Staying in HTTPS is required to ensure that the user who logged in is
the user accessing the HttpSession.

Downside to staying in HTTPS is that it is slower as both ends have to
handle encryption and decryption.

On 5/3/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
Andrew & Bill,

So is it common form to stay in HTTPS once the user establishes a
secure connection and authentication?  Because if this is the case, then
I don't have to really do anything special for navigation handling.  Are
there any downsides to continuing to use HTTPS?  I am not sure I could
guarantee that the user (benign or malicious) wouldn't start from my
HTTPS login URL rather than from the HTTP main page URL.

Thanks again for your valuable input.



----- Original Message -----
From: Andrew Robinson <[EMAIL PROTECTED]>
Date: Thursday, May 3, 2007 10:22 am
Subject: Re: Navigation to and from an HTTPS URL
To: MyFaces Discussion <users@myfaces.apache.org>

> For the custom navigation handler, I don't have an example, but you
> could just setup some kind of pattern that you could parse via regex.
> Something like
>
> secure:/myview.xhtml
>
> Then in the navigation handler, see:
> private final static String SECURE = "secure:";
> ...
> if (viewId.startsWith(SECURE))
> {
>  viewId = viewId.substring(SECURE.length());
>  // see if the HttpServletRequest.isSecure() returns false
>  // if so then:
>  // get the faces external context
>  // build the full URL including "https"
>  // call external context.redirect
>  // call context.responseComplete();
> }
> else ...
>
> You have to use a redirect one way or another, so it being in a
> navigation handler just makes it available to all action responses.
>
> Also, make sure you remember once you redirect the user, they may lose
> their session, and they definitely will if you redirect from HTTPS to
> HTTP. Servlets use an in-memory cookie to store the session ID. Since
> it is a cookie, it falls under the W3C specification for cookie
> handling. So for example, if the cookie is marked as secure, it cannot
> be seen from HTTP.
>
> Make sure you are not planning on authenticating them under HTTPS, and
> then redirecting them to HTTP and trying to retain an insecure session
> ID. If so, impersonation attacks would be a piece of cake against your
> code.
>
>
> On 5/3/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > Andrew,
> >
> > Thanks for the tips.  I think that method (1) can work for me in
> > some situations, but not in general.  Would you happen to know or
> > have any examples for the method (2) [custom navigation handler]?  I
> > appreciate your help *very* much!
> >
> >
> > ----- Original Message -----
> > From: Andrew Robinson <[EMAIL PROTECTED]>
> > Date: Wednesday, May 2, 2007 3:50 pm
> > Subject: Re: Navigation to and from an HTTPS URL
> > To: MyFaces Discussion <users@myfaces.apache.org>
> >
> > > Two methods:
> > >
> > > 1) In your action or actionListener use the external context to
> > > send a
> > > redirect or
> > > 2) Use a custom navigation handler that builds a URL then changes
> > > the protocol
> > >
> > > On 5/2/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > > > Does anyone have any tips how you can implement navigating to
> > > > and from an HTTPS URL from a commandLink or commandButton?
> > > >
> > >
> >
>
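The custom navigation handler Andrew sketches above (a "secure:" prefix on the outcome, an isSecure() check, and a redirect to the https URL followed by responseComplete()), written out as a complete JSF 1.x NavigationHandler decorator. This is an added example, not code from the thread or from MyFaces itself; the class name, the constructor-injected HTTPS port (defaulting to 443) and the buildHttpsUrl helper are assumptions made here. It only ever upgrades a request from HTTP to HTTPS and never redirects back down, which matches the advice in the thread to stay in HTTPS once the session is established: a session cookie flagged secure is not sent over plain HTTP, so a downgrade redirect would look to the user like a lost session.

```java
import java.io.IOException;

import javax.faces.FacesException;
import javax.faces.application.NavigationHandler;
import javax.faces.application.ViewHandler;
import javax.faces.component.UIViewRoot;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletRequest;

/**
 * Decorating NavigationHandler that understands outcomes of the form
 * "secure:/myview.xhtml". If the current request is already HTTPS the view
 * is rendered directly; otherwise the user is redirected to the HTTPS URL
 * of that view. It never redirects the other way, so a session cookie
 * marked secure is not dropped by a downgrade to plain HTTP.
 */
public class SecureNavigationHandler extends NavigationHandler {

    private static final String SECURE = "secure:";

    private final NavigationHandler delegate; // the handler JSF configured before this one
    private final int httpsPort;              // assumed HTTPS port; hypothetical setting

    public SecureNavigationHandler(NavigationHandler delegate) {
        this(delegate, 443);
    }

    public SecureNavigationHandler(NavigationHandler delegate, int httpsPort) {
        this.delegate = delegate;
        this.httpsPort = httpsPort;
    }

    @Override
    public void handleNavigation(FacesContext context, String fromAction, String outcome) {
        if (outcome == null || !outcome.startsWith(SECURE)) {
            // ordinary outcome: let the default handler apply the faces-config rules
            delegate.handleNavigation(context, fromAction, outcome);
            return;
        }

        String viewId = outcome.substring(SECURE.length());
        ExternalContext ext = context.getExternalContext();
        HttpServletRequest request = (HttpServletRequest) ext.getRequest();
        ViewHandler viewHandler = context.getApplication().getViewHandler();

        if (request.isSecure()) {
            // already on HTTPS: navigate to the view in place, no redirect needed
            UIViewRoot root = viewHandler.createView(context, viewId);
            context.setViewRoot(root);
            return;
        }

        // plain HTTP: redirect to the same view over HTTPS and end this response
        String actionUrl = viewHandler.getActionURL(context, viewId); // context path + mapped view
        String httpsUrl = buildHttpsUrl(request.getServerName(), httpsPort, actionUrl);
        try {
            ext.redirect(httpsUrl);
        } catch (IOException e) {
            throw new FacesException("redirect to " + httpsUrl + " failed", e);
        }
        context.responseComplete();
    }

    /** Builds an absolute https:// URL; the port is omitted when it is the default 443. */
    static String buildHttpsUrl(String host, int port, String path) {
        StringBuilder sb = new StringBuilder("https://").append(host);
        if (port != 443) {
            sb.append(':').append(port);
        }
        return sb.append(path).toString();
    }
}
```

Register it in faces-config.xml under `<application>` as `<navigation-handler>SecureNavigationHandler</navigation-handler>` (with your package prefix); JSF instantiates it through the one-argument constructor, passing in the previously configured handler so all other outcomes still go through the normal navigation rules. An action method then simply returns `"secure:/myview.xhtml"` from a commandLink or commandButton, and a navigation-rule outcome without the prefix behaves as before.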
