hit the application where I have form authentication
> connected to LDAP, it uses the /secure/login.jsp page, because j_security_check
> redirects to this page.

You can't change how this works.

> But it is not forced to HTTPS, because the URL pattern doesn't match. So how
> can I force the login.jsp page to be HTTPS? I don't want my LDAP user
> password floating around out there.

Have you tried setting your <form-login-page> to use an HTTPS URL?

-chris