I’m running Windows Server 2008 R2 with IIS 7.5, AJP Connector 1.3, and Tomcat 5.5 with SSL enabled. I am using a self-signed certificate, for testing only. I also put in a security constraint in web.xml to enforce SSL for a particular page called BeforeAuth.jsp. Tomcat is handling both HTTP and HTTPS traffic on the same website, as a result of enabling SSL.
What I want to do is downshift from HTTPS to HTTP for a particular url-pattern, but I’m not sure how to go about it.
In my ideal example, I have a login page, which uses HTTP. When the user submits the page, it navigates to BeforeAuth.jsp, which is HTTPS. Then, BeforeAuth.jsp is submitted and calls a closed-source 3rd-party Java authenticator (over HTTPS) and, after successful authentication, the authenticator takes care of pointing the browser to a home page called home.jsp, which is HTTP.
So, it’s Login(HTTP)->Authenticate(HTTPS)->HomePage(HTTP).
How do I go about this?
Thank you.
What you are asking for is a redirect: just build the entire URL you want to redirect to, including the protocol (https:).
What you really want to do is use SSL the whole time: if you are using SSL for the authentication, why not use SSL for the rest of the session? Sniffing the JSESSIONID from the request line (if using URL rewriting) or a cookie is just as good as having the user’s password for the current session. Unless the user’s credentials are worth more than the data they can access once logged-in, your best bet is to use SSL all the time.
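As an added illustration of the "SSL all the time" advice (not part of either post above), the web.xml constraint the question describes is shown next to a site-wide version. The resource names and the assumption that BeforeAuth.jsp sits at the web application root are constructed for the example.

```xml
<!-- Constructed web.xml fragments (Servlet 2.4 syntax, as used by Tomcat 5.5). -->

<!-- Before: only the authentication page is forced onto HTTPS. The
     JSESSIONID still travels in the clear on every HTTP page, including
     home.jsp after login. Path assumed: web application root. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Auth page only</web-resource-name>
    <url-pattern>/BeforeAuth.jsp</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- After: use this block instead of the one above. Every URL in the
     application requires a confidential transport, so the login page,
     the authenticator and home.jsp are all served over HTTPS and the
     session id is never sent over plain HTTP. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

With the site-wide constraint in place, the redirect issued by the third-party authenticator to home.jsp should also use an https: URL, otherwise the container will bounce the browser back to HTTPS on arrival.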