Posted to users@myfaces.apache.org by Steven Gollery <sg...@cadrc.calpoly.edu> on 2006/11/03 20:35:50 UTC

leaving https

I'm using the sandbox s:form component to send login information over https.
This works fine. Now the problem is: I don't want to run the whole site in
https after users login, so I'd like to switch back somehow for the next
page. Any way to do that?


-- 
View this message in context: http://www.nabble.com/leaving-https-tf2570694.html#a7166089
Sent from the MyFaces - Users mailing list archive at Nabble.com.


Re: leaving https

Posted by Simon Kitching <si...@rhe.co.nz>.
Steven Gollery wrote:
> One question left: where to put the code that does the redirect? At first I
> put it in the method that processes clicks on the "logout" button, but of
> course that threw an IllegalStateException.

I don't initially see why that would throw an exception.

The action method associated with the button (h:commandButton) or link 
or whatever will run during the Application phase (for non-immediate 
components) or the ApplyRequestValues phase (for immediate components). 
In either case, the response has not yet been started so sending an http 
redirect here seems both valid and appropriate to me.

What error do you get?

Regards,

Simon

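As an added illustration of the point Simon makes above (the action method runs before the response has started, so a redirect is valid there), here is a logout action in the shape this thread is working towards. It is example code written for this page, not code from the thread or from MyFaces; the bean name, method name and the `publicPage` property are assumed, and the target URL is built from the current request rather than hard-coded.

```java
import java.io.IOException;

import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Managed bean behind the "logout" button (hypothetical name).
 * The public landing path is a managed-bean property (set in
 * faces-config.xml, assumed), so the navigation target is configurable.
 */
public class LogoutBean {

    private String publicPage = "/public/index.jsf"; // assumed default

    public void setPublicPage(String publicPage) {
        this.publicPage = publicPage;
    }

    /** Action method: runs in Invoke Application, before any output is written. */
    public String logout() throws IOException {
        FacesContext fc = FacesContext.getCurrentInstance();
        ExternalContext ec = fc.getExternalContext();
        HttpServletRequest req = (HttpServletRequest) ec.getRequest();

        // End the HTTPS session first so its ID does not outlive the secure area.
        // The secure-flagged cookie would not be sent to the http pages anyway,
        // so nothing is lost by invalidating here.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Absolute http:// URL on the same host. The port is left out on purpose:
        // add it if the container's HTTP connector is not on port 80.
        String target = "http://" + req.getServerName()
                      + req.getContextPath() + publicPage;

        // redirect() writes the Location header and calls fc.responseComplete(),
        // so the null outcome below is never passed to the navigation handler.
        ec.redirect(target);
        return null;
    }
}
```
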
Re: leaving https

Posted by Steven Gollery <sg...@cadrc.calpoly.edu>.
One question left: where to put the code that does the redirect? At first I
put it in the method that processes clicks on the "logout" button, but of
course that threw an IllegalStateException.

So I thought I'd put it in the beforePhase method of a PhaseListener
listening for PhaseId.RENDER_RESPONSE events. That resulted in an exception
I don't understand: 

java.lang.NullPointerException
	at
javax.faces.webapp.UIComponentTag.setupResponseWriter(UIComponentTag.java:929)


And Tomcat prints out:

SEVERE: Faces context not found. getResponseWriter will fail. Check if the
Faces Servlet has been initialized at all in your web.xml. 

So it looks as if redirecting at that point completely loses the
FacesContext.

So where (and when) would ExternalContext.redirect actually work?

And doesn't this seem like a lot of trouble to go through to do something
that would be trivial using any other web application development framework?
Or even no framework at all?

Steven Gollery




Simon Kitching-3 wrote:
> 
> Well, you can use a managed bean property to define the url to redirect 
> to. Agreed it's not as nice as having it with the rest of the navigation 
> rules, but at least it's not hard-coded.
> 
> Steven Gollery wrote:
>> Yes, that should work. Of course it also hardwires the page navigation
>> into
>> the source code, but I guess I'll have to live with that.
>>
>> Thanks,
>>
>> Steven Gollery
>>
>>
>> Simon Kitching-3 wrote:
>>   
>>> Hi Steven,
>>>
>>> I believe you can bypass navigation rules by doing this in an action
>>> method:
>>>   facesContext.getExternalContext().redirect(url);
>>>     
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/leaving-https-tf2570694.html#a7250379
Sent from the MyFaces - Users mailing list archive at Nabble.com.


Re: leaving https

Posted by Simon Kitching <si...@rhe.co.nz>.
Well, you can use a managed bean property to define the url to redirect 
to. Agreed it's not as nice as having it with the rest of the navigation 
rules, but at least it's not hard-coded.

Steven Gollery wrote:
> Yes, that should work. Of course it also hardwires the page navigation into
> the source code, but I guess I'll have to live with that.
>
> Thanks,
>
> Steven Gollery
>
>
> Simon Kitching-3 wrote:
>   
>> Hi Steven,
>>
>> I believe you can bypass navigation rules by doing this in an action
>> method:
>>   facesContext.getExternalContext().redirect(url);
>>     


Re: leaving https

Posted by Steven Gollery <sg...@cadrc.calpoly.edu>.
Yes, that should work. Of course it also hardwires the page navigation into
the source code, but I guess I'll have to live with that.

Thanks,

Steven Gollery


Simon Kitching-3 wrote:
> 
> Hi Steven,
> 
> I believe you can bypass navigation rules by doing this in an action
> method:
>   facesContext.getExternalContext().redirect(url);
> 
> As the documentation for this method states, this calls
>   facesContext.responseComplete();
> which will prevent later stuff like navigation rules from processing.
> 
> Regards,
> 
> Simon
> 
> Steven Gollery wrote:
>> "...send a redirect to the current page, replacing https with http...."
>>
>> Exactly what I don't see how to do. Is there some way to set the protocol
>> in
>> a navigation-rule? Or is there another way to do a redirect in JSF?
>>
>> Steven Gollery
>>
>>
>>
>> Andrew Robinson-5 wrote:
>>   
>>> If you don't care about remembering the user, then just use the
>>> sandbox form control. It allows you to set the protocol for a form
>>> post. Otherwise, if you are already on the server, send a redirect to
>>> the current page, replacing https with http.
>>>
>>> On 11/8/06, Steven Gollery <sg...@cadrc.calpoly.edu> wrote:
>>>     
> 
-- 
View this message in context: http://www.nabble.com/leaving-https-tf2570694.html#a7246920
Sent from the MyFaces - Users mailing list archive at Nabble.com.


Re: leaving https

Posted by Simon Kitching <si...@rhe.co.nz>.
Hi Steven,

I believe you can bypass navigation rules by doing this in an action method:
  facesContext.getExternalContext().redirect(url);

As the documentation for this method states, this calls
  facesContext.responseComplete();
which will prevent later stuff like navigation rules from processing.

Regards,

Simon

Steven Gollery wrote:
> "...send a redirect to the current page, replacing https with http...."
>
> Exactly what I don't see how to do. Is there some way to set the protocol in
> a navigation-rule? Or is there another way to do a redirect in JSF?
>
> Steven Gollery
>
>
>
> Andrew Robinson-5 wrote:
>   
>> If you don't care about remembering the user, then just use the
>> sandbox form control. It allows you to set the protocol for a form
>> post. Otherwise, if you are already on the server, send a redirect to
>> the current page, replacing https with http.
>>
>> On 11/8/06, Steven Gollery <sg...@cadrc.calpoly.edu> wrote:
>>     
>>> Okay -- let me expand the use case a bit.
>>>
>>> The site has two parts, one public and one private. A user logs in, does
>>> whatever he needs to do in the secure area, and then logs out. At that
>>> point, I would like to go back to using http instead of https.
>>>
>>> But I can't find the way to do this. Changing the cookie from secure=true
>>> to
>>> secure=false doesn't switch from https to http. Neither does setting the
>>> cookie's maxAge to 0.
>>>
>>> As far as I can see, once a JSF site is using https, there's no way to
>>> switch back to http, even though this is a common requirement for
>>> real-world
>>> sites (example: every online shopping site I've ever seen).
>>>
>>> What am I missing?
>>>
>>> Steven Gollery
>>>
>>>
>>>
>>> Andrew Robinson-5 wrote:
>>>       
>>>> No there isn't a safe way to do this, especially if you are using
>>>> 401/HTTP authentication. The cookie that stores the servlet session ID
>>>> is marked as secure and therefore cannot be viewed outside of HTTPS.
>>>> Once you leave HTTPS and enter HTTP, a new servlet session will be
>>>> started and you will not have access to any of your HTTPS information.
>>>>
>>>> If you forced the HTTPS cookie into not-secure mode, you now open your
>>>> application to impersonation attacks. Anyone could easily snag that
>>>> cookie definition from the HTTP request headers and impersonate that
>>>> user, bypassing login. The one way to have a secure application is to
>>>> stay in HTTPS.
>>>>
>>>> If you aren't worried about impersonation attacks and don't care much
>>>> about user's security, just set the cookie's secure flag to false.
>>>>
>>>>
>>>> On 11/3/06, Steven Gollery <sg...@cadrc.calpoly.edu> wrote:
>>>>         
>>>>> I'm using the sandbox s:form component to send login information over
>>>>> https. This works fine. Now the problem is: I don't want to run the whole
>>>>> site in https after users login, so I'd like to switch back somehow for
>>>>> the next page. Any way to do that?


Re: leaving https

Posted by Steven Gollery <sg...@cadrc.calpoly.edu>.

"...send a redirect to the current page, replacing https with http...."

Exactly what I don't see how to do. Is there some way to set the protocol in
a navigation-rule? Or is there another way to do a redirect in JSF?

Steven Gollery



Andrew Robinson-5 wrote:
> 
> If you don't care about remembering the user, then just use the
> sandbox form control. It allows you to set the protocol for a form
> post. Otherwise, if you are already on the server, send a redirect to
> the current page, replacing https with http.
> 
> On 11/8/06, Steven Gollery <sg...@cadrc.calpoly.edu> wrote:
>>
>> Okay -- let me expand the use case a bit.
>>
>> The site has two parts, one public and one private. A user logs in, does
>> whatever he needs to do in the secure area, and then logs out. At that
>> point, I would like to go back to using http instead of https.
>>
>> But I can't find the way to do this. Changing the cookie from secure=true
>> to
>> secure=false doesn't switch from https to http. Neither does setting the
>> cookie's maxAge to 0.
>>
>> As far as I can see, once a JSF site is using https, there's no way to
>> switch back to http, even though this is a common requirement for
>> real-world
>> sites (example: every online shopping site I've ever seen).
>>
>> What am I missing?
>>
>> Steven Gollery
>>
>>
>>
>> Andrew Robinson-5 wrote:
>> >
>> > No there isn't a safe way to do this, especially if you are using
>> > 401/HTTP authentication. The cookie that stores the servlet session ID
>> > is marked as secure and therefore cannot be viewed outside of HTTPS.
>> > Once you leave HTTPS and enter HTTP, a new servlet session will be
>> > started and you will not have access to any of your HTTPS information.
>> >
>> > If you forced the HTTPS cookie into not-secure mode, you now open your
>> > application to impersonation attacks. Anyone could easily snag that
>> > cookie definition from the HTTP request headers and impersonate that
>> > user, bypassing login. The one way to have a secure application is to
>> > stay in HTTPS.
>> >
>> > If you aren't worried about impersonation attacks and don't care much
>> > about user's security, just set the cookie's secure flag to false.
>> >
>> >
>> > On 11/3/06, Steven Gollery <sg...@cadrc.calpoly.edu> wrote:
>> >>
>> >> I'm using the sandbox s:form component to send login information over
>> >> https. This works fine. Now the problem is: I don't want to run the whole
>> >> site in https after users login, so I'd like to switch back somehow for
>> >> the next page. Any way to do that?

-- 
View this message in context: http://www.nabble.com/leaving-https-tf2570694.html#a7245500
Sent from the MyFaces - Users mailing list archive at Nabble.com.


Re: leaving https

Posted by Andrew Robinson <an...@gmail.com>.
If you don't care about remembering the user, then just use the
sandbox form control. It allows you to set the protocol for a form
post. Otherwise, if you are already on the server, send a redirect to
the current page, replacing https with http.

On 11/8/06, Steven Gollery <sg...@cadrc.calpoly.edu> wrote:
>
> Okay -- let me expand the use case a bit.
>
> The site has two parts, one public and one private. A user logs in, does
> whatever he needs to do in the secure area, and then logs out. At that
> point, I would like to go back to using http instead of https.
>
> But I can't find the way to do this. Changing the cookie from secure=true to
> secure=false doesn't switch from https to http. Neither does setting the
> cookie's maxAge to 0.
>
> As far as I can see, once a JSF site is using https, there's no way to
> switch back to http, even though this is a common requirement for real-world
> sites (example: every online shopping site I've ever seen).
>
> What am I missing?
>
> Steven Gollery
>
>
>
> Andrew Robinson-5 wrote:
> >
> > No there isn't a safe way to do this, especially if you are using
> > 401/HTTP authentication. The cookie that stores the servlet session ID
> > is marked as secure and therefore cannot be viewed outside of HTTPS.
> > Once you leave HTTPS and enter HTTP, a new servlet session will be
> > started and you will not have access to any of your HTTPS information.
> >
> > If you forced the HTTPS cookie into not-secure mode, you now open your
> > application to impersonation attacks. Anyone could easily snag that
> > cookie definition from the HTTP request headers and impersonate that
> > user, bypassing login. The one way to have a secure application is to
> > stay in HTTPS.
> >
> > If you aren't worried about impersonation attacks and don't care much
> > about user's security, just set the cookie's secure flag to false.
> >
> >
> > On 11/3/06, Steven Gollery <sg...@cadrc.calpoly.edu> wrote:
> >>
> >> I'm using the sandbox s:form component to send login information over
> >> https. This works fine. Now the problem is: I don't want to run the whole
> >> site in https after users login, so I'd like to switch back somehow for
> >> the next page. Any way to do that?

Re: leaving https

Posted by Steven Gollery <sg...@cadrc.calpoly.edu>.
Okay -- let me expand the use case a bit.

The site has two parts, one public and one private. A user logs in, does
whatever he needs to do in the secure area, and then logs out. At that
point, I would like to go back to using http instead of https. 

But I can't find the way to do this. Changing the cookie from secure=true to
secure=false doesn't switch from https to http. Neither does setting the
cookie's maxAge to 0.

As far as I can see, once a JSF site is using https, there's no way to
switch back to http, even though this is a common requirement for real-world
sites (example: every online shopping site I've ever seen).

What am I missing?

Steven Gollery



Andrew Robinson-5 wrote:
> 
> No there isn't a safe way to do this, especially if you are using
> 401/HTTP authentication. The cookie that stores the servlet session ID
> is marked as secure and therefore cannot be viewed outside of HTTPS.
> Once you leave HTTPS and enter HTTP, a new servlet session will be
> started and you will not have access to any of your HTTPS information.
> 
> If you forced the HTTPS cookie into not-secure mode, you now open your
> application to impersonation attacks. Anyone could easily snag that
> cookie definition from the HTTP request headers and impersonate that
> user, bypassing login. The one way to have a secure application is to
> stay in HTTPS.
> 
> If you aren't worried about impersonation attacks and don't care much
> about user's security, just set the cookie's secure flag to false.
> 
> 
> On 11/3/06, Steven Gollery <sg...@cadrc.calpoly.edu> wrote:
>>
>> I'm using the sandbox s:form component to send login information over
>> https. This works fine. Now the problem is: I don't want to run the whole
>> site in https after users login, so I'd like to switch back somehow for
>> the next page. Any way to do that?

-- 
View this message in context: http://www.nabble.com/leaving-https-tf2570694.html#a7241966
Sent from the MyFaces - Users mailing list archive at Nabble.com.


Re: leaving https

Posted by Andrew Robinson <an...@gmail.com>.
No there isn't a safe way to do this, especially if you are using
401/HTTP authentication. The cookie that stores the servlet session ID
is marked as secure and therefore cannot be viewed outside of HTTPS.
Once you leave HTTPS and enter HTTP, a new servlet session will be
started and you will not have access to any of your HTTPS information.

If you forced the HTTPS cookie into not-secure mode, you now open your
application to impersonation attacks. Anyone could easily snag that
cookie definition from the HTTP request headers and impersonate that
user, bypassing login. The one way to have a secure application is to
stay in HTTPS.

If you aren't worried about impersonation attacks and don't care much
about user's security, just set the cookie's secure flag to false.


On 11/3/06, Steven Gollery <sg...@cadrc.calpoly.edu> wrote:
>
> I'm using the sandbox s:form component to send login information over https.
> This works fine. Now the problem is: I don't want to run the whole site in
> https after users login, so I'd like to switch back somehow for the next
> page. Any way to do that?
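Andrew's advice above is that the private area should simply stay in HTTPS. As an added example (not code from this thread or from MyFaces), here is a servlet filter that enforces that: any plain-HTTP request to the private area is bounced to the https equivalent before JSF sees it. It assumes the private pages live under a URL pattern such as /secure/* and that the filter is mapped to that pattern in web.xml.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter; map it to the private area (e.g. /secure/*) in web.xml. */
public class RequireHttpsFilter implements Filter {

    public void init(FilterConfig config) {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // isSecure() reflects the connector the request arrived on. Behind a
        // TLS-terminating proxy the container must be told about the forwarded
        // scheme, otherwise every request looks insecure and this loops.
        if (!req.isSecure()) {
            // Rebuild the same URI on https (port omitted: add it if the HTTPS
            // connector is not on 443). The secure-flagged session cookie is
            // not sent over http, so no session state is carried across here.
            String query = req.getQueryString();
            String target = "https://" + req.getServerName() + req.getRequestURI()
                          + (query == null ? "" : "?" + query);
            resp.sendRedirect(target);
            return;
        }
        chain.doFilter(request, response);
    }
}
```

The redirect turns a POST into a GET, so a form submitted over http to the private area is not replayed; that is the intended behaviour, since the submitted data travelled in the clear.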