7 Replies Latest reply on Jun 29, 2006 9:03 AM by Sohil Shah

    Help required in Switching from http to https in  jboss-4.0.

    Bhanuprakash singh Newbie

      Hi all
      Could anybody please tell me how to get http only for the first page and https for all other pages
      for example for login page it should be only http
      and once i login all the other pages should be accesible only through https

      Thanks
      Bhanu

        • 2. Re: Help required in Switching from http to https in  jboss-
          Bhanuprakash singh Newbie

          HI Cgriffith


          The setup of ssl in jboss is successful the problem iam facing is switching
          From http to https without the popping up of authentication dialog

          And also
          I have created sample struts application
          with login page and displays page when I go for submit submit
          but my requirement is
          To switch from http to https
          that is i should be able to access the login page
          with http but when i give submit it should go into secure mode and the next page should be displayed

          As per your instructions i made changes in web.xml file
          to include

          security-constraint>
          <web-resource-collection>
          <web-resource-name>Sample Application</web-resource-name>
          Require users to authenticate
          <url-pattern>*.do</url-pattern>
          <http-method>POST</http-method>
          <http-method>GET</http-method>
          </web-resource-collection>
          <auth-constraint>
          Only allow Authenticated_users role
          <role-name>TEST_ROLE_NAME</role-name>
          </auth-constraint>
          <user-data-constraint>
          Encryption is not required for the application in general.
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </user-data-constraint>
          </security-constraint>
          <security-role>
          <role-name>TEST_ROLE_NAME</role-name>
          </security-role>


          <login-config>

          <auth-method>BASIC</auth-method>
          <realm-name>TEST_REALM_NAME</realm-name>
          </login-config>


          i created users.properties and roles.properties in conf directory to include appropriate parameters

          now when i try to go to http://localhost:8080/Struts4

          i do get the login page but when i go for submit
          i get authenctication dialog asking for username and password for TEST_REALM_NAME
          and when i give the correct parameters authentication happens properly
          and i again go to the first page i.e the login page only differnce now is it the same login page but with https://
          but the what the real requirementa of mine are

          1. when i first open the login page in http://
          and i submit the login credential( jsp page) and give the submit button
          i should go into secure mode and should go to the next page ie it should have https in the url


          2. I should not get any authentication dialog(TEST_REAL_NAME) asking for username and password ,
          directly i should go to the next page when i give
          the submit button .i.e there should not come any authenticaion dialog while switching from http to https

          can u give me any idea regarding this
          appreciate your response in this regard


          Thanks
          BHanu

          • 3. Re: Help required in Switching from http to https in  jboss-
            Bhanuprakash singh Newbie

            Hi Cgriffith,
            I had created a separate thread for this
            I have posted my messages there
            you can find that at

            http://www.jboss.org/index.html?module=bb&op=viewtopic&t=84906

            Appreciate your response

            Thanks
            Bhanu

            • 4. Re: Help required in Switching from http to https in  jboss-
              chris griffith Expert

              Bhanu,

              O.K. so we got SSL going. Good.

              Now, there are some inconsistencies in what you want versus how you have your application configured.

              First, you mention that your application has a login form(i.e. FORM auth method), but your application is set up to use BASIC authentication. You have to choose one.

              Second, currently only struts actions are configured to use SSL. So any requests to a *.jsp, will not use SSL. I do not think this is what you want.

              Hope this helps to clarify, cgriffith

              • 5. Re: Help required in Switching from http to https in  jboss-
                Bhanuprakash singh Newbie

                Hi CGriffith,
                Thanks a lot for your help
                finally i was able to login in to page with http access and when i logged in the communication was in secure mode(https).....
                The mistake which i made was that i had failed to include form-login-config
                <form-login-config>
                <form-login-page>/login.jsp</form-login-page>
                <form-error-page>/error.jsp</form-error-page>
                </form-login-config>
                Once again thank you very much.
                Bye

                Bhanu

                • 6. Re: Help required in Switching from http to https in  jboss-
                  Bhanuprakash singh Newbie

                  Hi Cgrifith
                  Sorry to trouble u once again
                  I have encountered some problem with the login in struts
                  I had made necessary changes to include <transport-guarantee>
                  and login-config to include the user properties
                  but the <form-login-config>
                  <form-login-page>/display.jsp</form-login-page>
                  <form-error-page>/error.jsp</form-error-page>
                  </form-login-config>
                  </login-config>
                  is forcing it to go to the pages which i give in form-login-page
                  instead it should go
                  to NameAction which extends Action and based on the logic there
                  i should go to the required success or error page
                  and iam not understanding the importance if <form-login-config>
                  like if i remove the lines
                  <form-login-config>
                  <form-login-page>/display.jsp</form-login-page>
                  <form-error-page>/error.jsp</form-error-page>
                  </form-login-config>
                  </login-config>

                  i get the exceptions


                  18:59:15,687 WARN [FormAuthenticator] Unexpected error forwarding to login page
                  java.lang.NullPointerException
                  at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:238)
                  at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:446)
                  at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
                  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
                  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
                  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
                  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
                  at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
                  at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
                  at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
                  at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
                  at java.lang.Thread.run(Thread.java:595)


                  Could you please help me resolve this

                  Regards
                  Bhanu

                  • 7. Re: Help required in Switching from http to https in  jboss-
                    Sohil Shah Master

                     

                    "cool_bhanu" wrote:

                    <form-login-config>
                    <form-login-page>/display.jsp</form-login-page>
                    <form-error-page>/error.jsp</form-error-page>
                    </form-login-config>
                    </login-config>

                    is forcing it to go to the pages which i give in form-login-page
                    instead it should go
                    to NameAction which extends Action and based on the logic there
                    i should go to the required success or error page


                    You will have to integrate the logic in your NameAction object (which decides whether login is success or failure) into the JAAS LoginModule that is actually processing the Login Usecase now. If you are using one of the standard JAAS Login modules, you will have to use a custom JAAS Login Module to incorporate this logic instead.

                    As far as redirecting to pages of your choosing instead of the pages specified in your form-config goes, you will have to integrate a custom FormAuthenticator that extends the org.apache.catalina.authenticator.FormAuthenticator.

                    "cool_bhanu" wrote:

                    and iam not understanding the importance if <form-login-config>
                    like if i remove the lines
                    <form-login-config>
                    <form-login-page>/display.jsp</form-login-page>
                    <form-error-page>/error.jsp</form-error-page>
                    </form-login-config>
                    </login-config>


                    I believe this information is required by the org.apache.catalina.authenticator.FormAuthenticator and should *not* be left out