1 Reply Latest reply on May 30, 2006 10:37 PM by cptnkirk

    SSL issue

    armita

      I enabled my login page to work on ssl using:

       <security-constraint>
         <display-name>SecurityConstraint</display-name>
         <web-resource-collection>
           <web-resource-name>Login</web-resource-name>
           <url-pattern>/home.faces</url-pattern>
           <http-method>GET</http-method>
           <http-method>POST</http-method>
         </web-resource-collection>
         <user-data-constraint>
           <description>SSL required</description>
           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
         </user-data-constraint>
       </security-constraint>
      

      This works fine and redirects the login page to use SSL, but unfortunately the site remains in SSL mode after this point and does not return to HTTP after that.

        • 1. Re: SSL issue

          If you're using relative links there will be nothing to cause your transport to change back.

          You can try adding another security-constraint block covering the content you don't want to be secure and set the <transport-guarantee>NONE</transport-guarantee>

          On the other hand, you typically don't want to switch back to non-SSL once you've gone secure, especially if you've initialized your session securely. Most web providers don't regenerate your sessionid when you switch between secure and insecure transports. Sending your sessionid over an insecure transport opens you up to session hijacking attacks.

          Be careful what you wish for. You should probably just leave things the way they are.
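
The two options discussed in the reply, side by side, as an added web.xml example that is not part of the original thread. The `/public/*` path and the resource names are hypothetical, and the `<cookie-config>` and `<tracking-mode>` elements assume a Servlet 3.0 or later container.

```xml
<!-- Added example; fragments belong inside <web-app>. Use A or B, not both. -->

<!-- Option A: login over TLS, other content explicitly NONE.
     NONE places no requirement on the transport, so these URLs are also
     served over plain HTTP, and a session cookie issued during the HTTPS
     login is sent in clear text on any HTTP request to them. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Login</web-resource-name>
    <url-pattern>/home.faces</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Public</web-resource-name>
    <url-pattern>/public/*</url-pattern> <!-- hypothetical path -->
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Option B: stay on TLS everywhere, as the reply recommends.
     No <http-method> elements means the constraint covers every method. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<session-config>
  <cookie-config>
    <!-- Browser sends the session cookie only over HTTPS -->
    <secure>true</secure>
    <!-- Session cookie is not readable from page scripts -->
    <http-only>true</http-only>
  </cookie-config>
  <!-- Keep the session id out of URLs (no ;jsessionid= rewriting) -->
  <tracking-mode>COOKIE</tracking-mode>
</session-config>
```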