Losing SecureContext When Switching https to http
  • Losing SecureContext When Switching https to http

    This post is a continuation of the following posting that contains log files and the original post:

    http://forum.springframework.org/showthread.php?t=16601

    After extensively looking into the problem, I've narrowed it down to the fact that I am losing my SecureContext when logging in with https and then switching to an http page. I'm still not sure how to solve this problem. Any suggestions and/or references to a logon screen using https examples and an .xml file and code would be great!

    Thanks,
    Scott
    Last edited by robyn; May 14th, 2006, 10:46 AM.

  • #2
    Ok. It would have been helpful if you had mentioned this to start with (or indeed given any other configuration info - container, version etc.).

    The likelihood is that your container (apparently Tomcat) isn't preserving session state across a transition from HTTPS to HTTP and therefore when you try to access a protected resource it is forcing you to reauthenticate. That has certainly been the case in past versions - there may be some way of overriding it now. I believe this is a deliberate design decision as once the session info has been transmitted in the clear, it can be hijacked by an attacker and the benefit of logging in over HTTPS is lost. This is seen as being too big a security hole to risk. You may argue that the functionality of your app isn't as important as the risk of eavesdropping the user's credentials, but I would still guess that's what's causing your problem. In fact your debug log points to the actual session being lost at one point which would back this up.



    • #3
      Here's a further post I found on the subject:

      http://www.mail-archive.com/tomcat-u...msg151756.html



      • #4
        Luke, thank you very much for your post, as I found an easy workaround for Tomcat's security issue. Basically, what I did was default the site to http://.../index.html and performed a redirect to the login.htm page like so:

        web.xml:
        Code:
          <welcome-file-list>
            <welcome-file>index.html</welcome-file>
          </welcome-file-list>
        index.html
        Code:
        <html>
          <head>
            <script>
              function redirect() {
                window.location="logon.htm";
              }
            </script>
          </head>
          <body onload="redirect()">
          </body>
        </html>
        In making this configuration, I am able to start the session in http thereby allowing me to keep my session context.

        Also, sorry I didn't get you all the information initially. Please understand sometimes it's not evident as to what's relevant. I'll try to be more thorough in the future, however, as I do appreciate your support and want to make posting as easy as possible to evaluate.

        Thanks again!



        • #5
          alternative solution

          An alternative is to change the RetryWithHttpEntryPoint used by the InsecureChannelProcessor to add "jsessionid=" to the end of all redirections from HTTPS to HTTP.

          Code:
          import java.io.IOException;

          import javax.servlet.ServletException;
          import javax.servlet.ServletRequest;
          import javax.servlet.ServletResponse;
          import javax.servlet.http.HttpServletRequest;
          import javax.servlet.http.HttpServletResponse;

          import org.apache.commons.logging.Log;
          import org.apache.commons.logging.LogFactory;

          // Package names as in Acegi Security 1.0 (assumed); adjust for the version in use.
          import org.acegisecurity.securechannel.RetryWithHttpEntryPoint;
          import org.acegisecurity.util.PortMapper;
          import org.acegisecurity.util.PortMapperImpl;
          import org.acegisecurity.util.PortResolver;
          import org.acegisecurity.util.PortResolverImpl;

          /**
           * Overrides implementation to handle HTTPS to HTTP issue with tomcat. Tomcat will not pass secured cookie
           * to unsecured channel so session is lost when transitioning from HTTPS to HTTP.
           * @author Craig Baker
           * @version $Id$
           */
          public class TomcatRetryWithHttpEntryPoint extends RetryWithHttpEntryPoint
          {
              private static final Log logger = LogFactory.getLog(TomcatRetryWithHttpEntryPoint.class);

              private PortMapper portMapper = new PortMapperImpl();
              private PortResolver portResolver = new PortResolverImpl();

              public void commence(ServletRequest request, ServletResponse response)
                      throws IOException, ServletException
              {
                  HttpServletRequest req = (HttpServletRequest) request;

                  // Rebuild the requested path (servlet path + path info + query string)
                  String pathInfo = req.getPathInfo();
                  String queryString = req.getQueryString();
                  String contextPath = req.getContextPath();
                  String destination = req.getServletPath()
                          + ((pathInfo == null) ? "" : pathInfo)
                          + ((queryString == null) ? "" : ("?" + queryString));

                  String redirectUrl = contextPath;

                  // Map the HTTPS port the request arrived on to its configured HTTP port
                  Integer httpsPort = new Integer(portResolver.getServerPort(req));
                  Integer httpPort = portMapper.lookupHttpPort(httpsPort);

                  if (httpPort != null)
                  {
                      boolean includePort = true;

                      if (httpPort.intValue() == 80)
                      {
                          includePort = false;
                      }

                      redirectUrl = "http://" + req.getServerName()
                              + ((includePort) ? (":" + httpPort) : "") + contextPath
                              + destination;

                      // Add jsession id to end of redirection URL so the HTTP request can
                      // continue the session Tomcat's secure cookie would otherwise not reach
                      if (req.getSession(false) != null)
                      {
                          redirectUrl = redirectUrl + ";jsessionid=" + req.getSession(false).getId();
                      }
                  }

                  if (logger.isDebugEnabled())
                  {
                      logger.debug("Redirecting to: " + redirectUrl);
                  }

                  ((HttpServletResponse) response)
                          .sendRedirect(((HttpServletResponse) response)
                                  .encodeRedirectURL(redirectUrl));
              }
          }

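As an added example (not code from this thread or from Acegi), the following Python model replays the behaviour discussed in posts #2, #4 and #5: a session created over HTTPS is tracked with a Secure cookie that the browser withholds from http:// requests, so the session appears lost; starting the session over HTTP (post #4) or carrying the id as ;jsessionid= in the redirect URL (post #5) keeps it, at the price that the authenticated session id then travels in the clear, which is the exposure post #2 describes. The container is a Tomcat-like stand-in and the session ids are constructed.

```python
# Added example (not code from the thread): a model of the browser rule the thread
# hinges on (a Secure cookie is never sent on http:// requests) and of the two
# workarounds posted above. Session ids are constructed; the container is a stand-in.
import secrets
from dataclasses import dataclass, field

@dataclass
class Cookie:
    name: str
    value: str
    secure: bool

@dataclass
class Browser:
    jar: list = field(default_factory=list)

    def cookies_for(self, scheme):
        # RFC 6265: cookies flagged Secure are withheld from plaintext http:// requests.
        return {c.name: c.value for c in self.jar if scheme == "https" or not c.secure}

class Container:
    """Tomcat-like: a session created on an HTTPS request gets a Secure JSESSIONID
    cookie, so a later HTTP request cannot present it and gets a fresh session."""
    def __init__(self):
        self.sessions = set()

    def request(self, browser, scheme, url_sid=None):
        """Return (session_id, created); url_sid models ';jsessionid=' in the URL."""
        sid = browser.cookies_for(scheme).get("JSESSIONID") or url_sid
        if sid in self.sessions:
            return sid, False
        sid = secrets.token_hex(8)  # constructed session id
        self.sessions.add(sid)
        browser.jar.append(Cookie("JSESSIONID", sid, secure=(scheme == "https")))
        return sid, True

def login_then_switch(workaround=None):
    """Log in over HTTPS, then fetch an HTTP page. workaround is None,
    "start-over-http" (post #4) or "jsessionid-in-url" (post #5). Reports whether
    the login session survived and whether its id crossed the wire in the clear
    (the hijack exposure post #2 describes)."""
    browser, tomcat = Browser(), Container()
    if workaround == "start-over-http":      # index.html over http creates the session
        tomcat.request(browser, "http")
    login_sid, _ = tomcat.request(browser, "https")  # logon.htm over https
    url_sid = login_sid if workaround == "jsessionid-in-url" else None
    http_sid, _ = tomcat.request(browser, "http", url_sid)
    exposed = (browser.cookies_for("http").get("JSESSIONID") == login_sid
               or url_sid is not None)
    return {"survived": http_sid == login_sid, "id_sent_over_http": exposed}
```

Both workarounds report the same trade-off: the session survives the scheme switch only because its id is now sent over plaintext HTTP, so the protected resources reached over HTTP are exactly as exposed as if the login had happened over HTTP.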
