I was trying to use the "webapps/examples/jsp/security/protected"
example with SSL but experienced strange effects with different
browsers.
I did the following with Tomcat 4.1.12LE (JBoss bundle, but shouldn't
matter as Tomcat was started standalone):
I successfully enabled SSL by uncommenting and modifying server.xml like
this:
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true"
           acceptCount="10" debug="0" scheme="https" secure="true"
           useURIValidationHack="false">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           clientAuth="false" protocol="TLS"
           keystoreFile="C:/jboss/tomcat-4.1.x/bin/jboss.keystore"
           keystorePass="*****" />
</Connector>
I changed the web.xml of the examples application by adding into
<security-constraint>:
<user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
When opening the URL
http://localhost:8080/examples/jsp/security/protected I expected an
automatic redirect to
https://localhost:8443/examples/jsp/security/protected/login.jsp to obey
the transport guarantee as specified above.
When I try with Mozilla it works as expected.
When using IE, I get a popup (because I just use an SSL test certificate)
- so far so good, but the redirect fails and IE stalls while loading. If
I manually use https://localhost:8443 everything is fine. Obviously only
the redirection does not work with IE. Any idea what could be wrong? Did
I set up anything wrong, or can anyone confirm this problem?
Anyhow, also with both Mozilla and Opera I sometimes get HTTP errors:
https://localhost:8443/examples/jsp/security/protected/j_security_check
pops up a status 400 message: "Invalid direct reference to form login
page" and "The requested resource
(/examples/jsp/security/protected/j_security_check) is not available."
or a status 404 message:
"/examples/jsp/security/protected/j_security_check" and "The requested
resource (/examples/jsp/security/protected/j_security_check) is not
available."
These problems occur when hitting the back button in my browser after
having successfully logged on as user "tomcat".
So I log on using login.jsp with a valid user, view index.jsp and hit
"back". When I try to submit again I get those errors.
What can be done to avoid these problems? I would like to be able to hit
"back" and either get to error.jsp or index.jsp when I try to log on
repeatedly, instead of that "j_security_check" resource.
One more question:
Tomcat can handle the automatic redirection with these security
constraints, but actually I only need SSL for login purposes. So after
the automatic SSL login, I'm stuck on HTTPS on port 8443 unless I manually
load an HTTP URL later. But this would require specifying
http://host:port somewhere instead of using relative links, which I prefer
not to do, as the webapp then needs to know the server names etc.
What is a good practice for SSL-login in general?
Also in case I want to use Struts for, let's say, an e-commerce-like site
where you just have to log on or need SSL security for one single login
page. Later I'd like to use HTTP again and would prefer not to hard-code
host:port into any page.
Is it a good idea to let Tomcat do this login stuff with all the above
issues, or should one better code it oneself?
Thanks!
mech
--
To unsubscribe, e-mail: <mailto:tomcat-user-unsubscribe@;jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@;jakarta.apache.org>
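A small check for the web.xml <transport-guarantee> setting discussed in the post, added here as an example and not part of the original message or of Tomcat: it walks every security-constraint of a deployment descriptor and reports the ones that do not force HTTPS (no user-data-constraint, NONE, or a misspelled value). It assumes the un-namespaced Servlet 2.3 descriptor format that Tomcat 4 uses; the embedded web.xml is a constructed sample that reproduces a misspelled value on purpose so the check is seen catching it.

```python
import xml.etree.ElementTree as ET

# Values the servlet spec allows for <transport-guarantee>.
ALLOWED = {"NONE", "INTEGRAL", "CONFIDENTIAL"}

# Constructed sample (not the real examples web.xml): the first constraint
# carries a misspelled value, the second has no user-data-constraint at all.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/jsp/security/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>tomcat</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Other</web-resource-name>
      <url-pattern>/other/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>"""


def check_transport_guarantees(web_xml_text):
    """Return (url-pattern, problem) pairs for every security-constraint
    that does not clearly require an encrypted transport."""
    root = ET.fromstring(web_xml_text)
    findings = []
    for sc in root.iter("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        tg = sc.find("user-data-constraint/transport-guarantee")
        if tg is None:
            problem = "no user-data-constraint: plain HTTP allowed"
        else:
            value = (tg.text or "").strip()
            if value not in ALLOWED:
                # Not a spec value; what the container does with it is undefined.
                problem = "invalid transport-guarantee %r" % value
            elif value == "NONE":
                problem = "transport-guarantee NONE: plain HTTP allowed"
            else:
                continue  # INTEGRAL or CONFIDENTIAL: encrypted transport required
        findings.extend((pat, problem) for pat in patterns)
    return findings


if __name__ == "__main__":
    for pattern, problem in check_transport_guarantees(SAMPLE_WEB_XML):
        print(pattern, "->", problem)
```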