1 Reply Latest reply on Mar 27, 2009 6:58 AM by Ramón Minarro

    problem with https

    Ramón Minarro Newbie

      Hi. I have a problem with https, I will describe the environment


      mi web.xml contains

      <security-constraint>
      <display-name></display-name>
      <web-resource-collection>
      <web-resource-name>privateSecured</web-resource-name>
      <url-pattern>/segura/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
      <role-name>*</role-name>
      </auth-constraint>
      <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
      </security-constraint>

      <security-constraint>
      <display-name></display-name>
      <web-resource-collection>
      <web-resource-name>privateUnsecured</web-resource-name>
      <url-pattern>/nosegura/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
      <role-name>*</role-name>
      </auth-constraint>
      <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
      </security-constraint>

      <security-constraint>
      <display-name></display-name>
      <web-resource-collection>
      <web-resource-name>publicSecured</web-resource-name>
      <url-pattern>/login.html</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      </web-resource-collection>
      <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
      </security-constraint>

      <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>iwb</realm-name>
      <form-login-config>
      <form-login-page >/login.html</form-login-page>
      <form-error-page>/nosegura/error.jsp</form-error-page>
      </form-login-config>
      </login-config>

      <security-role>
      <role-name>*</role-name>
      </security-role>

      my webapp

      |--src (carpeta de fuentes)
      |--doc (carpeta de documentos de analisis)
      |--res (carpeta de recursos estaticos)
      |--web
      |--META_INF
      |--WEB_INF
      |--index.jsp (redirige a /nosegura/entrada.jsp)
      |--login.html (pantalla de autentificacion)
      |--segura (carpeta de jsp que quiero que sean seguras)
      |------gestion
      |------administracion
      |----nosegura (carpeta de jsp que no quiero que sean seguras)
      |-------UsuariosGrupos
      |-------cabeceras y pie
      |-------error.jsp
      |-------entrada.jsp
      |-------logoff.jsp (redirige a /nosegura/entrada.jsp)

      Now I will explain my flow of requests to get into my application:

      I have an index.jsp file as wellcome-file, that file only contain:
      <% Response.sendRedirect (request.getContextPath () + "/ nosegura / entrada.jsf")%>

      entrada.jsf and is not sure and private, it does go private to the login screen.

      The login screen is public but it is secured, so you should do it for https.
      Here is the first problem, does not.

      If I do server: port / application / login.html if you ask me the license, so they understand that security-contraintes login if it works,
      but it seems that the current flow does not request any login.html

      The other problem is not going to https to http, if you do well from http to https, but the reverse does not work.


      I can not get pass from https to http

      Any idea

        • 1. Re: problem with https
          Ramón Minarro Newbie

          Hola chicos, después de buscar mucho he optado por una solución que ni mucho menos es óptima pero al menos funciona.

          Lo que he hecho es hacer un filtro que rediriga a la misma pagina pero con http:// y con el puerto 8080 o el que corresponda. Os pego el codigo.




          public class ControlProtocolo implements Filter{

          public void destroy() {
          System.out.println(".... destruido filtro Control de Protocolo");
          }

          public void doFilter(ServletRequest arg0, ServletResponse arg1,
          FilterChain arg2) throws IOException, ServletException {

          if (arg0.isSecure()){
          HttpServletRequest httpRequest = (HttpServletRequest) arg0;
          HttpServletResponse httpResponse = (HttpServletResponse) arg1;

          StringBuffer redirectURL = new StringBuffer();

          redirectURL.append("http://");
          redirectURL.append(httpRequest.getServerName());
          redirectURL.append(":8080");
          redirectURL.append(httpRequest.getContextPath());
          redirectURL.append(httpRequest.getServletPath());

          String queryString = httpRequest.getQueryString();
          if (queryString!=null){
          redirectURL.append("?");
          redirectURL.append(queryString);
          }

          httpResponse.sendRedirect(redirectURL.toString());

          }else{
          arg2.doFilter(arg0, arg1);
          }



          }

          public void init(FilterConfig arg0) throws ServletException {
          System.out.println("Iniciando filtro Control de Protocolo ...");

          }

          }



          Y en el web.xml, logicamente sólo lo voy a aplicar a la zona nosegura, que es la candidata a ser redireccionada.


          {filter}

          {filter-name>controlProtocoloFilter{/filter-name}

          {filter-class}

          es.carm.javato.infoWeb.filtros.ControlProtocolo
          {/filter-class}

          {/filter}
          {filter-mapping}
          {filter-name}controlProtocoloFilter{/filter-name}
          {url-pattern}/nosegura/*{/url-pattern}
          {/filter-mapping}