4 Replies Latest reply on Aug 16, 2005 7:51 AM by christian cheng

    SSL & js_security_check problem

    Thomas Quas Newbie

      I'm running JBoss 4.0.1SP1 on Linux.

      Scenario: I have two JSPs under <transport-guarantee>CONFIDENTIAL</transport-guarantee>: login.jsp and remember.jsp. The former contains a form which upon submit redirects to the latter:

      form method="POST" action="secure/remember.jsp"
      input type="text" name="j_username"/
      input type="password" name="j_password"/

      Remember.jsp only contains some code to store data in the HTTP session object and immediately redirect to 'j_security_check' with 'j_username' and 'j_password' appended:

      // ...
      String route = "j_security_check?j_username=" +
      URLEncoder.encode( username ) + "&j_password=" +
      URLEncoder.encode( password );
      response.sendRedirect( response.encodeRedirectURL( route ) );

      I have this all working as far as I enter the application, the server redirects me to login.jsp. After submitting the form, the server changes to SSL mode asking me to accept the certificate. I do that, and all of a sudden the server gets stuck on page remember.jsp. The URL in the broswer window shows https://localhost:8443/app/secure/remember.jsp; something it should actually never do.

      Just to make sure, I turned off SSL for the JSPs by commenting out the relevant <security-constraint>, and voila, it works as expected. Instead of being stuck on remember.jsp, the browser enters the requested application page.

      Looks to me like j_security_check does recall a user requested page under HTTP but not under HTTPS!?

      Any help appreciated.