[jboss-user] [Security & JAAS/JBoss] - problem with https

cibermon do-not-reply at jboss.com
Thu Mar 26 07:24:34 EDT 2009


Hi. I have a problem with https; I will describe the environment.


My web.xml contains:

<security-constraint>
	<display-name></display-name>
	<web-resource-collection>
		<web-resource-name>privateSecured</web-resource-name>
		<url-pattern>/segura/*</url-pattern>
		<http-method>GET</http-method>
		<http-method>POST</http-method>
	</web-resource-collection>
	<auth-constraint>
		<role-name>*</role-name>
	</auth-constraint>
	<user-data-constraint>
		<transport-guarantee>CONFIDENTIAL</transport-guarantee>
	</user-data-constraint>	
</security-constraint>
	
<security-constraint>
	<display-name></display-name>
	<web-resource-collection>
		<web-resource-name>privateUnsecured</web-resource-name>
		<url-pattern>/nosegura/*</url-pattern>
		<http-method>GET</http-method>
		<http-method>POST</http-method>
	</web-resource-collection>
	<auth-constraint>
		<role-name>*</role-name>
	</auth-constraint>
	<user-data-constraint>
		<transport-guarantee>NONE</transport-guarantee>
	</user-data-constraint>
</security-constraint>
	
<security-constraint>
	<display-name></display-name>
	<web-resource-collection>
		<web-resource-name>publicSecured</web-resource-name>
		<url-pattern>/login.html</url-pattern>
		<http-method>GET</http-method>
		<http-method>POST</http-method>
	</web-resource-collection>
	<user-data-constraint>
		<transport-guarantee>CONFIDENTIAL</transport-guarantee>
	</user-data-constraint>
</security-constraint>

<login-config>
	<auth-method>FORM</auth-method>
	<realm-name>iwb</realm-name>
	<form-login-config>
		<form-login-page>/login.html</form-login-page>
		<form-error-page>/nosegura/error.jsp</form-error-page>
	</form-login-config>
</login-config>

<security-role>
	<role-name>*</role-name>
</security-role>

My webapp:

|--src (source folder)
|--doc (analysis documents folder)
|--res (static resources folder)
|--web
    |--META_INF
    |--WEB_INF
    |--index.jsp (redirects to /nosegura/entrada.jsp)
    |--login.html (authentication screen)
    |--segura (folder of JSPs that I want to be secure)
        |------gestion
        |------administracion
    |----nosegura (folder of JSPs that I do not want to be secure)
        |-------UsuariosGrupos
        |-------cabeceras y pie
        |-------error.jsp
        |-------entrada.jsp
        |-------logoff.jsp (redirects to /nosegura/entrada.jsp)

Now I will explain my flow of requests to get into my application:

I have an index.jsp file as the welcome-file; that file only contains:
<% response.sendRedirect(request.getContextPath() + "/nosegura/entrada.jsf"); %>

entrada.jsf is not secure and is private, so it goes to the login screen.

The login screen is public but it is secured, so it should be served over https.
Here is the first problem: it is not.

If I go to server:port/application/login.html, it does ask me for the license, so I understand that the security-constraint for login does work,
but it seems that the current flow does not request login.html at all.

The other problem is that it does not go from https to http; it does go fine from http to https, but the reverse does not work.


I cannot get it to pass from https to http.

Any ideas?

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4221237#4221237
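
An added example, not part of the original post: a Python sketch that evaluates the three constraints from the web.xml above for a given scheme and path. It assumes exact and longest-prefix pattern matching only, ignores `<http-method>`, and treats an http request to a CONFIDENTIAL resource as a redirect to https, as Tomcat-derived containers do through the connector's redirectPort; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed input: the three <security-constraint> blocks from the post,
# reduced to the elements that drive the transport and auth decision.
WEB_XML = """<web-app>
<security-constraint>
  <web-resource-collection><url-pattern>/segura/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>*</role-name></auth-constraint>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection><url-pattern>/nosegura/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>*</role-name></auth-constraint>
  <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection><url-pattern>/login.html</url-pattern></web-resource-collection>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint>
</web-app>"""

def load_constraints(xml_text):
    """Return {url-pattern: (auth_required, transport_guarantee)}."""
    rules = {}
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        auth = sc.find("auth-constraint") is not None
        tg = sc.findtext("user-data-constraint/transport-guarantee", "NONE").strip()
        for pat in sc.iter("url-pattern"):
            rules[pat.text.strip()] = (auth, tg)
    return rules

def best_match(rules, path):
    """Exact match first, then the longest '/prefix/*' match (simplified)."""
    if path in rules:
        return path
    hits = [p for p in rules if p.endswith("/*")
            and (path.startswith(p[:-1]) or path == p[:-2])]
    return max(hits, key=len, default=None)

def decide(rules, scheme, path):
    """Decision taken on the requested URL before any JSP or servlet runs."""
    pat = best_match(rules, path)
    if pat is None:
        return "serve as-is (no constraint)"
    auth, tg = rules[pat]
    if tg in ("CONFIDENTIAL", "INTEGRAL") and scheme == "http":
        return "redirect to https"
    # NONE means no transport requirement: https is accepted, never downgraded.
    return "authenticate, then serve over " + scheme if auth else "serve over " + scheme
```

Calling `decide(load_constraints(WEB_XML), "https", "/nosegura/entrada.jsf")` shows that a NONE constraint leaves an https request on https, so moving a session back to http has to be done by the application itself.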
