  • SSL - Secured & non-secured items

    Hi,

    I've just setup my application to use SSL and I have a few questions...
    Only my login page and the admin module are secured.
    If I don't secure the css, javascript and images I have some errors on the login page ("contains secure and non secured items.."), but if I secure them they will also be secured on non-secured pages (most of the web site).

    Is there a way to avoid this? I'd like to secure them only for secured pages like login or admin...

    Code:
    <bean id="channelProcessingFilter" class="org.acegisecurity.securechannel.ChannelProcessingFilter">
      <property name="channelDecisionManager" ref="channelDecisionManager" />
      <property name="filterInvocationDefinitionSource">
        <value>
          CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON 
          PATTERN_TYPE_APACHE_ANT 
          /css/**=REQUIRES_SECURE_CHANNEL
          /script/**=REQUIRES_SECURE_CHANNEL
          /images/**=REQUIRES_SECURE_CHANNEL
          /login*=REQUIRES_SECURE_CHANNEL
          /j_security_check*=REQUIRES_SECURE_CHANNEL
          /admin/**=REQUIRES_SECURE_CHANNEL
          /**=REQUIRES_INSECURE_CHANNEL
        </value>
      </property>
    </bean>
    Thanks

    Cedric

  • #2
    As far as I know this is an Internet Explorer annoyance. I haven't come across another browser which gives this message. I don't see any way round it on the server side. You might be able to google for some way of switching the feature off in IE.

    • #3
      Firefox also displays this page with a warning "connection partially secured" and the lock icon at the bottom right has a slash on it...

      • #4
        I guess it's important that the user is informed if there is mixed content, as it should really be avoided, but I find the popup every time you load a page very annoying.

        I'm not quite sure why the css etc isn't loaded using HTTPS. If the user is redirected to an HTTPS URL I would expect the css files to be requested relative to the same base URL. Or are you using absolute URLs in the login page?

        • #5
          I am having the same problem, but it's not css or an image but a request, which is part of the header in my app. So this request is common to both https and http requests.
          Any suggestion on how to enable/disable https for a request which is used in both http and https?

          • #6
            There's probably no need to say things like css or js require a secure channel (or that they require an insecure channel). That way they can both be accessed via relative links and thus be unaffected by https and http.

            If you secure the CSS pages then what you're saying is EVEN if you access a page over HTTP, access the CSS pages as HTTPS. Which isn't what you want. By not saying anything about the CSS pages you're saying to the browser (in theory) get the CSS pages the same way you got the page request.

            • #7
              Originally posted by Luke
              I guess it's important that the user is informed if there is mixed content, as it should really be avoided, but I find the popup every time you load a page very annoying.

              I'm not quite sure why the css etc isn't loaded using HTTPS. If the user is redirected to an HTTPS URL I would expect the css files to be requested relative to the same base URL. Or are you using absolute URLs in the login page?
              I'm having a similar problem to the one described. Here's what I've got:

              Code:
                  <property name="filterInvocationDefinitionSource">
                    <value>
                      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                      \A/login.html.*\Z=REQUIRES_SECURE_CHANNEL
                      \A/j_acegi_security_check.*\Z=REQUIRES_SECURE_CHANNEL
                      \A/purchase/.*\Z=REQUIRES_SECURE_CHANNEL
                      \A/register/.*\Z=REQUIRES_SECURE_CHANNEL
                      \A.*\Z=REQUIRES_INSECURE_CHANNEL
                    </value>
                  </property>
              The problem is that the resources are accessed by the browser using HTTPS, but when the Acegi filter catches these it sees that these fall under the last rule, saying they "require" an insecure channel so the filter tells the browser to redirect to an insecure channel, which it does and successfully accesses the images. But in Firefox, this causes the lock icon to have a red slash through it because the "Connection is partially encrypted." So what we need is a way to tell the Acegi filter to allow access to the resources regardless of what channel is being used. Is there a way to do that?

              Thanks,
              Rich

              • #8
                I too have been running into this exact same issue; however, I've also noticed the following in Internet Explorer:

                When a secure page loads, the lock icon appears for a split second, and then disappears.

                Here is my config:

                Code:
                <property name="filterInvocationDefinitionSource">
                  <value>
                    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                    \A/j_acegi_security_check.*\Z=REQUIRES_SECURE_CHANNEL
                    \A/secure/.*\Z=REQUIRES_SECURE_CHANNEL
                    \A.*\Z=REQUIRES_INSECURE_CHANNEL
                  </value>
                </property>

                Has anyone else run into this mysterious issue?

                Thanks,

                Matt

                • #9
                  Alright, I figured it out. From the docs it seems like the catch all

                  Code:
                  \A.*\Z=REQUIRES_INSECURE_CHANNEL
                  is required. Apparently it's not. If you remove the line then all the resources are just loaded with whatever channel is requested.

                  • #10
                    So if you remove \A.*\Z=REQUIRES_INSECURE_CHANNEL, does this mean your site is stuck in SSL mode, unless the user physically changes the url from https to http? I suspect that since the directive is removed, Acegi will never know when to switch back to http when accessing non-secure pages...

                    • #11
                      From what I understand that is true. In my situation it's not imperative that the user be switched back so it works for me. If you require certain pages to be accessed only using http then you can specify those pages as being INSECURE_CHANNEL. So maybe just do something that includes any jsps in the root webapp directory and additional rules for each directory and leave out the images and css directories/files. That's about the only way I can see to do everything you might want.

                      • #12
                        Hi All:

                        I ran into the same issue. Here is how I dealt with it:

                        1. Map application servlets to a sub path, like /app/. These will be available at www.domain.com/context/app/handlerMapping
                        2. Place all static assets above WEB-INF in folders like "images", "css". These will now be available at www.domain.com/context/images, etc.
                        3. Map secure pages to a "sub, sub" domain, like /app/secure. These pages will be at www.domain.com/context/app/secure/handlerMapping.

                        The Acegi setup is then:

                        Code:
                        \A/app/secure/.*\Z=REQUIRES_SECURE_CHANNEL
                        \A/app/loginPage.*\Z=REQUIRES_SECURE_CHANNEL
                        \A/app/j_security_check.*\Z=REQUIRES_SECURE_CHANNEL
                        \A/app/.*\Z=REQUIRES_INSECURE_CHANNEL
                        \A/app\Z=REQUIRES_INSECURE_CHANNEL

                        This will leave static assets alone in regards to transport, while forcing non-secure pages to go over a non-ssl connection. Also, be careful where you redirect if you are forcing a secure connection on login. The login appears to fail if done over a secure connection that then redirects to a page forced to INSECURE_CHANNEL.

                        In the problem described in this thread, I believe the issue is the redirects that Acegi makes based on the INSECURE_CHANNEL. If you look at the debug output, each static asset within the page has a redirect issued, which I believe confuses the browser.

                        HTH,

                        Dave
                        Last edited by dreed; Sep 25th, 2006, 08:51 PM.
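As an added illustration (not code from the thread or from Acegi itself), here is a small Python model of the ChannelProcessingFilter's first-match decision, run over the rule sets posted in #7 and #12. It assumes rules are evaluated top to bottom and matched against the request path only (the real filter also appends the query string); it shows why the catch-all INSECURE rule bounces every static asset on an HTTPS page back to HTTP, producing the "partially secured" warning, while scoping the rules to /app/ leaves assets on the page's own channel.

```python
import re

# Channel attributes used by Acegi's ChannelProcessingFilter, as in the thread.
SECURE, INSECURE = "REQUIRES_SECURE_CHANNEL", "REQUIRES_INSECURE_CHANNEL"

# Post #7's rules (catch-all INSECURE) and post #12's (scoped to /app/).
CATCH_ALL_RULES = r"""
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
\A/login.html.*\Z=REQUIRES_SECURE_CHANNEL
\A/j_acegi_security_check.*\Z=REQUIRES_SECURE_CHANNEL
\A/purchase/.*\Z=REQUIRES_SECURE_CHANNEL
\A/register/.*\Z=REQUIRES_SECURE_CHANNEL
\A.*\Z=REQUIRES_INSECURE_CHANNEL
"""
SCOPED_RULES = r"""
\A/app/secure/.*\Z=REQUIRES_SECURE_CHANNEL
\A/app/loginPage.*\Z=REQUIRES_SECURE_CHANNEL
\A/app/j_security_check.*\Z=REQUIRES_SECURE_CHANNEL
\A/app/.*\Z=REQUIRES_INSECURE_CHANNEL
\A/app\Z=REQUIRES_INSECURE_CHANNEL
"""

def parse_rules(definition):
    """Parse a <value> block into (lowercase_flag, [(regex, attribute), ...])."""
    lowercase = "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON" in definition
    rules = [line.strip().rsplit("=", 1) for line in definition.splitlines() if "=" in line]
    return lowercase, [(re.compile(pattern), attr) for pattern, attr in rules]

def decide(definition, scheme, path):
    """First matching rule wins (so the catch-all goes last). Returns 'pass' when
    no rule matches or the channel already satisfies it, else the redirect target.
    Assumption: match on the path only (Acegi also appends the query string)."""
    lowercase, rules = parse_rules(definition)
    candidate = path.lower() if lowercase else path
    for regex, attribute in rules:
        if regex.search(candidate):
            if attribute == SECURE and scheme != "https":
                return "redirect:https"
            if attribute == INSECURE and scheme != "http":
                return "redirect:http"
            return "pass"
    return "pass"  # no rule: asset is fetched over whatever channel the page used

def mixed_content_assets(definition, page_scheme, asset_paths):
    """Sub-resources bounced onto the other scheme: the 'partially secured' items."""
    other = "http" if page_scheme == "https" else "https"
    return [p for p in asset_paths
            if decide(definition, page_scheme, p) == "redirect:" + other]
```

Running mixed_content_assets over an HTTPS login page with CATCH_ALL_RULES lists every image and stylesheet as bounced to HTTP; with SCOPED_RULES the list is empty, which is the behaviour #9 and #12 describe.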
