jsf - How to force only one page to open with SSL? -
in project, using ssl works pages.i want use login page, after page should revert http protocol. how can that? found way below, not work.
<security-constraint> <web-resource-collection> <web-resource-name>notify page, accessed internally application</web-resource-name> <url-pattern>/login.xhtml</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>confidential</transport-guarantee> </user-data-constraint> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>entire site</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>none</transport-guarantee> </user-data-constraint> </security-constraint>
my project jsf 2.0 project, using eclipse helios , tomcat 7.0.
thanks.
that's not possible. when session created https request, not available http requests. best bet create non-secure cookie during login , maintain login instead.
map<string, object> properties = new hashmap<string, object>(); properties.put("secure", false); externalcontext.addresponsecookie(name, value, properties);
but think once again this, what's point of https login then? if go http after https , want keep user logged-in, you're required set session cookie unsecure. way hackers still able sniff session id in cookie session fixation hack. login on https prevent hackers learn actual username/password, has no point anymore once hacker figures session id in cookie.
i'd say, forget switch , stick https time after login.
Comments
Post a Comment