How to switch from HTTPS to HTTP?
ybxiang.china Mar 28, 2013 10:33 AM
Dear guys,
I have many pages in my WAR application.
I want ONLY special pages to be served over HTTPS, and other pages (for example index.xhtml) to be served over HTTP.
However, every time someone leaves an HTTPS page, they stay in HTTPS mode for insecure pages, which is a big speed loss.
Must I hardcode it?
Please post an example web.xml solving this problem.
Thank you VERY much!
My web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
...
<!-- 1. Public Resources -->
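<!--
  Resources that require an authenticated user (topic/post editing, upload,
  logout). The transport guarantee is changed from NONE to CONFIDENTIAL:
  every request to these URLs carries the session cookie issued at login, and
  with NONE the container also accepts them over plain HTTP, where the session
  id and the submitted content can be read or modified in transit.
  CONFIDENTIAL makes the container require a protected transport for them.
-->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Public resources - Logged in User</web-resource-name>
    <description>Public resources - Logged in User</description>
    <url-pattern>/faces/createtopic.xhtml</url-pattern>
    <url-pattern>/faces/updatetopic.xhtml</url-pattern>
    <url-pattern>/faces/updatepost.xhtml</url-pattern>
    <url-pattern>/faces/upload.jsp</url-pattern>
    <url-pattern>/logoutServlet</url-pattern>
    <url-pattern>/uploadServlet</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!--
      In a Servlet 3.0 descriptor, "*" here stands for all roles declared in
      this descriptor. NOTE(review): the only security-role declared in this
      file is itself named "*"; confirm on the target container that this
      admits exactly the intended users.
    -->
    <role-name>*</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>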
<!--
  Guest pages: there is no auth-constraint, so no login is required.
  transport-guarantee NONE means "no transport protection required"; it does
  not send a request that arrived over HTTPS back to HTTP, so the scheme is
  decided by the URL the browser was given, not by this element.
  NOTE(review): when a logged-in user fetches these pages over HTTP, the
  session cookie is sent in cleartext unless it is restricted to HTTPS
  (session-config / cookie-config / secure). Confirm the session settings
  before serving any page of this application over HTTP.
-->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Public resources - guest</web-resource-name>
    <description>Public resources - guest</description>
    <url-pattern>/faces/activate.xhtml</url-pattern>
    <url-pattern>/faces/activate-success.xhtml</url-pattern>
    <url-pattern>/faces/display.xhtml</url-pattern>
    <url-pattern>/faces/index.xhtml</url-pattern>
    <url-pattern>/faces/list.xhtml</url-pattern>
    <url-pattern>/faces/register-success.xhtml</url-pattern>
    <url-pattern>/faces/search.xhtml</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<!-- 2. CONFIDENTIAL resources -->
<!--
  Login pages, the console and everything under /faces/system/: an
  authenticated user is required and the container must use a protected
  transport (CONFIDENTIAL).
  NOTE(review): /faces/login-form.xhtml is also the form-login-page of the
  login-config in this file, yet it is listed here under an auth-constraint;
  confirm that a direct request to it behaves as intended on the target
  container.
-->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>CONFIDENTIAL resources - logged in user</web-resource-name>
    <description>CONFIDENTIAL resources - logged in user</description>
    <url-pattern>/faces/login-https.xhtml</url-pattern>
    <url-pattern>/faces/login-form.xhtml</url-pattern>
    <url-pattern>/faces/console.xhtml</url-pattern>
    <url-pattern>/faces/system/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- "*" in a Servlet 3.0 descriptor: all roles declared in this descriptor. -->
    <role-name>*</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<!--
  Registration page: open to guests (no auth-constraint), but a protected
  transport is required, presumably so that the data entered at registration
  is not submitted in cleartext.
-->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>CONFIDENTIAL resources - guest</web-resource-name>
    <description>CONFIDENTIAL resources - guest</description>
    <url-pattern>/faces/register.xhtml</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<!--
  The only role declared in this descriptor, and it is literally named "*".
  NOTE(review): the auth-constraints in this file use "*" as the wildcard for
  "all declared roles"; declaring a role with that same name is unusual, so
  confirm how the target container maps real users onto it.
-->
<security-role>
  <role-name>*</role-name>
</security-role>
<!--
  Container-managed FORM login. The login page is one of the URLs placed under
  the CONFIDENTIAL constraint in this file; the error page
  /faces/login-fail.xhtml is not listed in any security-constraint shown here.
  NOTE(review): the credential POST target of FORM login (j_security_check) is
  not listed in any constraint either; confirm that credentials can only be
  submitted over HTTPS.
-->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/faces/login-form.xhtml</form-login-page>
    <form-error-page>/faces/login-fail.xhtml</form-error-page>
  </form-login-config>
</login-config>
</web-app>