Announcement Announcement Module
Collapse
No announcement yet.
https to http in spring security Page Title Module
Move Remove Collapse
This topic is closed
X
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • https to http in spring security

    hello, I would like someone to help to integrate a login page that have to be
    access by https and then switch to http to navigate through the application.

    If have configure my login page and the /j_spring_security_checkwith the requires-channel="https" option and it works fine because it controls that the access is made through https.

    But when the user is redirect to the default-target-url after log in, the application redirects me again to the login page.

    I have tried the faq advice about starting the connection in http but I use the id session through the url not by cookies. How can I get this thing work.

    So the real question is how to share security information between http and https in spring security

  • #2
    If you are losing the session, then it is a container issue, not a Spring Security one.

    Comment


    • #3
      sorry but I do not understand what you mean with container. My problem is that when the user leaves the https pages he is redirect to the login page like if he wants to access to a restricted page and he does not have the requiered credential.

      Another syntom is that when I just put the https to the login page spring security throws an exception indicating that a he was trying to authenticate a user but the username and password where empty.

      can anyone tell me something about this.

      Comment


      • #4
        "Container" as in "web container", i.e. Tomcat or some such.

        The symptoms you describe are the same as those in the FAQ - losing the session because of a switch from HTTPS to HTTP. You are best placed to debug how the session is maintained between your browser and the application. If you want someone to help you with technical details then you need to provide raw facts and evidence such as a step-by-step account of requests that are made, browser session data and corresponding Spring Security debug log output.

        If you say something like

        When I just put the https to the login page spring security throws an exception indicating that a he was trying to authenticate a user but the username and password where empty.
        I have no idea what you mean in this context. I don't even know off-hand of any place where Spring Security does anything like this. If you provide a stacktrace then it is immediately obvious whereabouts the exception occurred and what code called it. So always provide the log output with the stacktrace.

        Comment

        Working...
        X