How do I remove HTTPS after login in ? I have read other posts. I still need
this thread as it has to do with JAAS on tomcat. Please read on. For the
hasty, jump to 9 onwards.
My UI stack is as follows :
* JSF 1.2, Facelets, Richfaces 3.2.1
* JAAS
* Tomcat 6
0. Relevant web.xml entries
<security-constraint>
<display-name>User Login Page</display-name>
<web-resource-collection>
<web-resource-name>Login Resource</web-resource-name>
<url-pattern>/pages/secure/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>User</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
...
...
<login-config>
<auth-method>FORM</auth-method>
<realm-name>projx</realm-name>
<form-login-config>
<form-login-page>/pages/login/login.jsf</form-login-page>
<form-error-page>/pages/login/loginerror.jsf</form-error-page>
</form-login-config>
</login-config>
0.1 Login page :
<rich:panel id="loginPanel">
<f:facet name="header">Login Panel</f:facet>
<f:verbatim>
<form method="post" action="j_security_check ">
<table><tr>
<td>User Id</td>
<td><input type="text"
name="j_username" /></td>
</tr>
<tr>
<td>Password</td>
<td><input type="password"
name="j_password" /></td>
</tr>
<tr>
<td align="center">
<input type="submit"
value="Login" />
</td>
</tr></table>
</form>
</f:verbatim>
</rich:panel>
1. SSL Enabled Login page
2. Rest are non SSL-pages
3. JAAS Configured with some page requiring login (therefore fwd to SSL)
4. Homepage has 'Login' hyperlink -- which points to
-->/pages/secure/Userhomepage.jsf
Simple Login Usercase
------------------------
5. User clicks on 'Login' hyperlink
6. Tomcat CMA intercepts and takes user to /pages/login/login.jsf
but URL shows
https://localhost:8443/abc/pages/secure/Userhomepage.jsf
7. User keys in credentials and login is successful
8. Userhomepage.jsf http response is generated and shown on browser BUT URL
is still
https://localhost:8443/abc/pages/secure/Userhomepage.jsf
Problem
---------
9. HTTPS should not be show from 8 onwards. How do I remove it ?
Questions
------------
10. I know that HTTPS has to be programattically removed. But between
7 and 8, How do I do it ?
a) Where do I put a URL rewrite filter code ? It won't even be invoked..
b) How can I do it programmatically when the redirection is being
done by Tomcat ?
On a side note (question on JAAS configured on Tomcat )
-------------------------------------------------------
11. Why do I have to declare '/pages/secure/*' with
<auth-constraint>
<role-name>User</role-name>
</auth-constraint>
?
12. Why isn't there a way to just forward to login.jsf which forwards to
j_security_check ?
13. Is there a way to make Tomcat container aware of a JAASubject
What I would really like is a Richfaces modal panel for a login ?
Such a simple use case has become really complicated. Instead of
flexibility,
across presentation layers, it's ties you down to a one mechanism.
Very frustrating.
Thank you !
--
View this message in context:
http://www.nabble.com/How-do-I-remove-%27S%27-from-HTTPS---JAAS-configured-on-tomcat%2C-JSF-webapp-tp25250419p25250419.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
