4 Replies Latest reply on Mar 31, 2013 9:17 PM by ybxiang.china

    How to switch from HTTPS to HTTP?

    ybxiang.china

      Dear guys,

       

                I have many pages in my WAR application.

                I hope ONLY special pages are transported with HTTPS, and other pages (for example index.xhtml) are transported with HTTP.

                However, every time someone leaves an HTTPS page, they stay in HTTPS mode for insecure pages, which is a big speed loss.

       

                Must I hardcode it?

       

                Please post an example web.xml solving this problem.

                Thank you VERY much!

       

       

       

      My web.xml:

       

      <?xml version="1.0" encoding="UTF-8"?>

      <web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">

          ...

          <!-- 1. Public Resources -->

          <security-constraint>

              <web-resource-collection>

                  <web-resource-name>Public resources - Logged in User</web-resource-name>

                  <description>Public resources - Logged in User</description>

                  <url-pattern>/faces/createtopic.xhtml</url-pattern>

                  <url-pattern>/faces/updatetopic.xhtml</url-pattern>

                  <url-pattern>/faces/updatepost.xhtml</url-pattern>

                  <url-pattern>/faces/upload.jsp</url-pattern>

                  <url-pattern>/logoutServlet</url-pattern>

                  <url-pattern>/uploadServlet</url-pattern>

              </web-resource-collection>

              <auth-constraint>

                  <role-name>*</role-name>

              </auth-constraint>

              <user-data-constraint>

                  <transport-guarantee>NONE</transport-guarantee>

              </user-data-constraint>

          </security-constraint>

          <security-constraint>

              <web-resource-collection>

                  <web-resource-name>Public resources - guest</web-resource-name>

                  <description>Public resources - guest</description>

                  <url-pattern>/faces/activate.xhtml</url-pattern>

                  <url-pattern>/faces/activate-success.xhtml</url-pattern>

                  <url-pattern>/faces/display.xhtml</url-pattern>

                  <url-pattern>/faces/index.xhtml</url-pattern>

                  <url-pattern>/faces/list.xhtml</url-pattern>

                  <url-pattern>/faces/register-success.xhtml</url-pattern>

                  <url-pattern>/faces/search.xhtml</url-pattern>

              </web-resource-collection>

              <user-data-constraint>

                  <transport-guarantee>NONE</transport-guarantee>

              </user-data-constraint>

          </security-constraint>

          <!-- 2. CONFIDENTIAL resources -->

          <security-constraint>

              <web-resource-collection>

                  <web-resource-name>CONFIDENTIAL resources - logged in user</web-resource-name>

                  <description>CONFIDENTIAL resources - logged in user</description>

                  <url-pattern>/faces/login-https.xhtml</url-pattern>

                  <url-pattern>/faces/login-form.xhtml</url-pattern>

                  <url-pattern>/faces/console.xhtml</url-pattern>

                  <url-pattern>/faces/system/*</url-pattern>

              </web-resource-collection>

              <auth-constraint>

                  <role-name>*</role-name>

              </auth-constraint>

              <user-data-constraint>

                  <transport-guarantee>CONFIDENTIAL</transport-guarantee>

              </user-data-constraint>

          </security-constraint>

          <security-constraint>

              <web-resource-collection>

                  <web-resource-name>CONFIDENTIAL resources - guest</web-resource-name>

                  <description>CONFIDENTIAL resources - guest</description>

                  <url-pattern>/faces/register.xhtml</url-pattern>

              </web-resource-collection>

              <user-data-constraint>

                  <transport-guarantee>CONFIDENTIAL</transport-guarantee>

              </user-data-constraint>

          </security-constraint>

       

       

          <security-role>

              <role-name>*</role-name>

          </security-role>

          <login-config>

              <auth-method>FORM</auth-method>

              <form-login-config>

                  <form-login-page>/faces/login-form.xhtml</form-login-page>

                  <form-error-page>/faces/login-fail.xhtml</form-error-page>

              </form-login-config>

          </login-config>

       

      </web-app>

        • 1. Re: How to switch from HTTPS to HTTP?
          jaikiran

          xiang yingbing wrote:

           

                    I hope ONLY special pages are transported with HTTPS, and other pages (for example index.xhtml) are transported with HTTP.

          What's the exact URL for that resource which you expect to be served via HTTP?

           

           

          xiang yingbing wrote:

           

                    

          they stay in HTTPS mode for insecure pages, which is a big speed loss.

          Are you sure? Based on what I have seen it's a myth that using HTTPS leads to a noticeable speed loss. Have you done any measurements to compare the speed differences?

          • 2. Re: How to switch from HTTPS to HTTP?
            ybxiang.china

            What's the exact URL for that resource which you expect to be served via HTTP?

            ~~~[xiang] only 3 pages:

            register.xhtml, login.xhtml and console.xhtml

             

            Are you sure? Based on what I have seen it's a myth that using HTTPS leads to a noticeable speed loss. Have you done any measurements to compare the speed differences?

            [xiang]: yes, I am sure. I had tested EJB+SSL and posted the result here long long ago:

                     https://community.jboss.org/thread/205802?start=0&tstart=0

             

             

             

            Now, I post the result here again.

             

             

             

             

            1. remote test environment

            server: 135.251.246.160

            ejb client: 135.251.27.26

            Data: 100B * 10000

             

             

            Server Info:

            ------------------------------------------------------------------------------------------------------------

            -bash-3.2$ uname -a        

            Linux ASBAMS04 2.6.18-194.el5 #1 SMP Tue Mar 16 21:52:39 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux

            -bash-3.2$

             

            ------------------------------------------------------

            cat /proc/cpuinfo

            processor       : 0

            vendor_id       : GenuineIntel

            cpu family      : 6

            model           : 47

            model name      :        Intel(R) Xeon(R) CPU E7- 4807  @ 1.87GHz

            stepping        : 2

            cpu MHz         : 1864.696

            cache size      : 18432 KB

            physical id     : 0

            siblings        : 12

            core id         : 0

            cpu cores       : 6

            apicid          : 0

            fpu             : yes

            fpu_exception   : yes

            cpuid level     : 11

            wp              : yes

            flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss

            ht tm syscall nx pdpe1gb rdtscp lm constant_tsc nonstop_tsc arat pni monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr sse4_1 sse4_

            2 popcnt lahf_lm

            bogomips        : 3729.39

            clflush size    : 64

            cache_alignment : 64

            address sizes   : 44 bits physical, 48 bits virtual

            power management: [8]

             

            processor       : 1

            vendor_id       : GenuineIntel

            cpu family      : 6

            model           : 47

            model name      :        Intel(R) Xeon(R) CPU E7- 4807  @ 1.87GHz

            stepping        : 2

            cpu MHz         : 1864.696

            cache size      : 18432 KB

            ...

             

            ------------------------------------------------------

            -bash-3.2$ top

             

            top - 10:38:36 up 51 days,  1:34, 37 users,  load average: 0.61, 0.90, 1.03

            Tasks: 963 total,   3 running, 958 sleeping,   1 stopped,   1 zombie

            Cpu(s):  1.2%us,  0.2%sy,  0.0%ni, 98.6%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st

            Mem:  132086452k total, 131123844k used,   962608k free, 22183984k buffers

            Swap: 134119416k total,      284k used, 134119132k free, 58817856k cached

             

             

            1.1. performance without SSL setting

             

            *********************

            Time interval1: 19828

            Time interval2: 21250

            *********************

            Time interval1: 21000

            Time interval2: 19609

            *********************

            Time interval1: 21719

            Time interval2: 20484

            *********************

            Time interval1: 21563

            Time interval2: 20515

            *********************

            Time interval1: 21031

            Time interval2: 19813

            *********************

            Time interval1: 21547

            Time interval2: 20937

            *********************

            Time interval1: 21234

            Time interval2: 26360

             

             

            1.2. performance with SSL setting

             

            *********************

            Time interval1: 33859

            Time interval2: 25594

            *********************

            Time interval1: 25344

            Time interval2: 24735

            *********************

            Time interval1: 21688

            Time interval2: 18422

            *********************

            Time interval1: 26422

            Time interval2: 24578

            *********************

            Time interval1: 23172

            Time interval2: 22812

            *********************

            Time interval1: 24125

            Time interval2: 22985

            *********************

            Time interval1: 23031

            Time interval2: 22047

            *********************

            Time interval1: 21813

            Time interval2: 22609

            *********************

            Time interval1: 22219

            Time interval2: 22515

            *********************

            Time interval1: 24641

            Time interval2: 23781

            *********************

            Time interval1: 22906

            Time interval2: 24750

             

             

             

            2. local test environment

            server: 192.168.1.100

            ejb client: 192.168.1.100

            Data: 100B * 10000

             

             

            2.1. performance without SSL setting

            Time interval1: 6250

            Time interval2: 6110

             

            Time interval1: 7266

            Time interval2: 6219

             

            Time interval1: 6641

            Time interval2: 5593

             

            Time interval1: 6109

            Time interval2: 5485

             

            Time interval1: 6844

            Time interval2: 5875

             

            Time interval1: 6765

            Time interval2: 6719

             

            Time interval1: 6844

            Time interval2: 6750

             

            Time interval1: 6390

            Time interval2: 7328

             

            Time interval1: 6281

            Time interval2: 6625

             

             

             

             

            2.2. performance with SSL setting

            Time interval1: 10000

            Time interval2: 8500

             

            Time interval1: 10266

            Time interval2: 9515

             

            Time interval1: 10016

            Time interval2: 9406

             

             

            Time interval1: 10485

            Time interval2: 9828

             

            Time interval1: 10438

            Time interval2: 9687

             

            Time interval1: 10219

            Time interval2: 10235

             

            Time interval1: 10641

            Time interval2: 9766

             

            Time interval1: 10172

            Time interval2: 10657

             

            Time interval1: 9422

            Time interval2: 9875

             

            Time interval1: 9656

            Time interval2: 9235

             

            Time interval1: 9047

            Time interval2: 9485

             

            Time interval1: 9985

            Time interval2: 8906

             

             

            From the above test results, we can see that there is at least a 5% performance loss.

            • 3. Re: How to switch from HTTPS to HTTP?
              sfcoy

              How does the user "leave" the secure page?

               

              Do they click on a link on the page? If so, is that link a relative URL? If that is the case then there is nothing any server can do about it because the URL is generated by the browser.

               

              But really, if you're concerned about 5% performance loss caused by SSL then you should consider a hardware SSL solution.

              • 4. Re: How to switch from HTTPS to HTTP?
                ybxiang.china

                How does the user "leave" the secure page?

                ~~~[xiang]: Tomcat can switch from HTTP to HTTPS automatically when I visit register.xhtml, login.xhtml because I configured <transport-guarantee>CONFIDENTIAL</transport-guarantee> in web.xml for them.  I hope after the login/registering, Tomcat can switch from HTTPS to HTTP automatically too if the next page that I will visit is NOT configured as "CONFIDENTIAL" in web.xml.

                 

                       I studied many websites (www.taobao.com, www.360buy.com and www.newegg.com), and I think they do so through hardcoding.

                       For example, if I log in to newegg.com, I am redirected to https://secure.newegg.com/NewMyAccount/AccountLogin.aspx?nextpage=http://www.newegg.com/

                       I am sure the redirection is done through hardcoding.

                       I think I should borrow this idea: after Login, I can run this code line:

                            response.sendRedirect(nextpage); in servlet

                            or configure navigation-rule

                <navigation-rule>
                    <from-view-id>/login.xhtml</from-view-id>
                    <navigation-case>
                        <from-action>#{loginMBean.login}</from-action>
                        <from-outcome>SUCCESS</from-outcome>
                        <to-view-id>#{loginMBean.nextpage}</to-view-id>
                        <redirect />
                    </navigation-case>
                </navigation-rule>

                            in faces-configure.xml

                 

                 

                 

                Do they click on a link on the page? If so, is that link a relative URL?  If that is the case then there is nothing any server can do about it because the URL is generated by the browser.

                ~~~This is another case I must fix.

                 

                But really, if you're concerned about 5% performance loss caused by SSL then you should consider a hardware SSL solution.

                ~~~This is a good idea. I will try it later.

                 

                 

                Stephen, thank you VERY much.

                 

                Let me summarize it:

                (a) I can NOT expect Tomcat to switch from HTTPS (CONFIDENTIAL) to HTTP (NONE) automatically through web.xml. The solution can be: hardcoding something about nextpage.

                (b) I can consider a hardware SSL solution if the traffic of my forum is high enough.
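
The post-login redirect described in reply 4 (`response.sendRedirect(nextpage)`), as an added example that is not code from any poster in this thread: it resolves a request-supplied `nextpage` value to a URL on the application's own host, choosing `https` for paths the posted web.xml marks CONFIDENTIAL and `http` otherwise, and falls back to the index page for off-site or malformed values. The host `forum.example`, the context path `/forum`, the sample path `/faces/system/users.xhtml` and the use of default ports are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

public class NextPageResolver {
    // Mirrors the CONFIDENTIAL <url-pattern> entries in the web.xml posted above.
    static final Set<String> CONFIDENTIAL = Set.of("/faces/login-https.xhtml",
            "/faces/login-form.xhtml", "/faces/console.xhtml", "/faces/register.xhtml");
    static final String CONFIDENTIAL_PREFIX = "/faces/system/";
    static final String FALLBACK = "/faces/index.xhtml";

    /** Returns an absolute URL on our own host; off-site or malformed input gets FALLBACK. */
    static String resolve(String host, String contextPath, String nextpage) {
        String target = FALLBACK; // what is appended to the URL (raw path + query)
        String path = FALLBACK;   // decoded path, used for the CONFIDENTIAL match
        if (nextpage != null) {
            try {
                URI u = new URI(nextpage).normalize();
                String p = u.getPath(); // decoded, so %2e%2e is seen as ".."
                // Site-relative only: no scheme, no authority ("//host/..."), no traversal.
                boolean local = u.getScheme() == null && u.getRawAuthority() == null
                        && p != null && p.startsWith("/") && !p.contains("..");
                if (local) {
                    path = p;
                    String q = u.getRawQuery();
                    target = u.getRawPath() + (q == null ? "" : "?" + q);
                }
            } catch (URISyntaxException e) {
                // Backslashes, control characters and similar: keep the fallback.
            }
        }
        boolean secure = CONFIDENTIAL.contains(path) || path.startsWith(CONFIDENTIAL_PREFIX);
        return (secure ? "https://" : "http://") + host + contextPath + target;
    }

    public static void main(String[] args) {
        // Constructed inputs; host and context path are placeholders (assumptions).
        String[] samples = { "/faces/list.xhtml?page=2", "/faces/console.xhtml",
                "/faces/system/users.xhtml", "http://other.example/", "//other.example/x",
                "/faces/../../etc", "\\\\other.example", null };
        for (String s : samples) {
            System.out.println(s + " -> " + resolve("forum.example", "/forum", s));
        }
    }
}
```

The returned string is what would be handed to `response.sendRedirect(...)`. A session cookie issued on the HTTPS login page without the Secure flag is sent in clear text once the browser is back on the HTTP pages, and one issued with the flag is not sent there at all.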