3 Replies Latest reply on May 8, 2006 3:48 AM by acku

    Switching from HTTPS to HTTP

    acku Newbie

      Right now I am using HTTPS for a secure login by configuring:

       <security-constraint>
       <web-resource-collection>
       <web-resource-name>Login</web-resource-name>
       <url-pattern>/faces/SecureLogin.jsp</url-pattern>
       </web-resource-collection>
       <auth-constraint>
       <role-name>ROLE_ADMIN</role-name>
       <role-name>ROLE_USER</role-name>
       <role-name>ROLE_MODERATOR</role-name>
       </auth-constraint>
       <user-data-constraint>
       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
       </security-constraint>
      


      Along with the settings in server.xml this works fine. The app switches to https protocol and port 8443 (instead of 8080) when you reach that page and allows you to login encrypted.
      But it stays that way, navigation after logging in keeps being secure. I want to revert back to http obviously.
      Marking pages after that with a data cnstraint NONE does not do anything.
      It occurred to me that it's possible to change that by hard-coding a link to HTTP but that's dirty design.

      Any ideas? Thanks.



        • 1. Re: Switching from HTTPS to HTTP
          acku Newbie

          I am using JBoss4.04RC1 btw with bundled Tomcat

          • 2. Re: Switching from HTTPS to HTTP
            Manohar Kaul Newbie

            Hi,
            I am facing the exact same problem, where I am using container-based security and everytime I move from authentication during login to the site which is a HTTPS page to say a normal HTTP page, it kickes me out to the main login page as if I was not authorized to view the HTTP page!!
            From what I have read so far, I think some webservers treat the HTTP and HTTPS to be 2 different domains hence 2 completely different requests to the server. If you have got the solution to this problem can you post it up here too?

            Thanks in advance,
            MK

            • 3. Re: Switching from HTTPS to HTTP
              acku Newbie

              I 'solved' this by redirecting after a login to a HTTP port, instead of keeping on the HTTPS one. This works, the server auth doesnt complain about that (used with j_scecurity_check). But ofcourse it's kind of ugly, having to redirect just to get rid of this.