Re: j_security check and https
Snaglefrac,

Snaglefrac wrote:
> Now, when someone logs in they are using an unsecured login screen and their
> passwords are sent unencrypted. The solution! HTTPS, no sweat, I have this
> working too. The only problem I have is having the https and LDAP security in
> one application. Additionally I do not want to have every page locked by
> https, only the login screen that gets called by the security constraint.

Okay, so you want to use regular HTTP for everything except the login page. You just have to make sure that the user has a session before they try to login.

> so when a user hits /gigatronic/index.jsp they are asked to login because
> of the LDAP realm config. The pages used for the login I need in HTTPS.
> After a secure login it returns back to a regular http for the
> /gigatronic/index.jsp application.

Actually, you just need to submit to j_security_check using HTTPS. Everything else can be regular HTTP.

> SO how can I use HTTPS for only the j_security login portion I specified in
> web.xml and enforce LDAP realm for the rest of my app without having the whole
> app HTTPS.
>
> I tried specifying the HTTPS for my login but the app would not start.
> ex:
>
>
> https://www.blah.com/secure/login.jsp
>
> https://www.blah.com/secure/loginerr.jsp
>
> This did not work.

Right. Tomcat doesn't do a redirect (or does for some versions and not others... I can't keep it straight). What you need to do is this, in your login.jsp page:

">

This will submit your request to Tomcat using HTTPS. I'm not sure, but I believe the original request will be to an HTTP URL if the original request was to a non-secure URL. If not, you can always redirect subsequent requests using a filter or something like that to go back to HTTP.

-chris
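
The approach described in the reply above, sketched as a login.jsp (an added example, not code from the original message): the form posts j_username and j_password to an absolute HTTPS j_security_check URL. Port 8443 and the host www.blah.com are taken from the thread; fixing the host in the page instead of reading it from the request is an assumption of this example.

```jsp
<%@ page contentType="text/html; charset=UTF-8" session="true" %>
<%
    // session="true" (the JSP default) means a session already exists when the
    // login form is rendered, as the reply above asks for.

    // Assumption: the HTTPS connector listens on 8443, the port named in this thread.
    final int httpsPort = 8443;

    // Assumption: the public host name is fixed here and not taken from the
    // Host header of the incoming request, which the client controls.
    final String host = "www.blah.com";

    // j_security_check is handled by the container under the webapp's context path.
    String action = "https://" + host + ":" + httpsPort
                  + request.getContextPath() + "/j_security_check";
%>
<html>
<head><title>Login</title></head>
<body>
  <%-- The page itself may have been served over HTTP; only this POST is sent over HTTPS. --%>
  <form method="POST" action="<%= action %>">
    <label>User name <input type="text" name="j_username"></label>
    <label>Password <input type="password" name="j_password" autocomplete="off"></label>
    <input type="submit" value="Log in">
  </form>
</body>
</html>
```

Only the credential POST is encrypted in this arrangement: once the browser goes back to HTTP, the session cookie that now identifies the authenticated user is sent in clear text.
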
Re: j_security check and https
I have a Tomcat application. I want to use LDAP authentication. I have this working no problem. When a user hits the site they are asked to login and they use the j_security method to do so. No problem.

Now, when someone logs in they are using an unsecured login screen and their passwords are sent unencrypted. The solution! HTTPS, no sweat, I have this working too. The only problem I have is having the https and LDAP security in one application. Additionally I do not want to have every page locked by https, only the login screen that gets called by the security constraint.

EX directory structure:

Https Secured pages and directories.
/security/login.jsp
/security/loginerr.jsp

LDAP Realm Secured directories
/gigatronic/*
/gigatronic/index.jsp

so when a user hits /gigatronic/index.jsp they are asked to login because of the LDAP realm config. The pages used for the login I need in HTTPS. After a secure login it returns back to a regular http for the /gigatronic/index.jsp application.

SO how can I use HTTPS for only the j_security login portion I specified in web.xml and enforce LDAP realm for the rest of my app without having the whole app HTTPS.

I tried specifying the HTTPS for my login but the app would not start.
ex:

https://www.blah.com/secure/login.jsp
https://www.blah.com/secure/loginerr.jsp

This did not work.

Cheers

Re: j_security check and https
Snaglefrac,

Snaglefrac wrote:
> I want to use j_security check with https on port 8443. I only want to
> secure the login pages and not the whole application.

Then you need to configure your s appropriately.

> so ..
> these pages need to be secured when accessed:
> /secure/login.jsp
> /secure/loginerr.jsp
>
> everything else is secured by form based authentication and uses an ldap
> realm.

If "everything else" will be secured by form-based auth, then what should secure the above two URLs? Any resource that is protected will be protected using the same authentication type: you can't use BASIC for one set of URLs and FORM for another set of URLs in the same webapp.

> /j_security_check
> /secure/j_security_check
> /j_security_check

Note that you can't secure j_security_check: this URL is special and will be handled by the container whether you list it in your s or not.

> The problem is when I hit the application where I have form authentication
> connection to LDAP, it uses the /secure/login.jsp page, because j_security
> check redirects to this page.

You can't change how this works.

> but it is not forced at https, because the url pattern doesn't match. So how
> can I force the login.jsp page to be https! I don't want my ldap user
> password floating around out there.

Have you tried setting your to use an HTTPS URL?

-chris