RE: Force One page to not use SSL
I've once posted a skeleton to do that. One option for you to work around this would be (roughly) something like this:

- Create a hashtable that is global to the webapp.
- Create a hashtable for each session.
- Store the session hashtable in the application hashtable and use the session id as key.
- if (session.isNew() && RequestedSessionId != null): get the session hashtable by using the RequestedSessionId and store it with the new SessionId as key.
- Otherwise get the session hashtable by using the current session id.
- Store your session variables in the session hashtable.
- Make sure to remove everything from the application hashtable whenever a session gets destroyed.

-----Original Message-----
From: Rustad, Aaron [mailto:ARustad;Online-can.com]
Sent: Wednesday, October 30, 2002 1:55 AM
To: 'Tomcat Users List'
Subject: RE: Force One page to not use SSL

> All I am asking is...does anyone know how to persist a session from HTTPS to HTTP. Any potential solutions are GREATLY appreciated...any other suggestions (even though they might be well-meaning) are discouraged.

--
To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org
For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org
RE: Force One page to not use SSL
OK, let me explain the real problem then. What I really want to do is download a bunch of jars for an applet; however, doing this over HTTPS is driving me nuts!!! Can I somehow use HTTP to get the jars and still have the page that the applet resides in be HTTPS?

Thanks again!
Aaron.

-----Original Message-----
From: Craig R. McClanahan [mailto:craigmcc;apache.org]
Sent: October 28, 2002 9:37 PM
To: Tomcat Users List
Subject: Re: Force One page to not use SSL

> On Mon, 28 Oct 2002, Rustad, Aaron wrote:
>
> > Date: Mon, 28 Oct 2002 17:48:40 -0700
> > From: Rustad, Aaron [EMAIL PROTECTED]
> > Reply-To: Tomcat Users List [EMAIL PROTECTED]
> > To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
> > Subject: Force One page to not use SSL
> >
> > I am trying to force one page NOT to use HTTPS and still maintain the session. I have looked in the mailing list, and all I see is how you are not supposed to do this. Well, I really...really...really need to do this and yes, I understand that I shouldn't. So, if anyone knows how I can maintain the session that is given to my client from HTTPS -> HTTP I would greatly appreciate it.
>
> There is no support for this because it would be a huge security hole. For much discussion on this topic, check the mailing list archives.
>
> > Some background:
> > 1. IIS as a front for Tomcat 4.0.1.
> > 2. Using AJP13
> >
> > Thanks!
> > Aaron.
>
> Craig
RE: Force One page to not use SSL
You can probably try forwarding to an absolute path, with the JSESSIONID value. Since you are using IIS as the secure server, it shouldn't matter to Tomcat. For example, in a servlet you can forward control from

  https://my.domain.com/myapp/jsp/mypage1.jsp

to

  http://my.domain.com/myapp/jsp/mypage2.jsp;jsessionid=To6582mC3751376572349896At

(I am not sure you need the jsessionid value).

Sri

At 10:46 AM 10/29/2002, Rustad, Aaron wrote:
> OK, let me explain the real problem then. What I really want to do is download a bunch of jars for an applet; however, doing this over HTTPS is driving me nuts!!! Can I somehow use HTTP to get the jars and still have the page that the applet resides in be HTTPS?
>
> Thanks again!
> Aaron.
Re: Force One page to not use SSL
Why not break up your applet into two: one applet on an HTTP page that just handles the jar downloads?

Rustad, Aaron wrote:
> OK, let me explain the real problem then. What I really want to do is download a bunch of jars for an applet; however, doing this over HTTPS is driving me nuts!!! Can I somehow use HTTP to get the jars and still have the page that the applet resides in be HTTPS?
>
> Thanks again!
> Aaron.

--
Nicholas Pappas
Re: Force One page to not use SSL
We do the switch, using Apache 1.3.20/Tomcat 3.2.4 on Solaris. We just use an absolute URL when doing the switch. No problems with lost sessions.

- Dan

----- Original Message -----
> I've read the list archives and I'm aware of the security issue, but I still want to switch from HTTPS to HTTP. Yes, I know someone could hijack the session. We're not worried about that; at worst someone could make some obnoxious posts to a forum. We force users to submit their password a second time (and go into SSL, of course) whenever anything sensitive is touched, such as passwords or credit card info.
>
> We get a _lot_ of traffic. Running everything under SSL is not really an option.
>
> Can Apache/Tomcat/mod_jk be made to handle the switch? In our current configuration, it appears that the session is getting lost in the transition from HTTPS -> HTTP so the user is forced to log in again.
RE: Force One page to not use SSL
Jeff --

This may be a bit simple-minded since I don't understand your entire situation there, but it doesn't sound like you're interested in protecting these JARs in the first place (hence you don't need HTTPS for them). Why, then, do you even need to make sure the user is authenticated (i.e. *has* a session) in the first place? Why not just serve them up to anyone who requests them?

If you need the user to be in a session, you can approximate (which implies, of course, a less-than-elegant solution) the session by duplicating some of what Tomcat does to handle sessions. Namely, give your own token/cookie to the user and also put it into your context at HTTPS session start time ... keep your list synched with Tomcat's by removing the tokens whenever sessions are invalidated. When deciding whether to serve up the JARs, use this to determine whether the user is authenticated. Duplication, yes, but it's *a* solution.

I'd be interested to hear what you end up doing...

justin

At 03:56 PM 10/29/2002, you wrote:
> I've read the list archives and I'm aware of the security issue, but I still want to switch from HTTPS to HTTP. Yes, I know someone could hijack the session. We're not worried about that; at worst someone could make some obnoxious posts to a forum. We force users to submit their password a second time (and go into SSL, of course) whenever anything sensitive is touched, such as passwords or credit card info.
>
> We get a _lot_ of traffic. Running everything under SSL is not really an option.
>
> Can Apache/Tomcat/mod_jk be made to handle the switch? In our current configuration, it appears that the session is getting lost in the transition from HTTPS -> HTTP so the user is forced to log in again.
>
> Thanks,
> Jeff Schnitzer
> [EMAIL PROTECTED]
> The Sims Online
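The three mechanisms proposed in this thread, put together in one place: the hashtable-of-hashtables skeleton that is re-keyed through the requested session id (the first message above), Sri's observation that the id survives the switch inside the `;jsessionid=` URL, and Justin's point that the JARs themselves need neither HTTPS nor a session. What follows is an added example written as a Servlet 2.3 Filter plus HttpSessionListener; it is not code from the thread or from Tomcat, and the class, attribute and path names are assumptions. It keeps the one boundary that makes Jeff's arrangement tolerable: an id arriving over plain HTTP is exactly what a hijacker would present, so the plain-side map carries only a whitelist of non-sensitive attributes and never the authentication state, which stays in the real HttpSession and is consulted only on isSecure() requests.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;

/*
 * Added example (not code from this thread or from Tomcat). Register it in
 * web.xml once as a <filter> mapped to /* and once as a <listener>. Every
 * name here (PlainSessionCarryover, REGISTRY, PLAIN_ATTRIBUTES, JAR_PATH,
 * "plainSession") is hypothetical.
 */
public class PlainSessionCarryover implements Filter, HttpSessionListener {

    /* ServletContext attribute holding the "application hashtable":
       session id -> that session's plain-HTTP data. */
    static final String REGISTRY = "carryover.registry";

    /* The only attributes allowed to cross from the HTTPS session to the
       plain side. Whatever the login code stores ("user", "roles", ...) is
       deliberately absent: a plain-HTTP caller is always anonymous here. */
    static final String[] PLAIN_ATTRIBUTES = {"displayName", "locale", "theme"};

    /* Public static content (the applet jars) is served without touching
       any session at all. Path is relative to the context root. */
    static final String JAR_PATH = "/jars/";

    private ServletContext context;

    public void init(FilterConfig cfg) {
        context = cfg.getServletContext();
    }

    public void destroy() {
    }

    /* Lazily create the global registry; synchronized so two concurrent
       first requests cannot install two different maps. */
    static synchronized Map<String, Map<String, Object>> registry(ServletContext ctx) {
        @SuppressWarnings("unchecked")
        Map<String, Map<String, Object>> reg =
                (Map<String, Map<String, Object>>) ctx.getAttribute(REGISTRY);
        if (reg == null) {
            reg = Collections.synchronizedMap(new HashMap<String, Map<String, Object>>());
            ctx.setAttribute(REGISTRY, reg);
        }
        return reg;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        if (request.getRequestURI().startsWith(request.getContextPath() + JAR_PATH)) {
            chain.doFilter(req, res);   // jars: no session, anyone may fetch them
            return;
        }

        HttpSession session = request.getSession(true);
        Map<String, Map<String, Object>> reg = registry(context);
        Map<String, Object> plain = reg.get(session.getId());

        if (plain == null) {
            // Id the browser sent, from the ;jsessionid=... URL or the cookie,
            // even when the container declined to resume that session.
            String requested = request.getRequestedSessionId();
            if (session.isNew() && requested != null && reg.containsKey(requested)) {
                plain = reg.get(requested);   // same map, now filed under both ids
            } else {
                plain = Collections.synchronizedMap(new HashMap<String, Object>());
            }
            reg.put(session.getId(), plain);
        }

        if (request.isSecure()) {
            // Only on HTTPS, and only the whitelisted attributes, flow outward.
            for (String name : PLAIN_ATTRIBUTES) {
                Object value = session.getAttribute(name);
                if (value != null) {
                    plain.put(name, value);
                }
            }
        }

        // Servlets and JSPs read the plain map from the request. Anything
        // sensitive must still come from the HttpSession on an isSecure()
        // request, which is what forces the re-login over TLS.
        request.setAttribute("plainSession", plain);
        chain.doFilter(req, res);
    }

    public void sessionCreated(HttpSessionEvent e) {
    }

    /* Keep the registry in step with the container: drop the entry of every
       session that is invalidated or times out. */
    public void sessionDestroyed(HttpSessionEvent e) {
        registry(e.getSession().getServletContext()).remove(e.getSession().getId());
    }
}
```

Where the resource genuinely needs no session, as with the jars, the declarative route is shorter and needs none of the above: a security-constraint in web.xml with a user-data-constraint of CONFIDENTIAL on the HTTPS-only URL patterns and no constraint at all on /jars/*, so Tomcat itself bounces plain-HTTP requests for the protected pages to the connector's redirectPort while the jars stay public.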
RE: Force One page to not use SSL
Man alive! Does this thread have to continue in this direction? Jeff and I both have similar problems, and we are requesting a common solution. I think we both expressed that we are aware of the consequences of our security-flawed approach to app design, yet everyone seems to think that this has not been thought through.

All I am asking is...does anyone know how to persist a session from HTTPS to HTTP. Any potential solutions are GREATLY appreciated...any other suggestions (even though they might be well-meaning) are discouraged.

Thanks!
Aaron.

-----Original Message-----
From: Justin Ruthenbeck [mailto:justinr;nextengine.com]
Sent: October 29, 2002 5:20 PM
To: Tomcat Users List
Subject: RE: Force One page to not use SSL

> Jeff --
>
> This may be a bit simple-minded since I don't understand your entire situation there, but it doesn't sound like you're interested in protecting these JARs in the first place (hence you don't need HTTPS for them). Why, then, do you even need to make sure the user is authenticated (i.e. *has* a session) in the first place? Why not just serve them up to anyone who requests them?
>
> If you need the user to be in a session, you can approximate (which implies, of course, a less-than-elegant solution) the session by duplicating some of what Tomcat does to handle sessions. Namely, give your own token/cookie to the user and also put it into your context at HTTPS session start time ... keep your list synched with Tomcat's by removing the tokens whenever sessions are invalidated. When deciding whether to serve up the JARs, use this to determine whether the user is authenticated. Duplication, yes, but it's *a* solution.
>
> I'd be interested to hear what you end up doing...
>
> justin
RE: Force One page to not use SSL
On Tue, 29 Oct 2002, Schnitzer, Jeff wrote:

> Date: Tue, 29 Oct 2002 15:56:47 -0800
> From: Schnitzer, Jeff [EMAIL PROTECTED]
> Reply-To: Tomcat Users List [EMAIL PROTECTED]
> To: Tomcat Users List [EMAIL PROTECTED]
> Subject: RE: Force One page to not use SSL
>
> I've read the list archives and I'm aware of the security issue, but I still want to switch from HTTPS to HTTP. Yes, I know someone could hijack the session. We're not worried about that; at worst someone could make some obnoxious posts to a forum. We force users to submit their password a second time (and go into SSL, of course) whenever anything sensitive is touched, such as passwords or credit card info.
>
> We get a _lot_ of traffic. Running everything under SSL is not really an option.
>
> Can Apache/Tomcat/mod_jk be made to handle the switch? In our current configuration, it appears that the session is getting lost in the transition from HTTPS -> HTTP so the user is forced to log in again.

Then I'm afraid you will need to modify your version of Tomcat to make this transition possible. It would be irresponsible for the standard container to allow people who don't know what they are doing to shoot themselves in the foot on security.

> Thanks,
> Jeff Schnitzer
> [EMAIL PROTECTED]
> The Sims Online

Craig
RE: Force One page to not use SSL
On Tue, 29 Oct 2002, Rustad, Aaron wrote:

> Date: Tue, 29 Oct 2002 17:54:34 -0700
> From: Rustad, Aaron [EMAIL PROTECTED]
> Reply-To: Tomcat Users List [EMAIL PROTECTED]
> To: 'Tomcat Users List' [EMAIL PROTECTED]
> Subject: RE: Force One page to not use SSL
>
> Man alive! Does this thread have to continue in this direction? Jeff and I both have similar problems, and we are requesting a common solution. I think we both expressed that we are aware of the consequences of our security-flawed approach to app design, yet everyone seems to think that this has not been thought through.

Tomcat is downloaded roughly 100,000 times per month. From many, many years of experience supporting Tomcat users, I can *guarantee* you that the vast majority of those who download Tomcat would *not* understand the implications of being able to do this.

> All I am asking is...does anyone know how to persist a session from HTTPS to HTTP. Any potential solutions are GREATLY appreciated...any other suggestions (even though they might be well-meaning) are discouraged.

(a) It's open source. Download the source code for your favorite version of Tomcat. Modify it to do what you want.

(b) Spend a little more for your CPU and network bandwidth so that it's not an issue.

As a Tomcat committer, I will unconditionally veto any attempt to include this mis-feature in a standard version of Tomcat. If you want a servlet container that lets you hang yourself, please go elsewhere.

> Thanks!
> Aaron.

Craig
Re: Force One page to not use SSL
Craig R. McClanahan [EMAIL PROTECTED] wrote in message news:20021029215637.J8960-10;icarus.apache.org...
> On Tue, 29 Oct 2002, Rustad, Aaron wrote:
>
> Tomcat is downloaded roughly 100,000 times per month. From many, many years of experience supporting Tomcat users, I can *guarantee* you that the vast majority of those who download Tomcat would *not* understand the implications of being able to do this.
>
> (a) It's open source. Download the source code for your favorite version of Tomcat. Modify it to do what you want.
>
> (b) Spend a little more for your CPU and network bandwidth so that it's not an issue.
>
> As a Tomcat committer, I will unconditionally veto any attempt to include this mis-feature in a standard version of Tomcat. If you want a servlet container that lets you hang yourself, please go elsewhere.

This mis-feature is in the standard version of Tomcat 3.3.1.

> Craig
Re: Force One page to not use SSL
On Tue, 29 Oct 2002, Bill Barker wrote:

> This mis-feature is in the standard version of Tomcat 3.3.1.

Another good reason for me to never use it :-).

Craig
Re: Force One page to not use SSL
On Mon, 28 Oct 2002, Rustad, Aaron wrote:

> Date: Mon, 28 Oct 2002 17:48:40 -0700
> From: Rustad, Aaron [EMAIL PROTECTED]
> Reply-To: Tomcat Users List [EMAIL PROTECTED]
> To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
> Subject: Force One page to not use SSL
>
> I am trying to force one page NOT to use HTTPS and still maintain the session. I have looked in the mailing list, and all I see is how you are not supposed to do this. Well, I really...really...really need to do this and yes, I understand that I shouldn't. So, if anyone knows how I can maintain the session that is given to my client from HTTPS -> HTTP I would greatly appreciate it.

There is no support for this because it would be a huge security hole. For much discussion on this topic, check the mailing list archives.

> Some background:
> 1. IIS as a front for Tomcat 4.0.1.
> 2. Using AJP13
>
> Thanks!
> Aaron.

Craig