2 Replies Latest reply on Feb 28, 2003 9:56 PM by Dan Greening

    Transport-guarantee confidential with FORM auth: How to reve

    Dan Greening Newbie

      I'm using port redirection with JBoss 3.0.6, so that if someone requests login.jsp through HTTP, the browser is redirected to an HTTPS protocol version (i.e., the login.jsp web application resource has a <transport-guarantee> of CONFIDENTIAL).

      I'm also using FORM-based authentication to automatically go to login.jsp if the user has not yet authenticated on "normal" pages.

      The idea is that I don't want to have the user's password revealed during the login (hence confidential transport guarantee), but I also don't think the normal page content is confidential, and I'd like the transport for normal pages to be fast. This HAS to be a common scenario.

      OK, so this all works fine up to and through the login process. However, when JBoss/Jetty redirects to the originally requested page, everything is now in HTTPS mode. I can manually go into non-SSL mode by typing the http://... URL of the "normal" page, and since I'm still authenticated it works fine.

      Shouldn't temporary redirects to an SSL-protected form pop back to non-SSL when going to the requested resource? After all, if I wanted my normal resources in SSL, I would have marked them as CONFIDENTIAL. Is there a recommended way to accomplish this goal?

      What am I doing wrong? I've searched everywhere for information on this, and I must be missing something.
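For readers who want to reproduce the setup the post describes, here is a web.xml deployment descriptor (Servlet 2.3 style, as used by JBoss 3.0.x/Jetty) with two security constraints: one that forces CONFIDENTIAL transport on the login form alone, and one that requires a role for the "normal" pages without any transport guarantee. This is an added example written for this thread, not configuration from the original poster or from the JBoss project; the role name, the URL patterns and the error page are assumed values. Note that the login-page constraint carries no auth-constraint, since the form has to be reachable by users who are not yet authenticated, and that the protected-pages constraint carries no user-data-constraint, which is what leaves their transport at NONE.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>

  <!-- Constraint 1: the login form itself.
       No auth-constraint (unauthenticated users must be able to reach it),
       but CONFIDENTIAL transport, so the container redirects a plain HTTP
       request for /login.jsp to the HTTPS port before the password is sent. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login form (SSL only)</web-resource-name>
      <url-pattern>/login.jsp</url-pattern>
      <url-pattern>/login_error.jsp</url-pattern>   <!-- assumed error page name -->
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Constraint 2: the "normal" pages.
       Require an authenticated user in the assumed role "user", but declare
       no user-data-constraint at all, i.e. transport-guarantee NONE, so these
       pages are allowed to be served over plain HTTP. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Normal pages (authenticated, any transport)</web-resource-name>
      <url-pattern>/app/*</url-pattern>   <!-- assumed location of the normal pages -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- FORM-based login: an unauthenticated request for anything under
       constraint 2 is diverted to /login.jsp, which constraint 1 then
       forces onto HTTPS. After j_security_check succeeds, the container
       redirects back to the page originally requested. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>example-realm</realm-name>   <!-- assumed realm name -->
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login_error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>

</web-app>
```

With this descriptor the behaviour the post describes can be checked directly: request a page under /app/ over HTTP, confirm the browser lands on https://.../login.jsp, log in, and then look at the scheme of the URL the container redirects back to. Since the original request was stored before the scheme switch, the redirect target after login is what decides whether the session continues over HTTPS or drops back to HTTP.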