Posted to users@tomcat.apache.org by Lyallex <ly...@gmail.com> on 2007/06/29 18:51:08 UTC

Old Chestnut (http - https) causing some confusion

Hi

Java 1.5.0_10
Tomcat 5.5.17

I've just spent the past couple of hours reading past postings to this list
at marc.info

The subject I'm interested in is the efficient use of ssl/https.
I have managed to get the 'redirection' to https working with the following
entry in web.xml (amongst other config type things)

  <security-constraint>
   ...
    <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

The problem, as I'm sure you've guessed by now is that once an account is
logged in
I want the client to be able to browse the site via http, not https.

I know this issue has been around since at least 2004 (this is as far back
as I went)

The Tomcat Docs at http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html state

<quote>

"... Also, while the SSL protocol was designed to be as efficient as securely
possible, encryption/decryption is a computationally expensive process from a
performance standpoint. It is not strictly necessary to run an entire web
application over SSL, and indeed a developer can pick and choose which pages
require a secure connection and which do not..."

</quote>

Marvelous... thing is I've seen various solutions suggested, from fronting
Tomcat with Apache httpd and using something called modRedirect to writing
some sort of filter. Have the experts come to some sort of conclusion as to
the best way to 'pick and choose which pages require a secure connection...'
given the various security issues that seem to be of concern etc.

Many thanks for reading this, I'm sure you're all bored to tears by this
subject now.

Rgds
Duncan

Re: Old Chestnut (http - https) causing some confusion

Posted by Lyallex <ly...@gmail.com>.
Hi

Just a short note to say thanks to those that replied to my post

I've spent the past three days trying to figure out the best approach given
all the options available and I have something working. It doesn't work
quite how I'd like, the main problem being that when I get a
RequestDispatcher in a Servlet and forward to a resource that has a mapping
to a Filter, the Filter doesn't fire. I think I understand why (forwarding
passes the request and response to another resource, it's not like making a
request) but it doesn't really help me. Still, like someone said, it's all a
matter of tradeoffs.

Regards
Duncan




Re: Old Chestnut (http - https) causing some confusion

Posted by Tim Funk <fu...@joedog.org>.
It doesn't hurt

-Tim

Christopher Schultz wrote:
> 
> Tim,
> 
> Tim Funk wrote:
>> <security-constraint> only works to say I want pages to be encrypted.
>> Not the latter.
> 
> Oh, of course. I hadn't really thought of that ;)
> 
>> The typical complaint is a developer wishes to encrypt the login process
>> and nothing else. <security-constraint> only guarantees that your pages
>> are secure - but does nothing to get you away from ssl.
> 
> Would you say it's worth it to use a <security-constraint> +
> CONFIDENTIAL for those pages that are important to be secure (as a
> sanity check)?
> 

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Old Chestnut (http - https) causing some confusion

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Tim,

Tim Funk wrote:
> <security-constraint> only works to say I want pages to be encrypted.
> Not the latter.

Oh, of course. I hadn't really thought of that ;)

> The typical complaint is a developer wishes to encrypt the login process
> and nothing else. <security-constraint> only guarantees that your pages
> are secure - but does nothing to get you away from ssl.

Would you say it's worth it to use a <security-constraint> +
CONFIDENTIAL for those pages that are important to be secure (as a
sanity check)?

- -chris



Re: Old Chestnut (http - https) causing some confusion

Posted by Tim Funk <fu...@joedog.org>.
<security-constraint> only works to say I want pages to be encrypted. 
Not the latter.

The typical complaint is a developer wishes to encrypt the login process 
and nothing else. <security-constraint> only guarantees that your pages 
are secure - but does nothing to get you away from ssl.

Of course - the second your session cookie gets transmitted in the clear 
- your session can be hijacked - but its all a matter of tradeoffs. In 
most cases protecting the password is enough. The people who are nuts 
for security cringe at the above.

There have been a few arguments about this in the archives. Before 
anyone else jumps in with the opinion - please first rehash the good 
times in the archives. ;)

-Tim

Christopher Schultz wrote:
> 
> Tim,
> 
> Tim Funk wrote:
>> What you'll really want is to ditch the transport guarantee clause in
>> web.xml and create a filter which will be smart enough to force/unforce
>> you from SSL.
> 
> Why do this when the <security-constraint> already allows you to protect
> only certain URL patterns? It seems to me that maintaining less code in
> your application is a good thing.
>  




Re: Old Chestnut (http - https) causing some confusion

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Tim,

Tim Funk wrote:
> What you'll really want is to ditch the transport guarantee clause in
> web.xml and create a filter which will be smart enough to force/unforce
> you from SSL.

Why do this when the <security-constraint> already allows you to protect
only certain URL patterns? It seems to me that maintaining less code in
your application is a good thing.

- -chris



Re: Old Chestnut (http - https) causing some confusion

Posted by Tim Funk <fu...@joedog.org>.
What you'll really want is to ditch the transport guarantee clause in 
web.xml and create a filter which will be smart enough to force/unforce 
you from SSL.

For example:
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
        throws IOException, ServletException {
   HttpServletRequest request = (HttpServletRequest) req;
   HttpServletResponse response = (HttpServletResponse) res;
   boolean isSSLRequired = magicYesNo(request);   // your own rule: path, session state, ...
   if (isSSLRequired && !request.isSecure()) {
      doSomeRedirectToSSL(request, response);     // response.sendRedirect(...) to the https: URL
      return;
   } else if (!isSSLRequired && request.isSecure()) {
      doSomeRedirectToNotSSL(request, response);  // response.sendRedirect(...) to the http: URL
      return;
   }
   chain.doFilter(req, res);   // FilterChain.doFilter is the real Servlet API call
}

-Tim


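Tim's two points in this thread, the force/unforce filter sketch and the caveat that a session cookie sent in the clear can be hijacked, worked into one complete filter. This is an added example, not code from the thread, from Tomcat or from any of the posters. It does the redirects from Tim's sketch for a configurable set of path prefixes, and on the HTTPS-only paths it additionally requires a second cookie, issued over TLS with the Secure flag, so that a JSESSIONID sniffed from the plaintext pages is not enough to reach those paths. The class name, the cookie and session-attribute names, the init-param name, the default path prefixes and the port numbers are all assumptions.

```java
// Added example, not code from the thread or from Tomcat. Names, prefixes
// and ports below are assumptions; adjust them for the application.
import java.io.IOException;
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.*;

public class SelectiveSslFilter implements Filter {
    static final String MARKER_COOKIE = "SSLMARK";          // assumed cookie name
    static final String MARKER_ATTR = "example.sslMarker";  // assumed session attribute
    private List<String> securePrefixes = Arrays.asList("/login", "/account/");
    private int httpPort = 8080, httpsPort = 8443;           // Tomcat's stock connector ports
    private final SecureRandom random = new SecureRandom();

    public void init(FilterConfig cfg) {
        String p = cfg.getInitParameter("securePrefixes");   // e.g. "/login,/account/"
        if (p != null) securePrefixes = Arrays.asList(p.split(","));
    }
    public void destroy() {}

    boolean isSslRequired(String path) {   // Tim's "magicYesNo": decide by path prefix
        for (String prefix : securePrefixes) if (path.startsWith(prefix.trim())) return true;
        return false;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getRequestURI().substring(request.getContextPath().length());
        boolean sslRequired = isSslRequired(path);
        if (sslRequired && !request.isSecure()) {
            // A POST that arrived in the clear has already leaked its body (the password);
            // redirecting it would only drop the body. Refuse instead of redirecting.
            if (!("GET".equals(request.getMethod()) || "HEAD".equals(request.getMethod()))) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "use https for this URL");
                return;
            }
            response.sendRedirect(rewriteScheme(request, "https", httpsPort));
            return;
        }
        if (!sslRequired && request.isSecure()) {
            // Tim's "unforce" branch: from here on JSESSIONID travels in the clear and
            // anyone on the path can replay it against the plaintext pages.
            response.sendRedirect(rewriteScheme(request, "http", httpPort));
            return;
        }
        if (sslRequired) {
            // On TLS: tie the session to a marker cookie the browser sends over TLS only.
            HttpSession session = request.getSession(true);
            String expected = (String) session.getAttribute(MARKER_ATTR);
            String presented = cookieValue(request, MARKER_COOKIE);
            if (expected == null) {
                // First TLS request for this session: issue the marker now. A session id
                // sniffed from the plaintext pages after this point comes without it.
                expected = new BigInteger(130, random).toString(32);
                session.setAttribute(MARKER_ATTR, expected);
                Cookie marker = new Cookie(MARKER_COOKIE, expected);
                marker.setSecure(true);   // never sent over plain http
                marker.setPath(request.getContextPath().length() == 0 ? "/" : request.getContextPath());
                response.addCookie(marker);
            } else if (!expected.equals(presented)) {
                // Valid JSESSIONID but no Secure marker: the id is being replayed by
                // someone who only saw the plaintext traffic. Treat it as compromised.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "secure session marker missing");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    /** Same host and URI with a different scheme and port; the query string is kept. */
    static String rewriteScheme(HttpServletRequest r, String scheme, int port) {
        StringBuffer url = new StringBuffer(scheme).append("://").append(r.getServerName());
        boolean defaultPort = "https".equals(scheme) ? port == 443 : port == 80;
        if (!defaultPort) url.append(':').append(port);
        url.append(r.getRequestURI());
        if (r.getQueryString() != null) url.append('?').append(r.getQueryString());
        return url.toString();
    }

    static String cookieValue(HttpServletRequest r, String name) {
        Cookie[] cookies = r.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) if (name.equals(c.getName())) return c.getValue();
        return null;
    }
}
```

Map it in web.xml with a `<filter-mapping>` on `/*`. In a Servlet 2.4 web.xml (the version Tomcat 5.5 implements) add both `<dispatcher>REQUEST</dispatcher>` and `<dispatcher>FORWARD</dispatcher>` to that mapping; without the FORWARD entry a filter only runs for client requests, which is the RequestDispatcher behaviour Duncan describes in his follow-up. Two Tomcat specifics matter for this to work. First, `request.isSecure()` is only true when TLS terminates on Tomcat's own SSL connector; when httpd fronts Tomcat, the connector that receives the proxied HTTPS traffic needs `scheme="https"` and `secure="true"`, otherwise the filter loops on the redirect. Second, Tomcat flags the JSESSIONID cookie Secure when the session is created during an HTTPS request, so for the login-over-https-then-browse-over-http flow the session has to exist before the first HTTPS request (created on a plain http page); otherwise the browser withholds the session cookie on http and the user appears logged out. What remains is exactly the tradeoff Tim describes: everything served over http, the session id included, is readable on the wire and replayable against the http pages; the marker only fences off the HTTPS paths. For the enforce-only half, a `<security-constraint>` with `<url-pattern>`s and CONFIDENTIAL does the same https redirect declaratively (to the connector's redirectPort), as Chris points out; what it cannot do is the https-to-http redirect or the marker check.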