  • How to force HTTPS on first landing page?

    I have a login page as the landing page of my project; how could I enforce HTTPS on this first landing page? I am using Spring Security 3.0.8. I have been trying the following with no success. How should I resolve this problem?

    Code:
    <http auto-config="true">
        <intercept-url pattern="/welcome*" access="ROLE_ADMIN" />
        <intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https" />

        <form-login login-page="/login"
                    default-target-url="/welcome"
                    authentication-failure-url="/loginfailed" />

        <session-management invalid-session-url="/sessionTimeout">
            <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
        </session-management>

        <logout logout-success-url="/login" invalidate-session="false" />
    </http>

  • #2
    What do you mean by "your first landing page"? What is happening and what do you expect? The configuration above should switch to https at the login page.

    NOTE: In general it is not recommended to only use HTTPS on a single page as this is not secure (google about firesheep). Additionally you will run into issues with the cookie marked as HTTPS only and then the rest of your application will not send the cookie. There are ways around this, but it is not secure. In short, as soon as you have your user authenticate the remainder of the interactions should be HTTPS.



    • #3
      My bad, sorry for the missing details on my question.

      When I issue a URL, say http://localhost:8080/MyProject, it redirects me to http://localhost:8080/MyProject/index.xhtml. This is what I'm referring to as the landing page. Now I have changed the landing page from index.xhtml to login.xhtml because I want the user to log in before the user can do anything.

      My intention is to use HTTPS for the whole project, not only the login page. I wasn't sure whether this should be done on the Tomcat server or whether I have to configure it manually for every single page using Spring in my project. I'm still in the midst of my research.



      • #4
        If you want all pages to require HTTPS, then you need to ensure your configuration reflects this. As it stands, the configuration you have posted only requires the /login page to be HTTPS. Based upon your description you are probably looking for something like this (note I switched to use-expressions="true" as it is more powerful):

        Code:
        <http auto-config="true" use-expressions="true">
            <intercept-url pattern="/welcome*" access="hasRole('ROLE_ADMIN')" requires-channel="https" />
            <intercept-url pattern="/login*" access="permitAll" requires-channel="https" />
            <!-- adjust this as necessary -->
            <intercept-url pattern="/**" access="authenticated" requires-channel="https" />

            <form-login login-page="/login"
                        default-target-url="/welcome"
                        authentication-failure-url="/loginfailed" />

            <session-management invalid-session-url="/sessionTimeout">
                <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
            </session-management>

            <logout logout-success-url="/login" invalidate-session="false" />
        </http>



        • #5
          @Rob's answer is almost there, thanks for your support. I have an additional comment on my problem.

          Before this, the server must have the SSL port enabled. Since I'm running on Tomcat, the SSL port is disabled by default. Thus I have to enable it and then configure port mapping in the Spring configuration as follows:

          Code:
          <http ...>
              ....
              ....

              <port-mappings>
                  <port-mapping http="8080" https="8443"/>
              </port-mappings>
          </http>
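          Putting #4 and #5 together, here is a complete Spring Security 3.0 configuration file that requires HTTPS on every URL and maps Tomcat's default 8080/8443 ports. This is an added illustration, not a file from the thread; the in-memory user, the keystore path in the comment and the schema locations are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative spring-security.xml (constructed, not from the thread). Spring Security 3.0.x namespace. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <http auto-config="true" use-expressions="true">
        <!-- Every pattern carries requires-channel="https": a plain-HTTP request to any of them
             is answered with a redirect to the HTTPS port taken from <port-mappings> below. -->
        <intercept-url pattern="/login*"   access="permitAll"             requires-channel="https" />
        <intercept-url pattern="/welcome*" access="hasRole('ROLE_ADMIN')" requires-channel="https" />
        <!-- Catch-all goes last: anything not matched above needs a logged-in user and HTTPS. -->
        <intercept-url pattern="/**"       access="authenticated"         requires-channel="https" />

        <form-login login-page="/login"
                    default-target-url="/welcome"
                    authentication-failure-url="/loginfailed" />

        <session-management invalid-session-url="/sessionTimeout">
            <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
        </session-management>

        <!-- The thread keeps invalidate-session="false"; this example drops the session on logout. -->
        <logout logout-success-url="/login" invalidate-session="true" />

        <!-- Tomcat's default ports. The channel filter needs this map to rewrite
             http://host:8080/... to https://host:8443/...; only 80/443 are known by default.
             Tomcat itself must have the HTTPS connector enabled in conf/server.xml, e.g.
             <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
                        keystoreFile="conf/keystore.jks" keystorePass="PLACEHOLDER" /> -->
        <port-mappings>
            <port-mapping http="8080" https="8443" />
        </port-mappings>
    </http>

    <!-- Constructed in-memory user so the file is complete; replace with the real user store. -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="admin" password="change-me" authorities="ROLE_ADMIN" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>
```

          Because every URL is now served over HTTPS, the session cookie can also be flagged secure (on Servlet 3.0 via web.xml's session-config/cookie-config/secure), which removes the cookie problem #2 warns about with a single HTTPS page.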
