Announcement Announcement Module
No announcement yet.
How do I do login & transactions in https? Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • How do I do login & transactions in https?

    Hey security experts,

    I haven't configured SSL in a spring application and was wondering how I would secure particular url
    or flows.

    I am using tomcat 7, Spring (framework & security) 3.1.0.RELEASE, Spring Web flow 2.3.0.RELEASE

    I read the following (Section 2.3)

    Now I have several questions

    1. How do I secure login to use https and return to http? (Please note I am using @Secured so login interception throughout the app must do this)

    2. Similarly how do I secure a web flow to use https?

    3. Is it really a bad idea to just use SSL for login & some flows? I am not building a banking application. Most commercial websites I see are not using SSL all the time.

    4. Do I really need to disable Session Fixation as metioned in the webpage above? Sounds like a bad idea.

    Last edited by lilolme; Sep 2nd, 2012, 06:07 PM.

  • #2
    This is a bad idea in general, not using SSL for your whole site makes you vunerable to various attacks (session hijack for starters) and also creates problems since a session marked as secure cannot be used without HTTPS.


    • #3
      I am doing the following in security.xml

      <port-mapping http="80" https="443" />
      <port-mapping http="8080" https="8443" />

      <intercept-url pattern="/signin/**" access="permitAll" requires-channel="https" />
      <intercept-url pattern="/signout/**" access="permitAll" requires-channel="http" />

      This works in the simple case where user clicks on login (redirects to https) and stays in https until user logs out

      However if a url is intercepted (because it is annotated as @Secured) the browser goes to login page but it fails when login form is submited. The browser remains on login page and keeps creating a new session (new jsessionid in url).


      • #4
        This should be a general problem. I would really like to know how others are handling it. If the problem is not
        clear please let me know. In short using spring, when using https, intercepts to authenticate the user is failing.
        Looks like its creating a new session each time.


        • #5
          I revisited this today and discovered something

          The problem - authentication over SSL works using signin url but fails when used for an @Secured interception. It all works fine if its using http. So if I click on a link to page that requires auth it redirects to signin page in https but when signing in it fails and stays on same page but with new session id in the url each time.

          Seems like session migration is the culprit

          <session-management session-fixation-protection="migrateSession"/>
          <!-- failing on ssl auth intercept for @Secured -->

          When I sent the session-fixation-protection to none. It works. Now the original session is used but I guesss my site will be vulnerable to session fixation attacks. It shouldnt be a problem in the short run but it would be good to address it.

          So the question is why is @Secured failing over SSL with session-fixation-protection="migrateSession"? Any thoughts? Do I need to configure something to get session migration working?