Home/ Questions/Q 3623102
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-18T23:20:31+00:00

I’m using jsf 2 + jaas + ssl + tomcat 6.0.26 I have in

  • 0

I’m using jsf 2 + jaas + ssl + tomcat 6.0.26

I have in my web site 2 paths:

/faces/protected/* which uses SSL

/faces/unprotected/* which don’t uses SSL.

I’ve put this in my web.xml:

<login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/faces/login.jsp</form-login-page>
            <form-error-page>/faces/error.jsp</form-error-page>
        </form-login-config>
    </login-config>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Secure Resource</web-resource-name>
            <description/>
            <url-pattern>/faces/unprotected/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>           
        </web-resource-collection>
        <auth-constraint>
            <role-name>C</role-name>
        </auth-constraint>          
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Secure Resource</web-resource-name>
            <description />
            <url-pattern>/faces/protected/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>C</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>     
    </security-constraint>
    <security-role>
        <description> Role Client </description>
        <role-name>C</role-name>
    </security-role>

and this is my server.xml:

 <Connector port="8080" protocol="HTTP/1.1" 
               maxThreads="400"
               maxKeepAliveRequests="1"
               acceptCount="100"
               connectionTimeout="3000"
               redirectPort="8443"
                compression="on"
                compressionMinSize="2048"
                noCompressionUserAgents="gozilla, traviata"
                compressableMimeType="text/javascript,text/css,text/html, text/xml,text/plain,application/x-javascript,application/javascript,application/xhtml+xml"  />


  <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" SSLEnabled="true"
               maxThreads="400" scheme="https" secure="true"
               clientAuth="optional" sslProtocol="TLS" 
               SSLCertificateFile="path/to/crt" 
               SSLCertificateKeyFile="path/to/pem"/>

when i enter to protected paths, it switches to HTTPS (port 8443), but when i enter to path /faces/unprotected/somthing… it stays using HTTPS.

what i want is when i enter to unprotected paths, it revert-back to non-SSL communications ( otherwise, i have to re-login again when i set the exact adress in my browser).

What’s wrong with my configurations ?

Is there a way so i can do such a thing ?

Is it possible to call the page using without asking for authentification second time ?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Yes, that is the normal behaviour on Tomcat.

    Once it moves into https, it will not redirect other URLs back into http, unless the URL explicitly is for http.

    If you really need to, you would have to write a Filter to check if the URL is not part of the secured pattern, then redirect back to http.

    • 0