[jboss-user] [JBoss Seam] - Login Best Practices

chubby do-not-reply at jboss.com
Sat Apr 21 11:10:09 EDT 2007


I was wondering if there is a good Wiki page covering best practices for Login security for web apps?

One specific question I have is with regards to a login form on the home page (non-secure) that submits to the login action.  Because I cannot specify a scheme with JSF/JBoss seam in the h:form tag, I cannot force it to submit to an https URL.

The best I can do is use the pages.xml to require HTTPS, but that results in one non-secure request then a redirect to the secure request.  So it's pointless in this case.

I reviewed a JIRA (http://jira.jboss.com/jira/browse/JBSEAM-741) where this was talked about and it appears that for now the Seam team is holding off supporting a scheme attribute in the link/form tags.

It has me thinking there is a security concern with doing this sort of thing (submitting a non-secure form to a secure URL) and that perhaps I should just avoid having the convenient login box on the home page.

Any feedback is very much appreciated.

Thanks,
Mark

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4039550#4039550
