tomcat webapp如何在没有spring安全性的情况下切换到https并返回http

Question

Using Tomcat 7.0.32, we have a login page, that by default, the user comes to through http. we immediately redirect the user to use https.
Goal : After user enters the credentials, we want to redirect the user to the Home page using http.

I understand the security risks -- man in the middle, session hijacking, etc.

I can't use spring security -- it's too late in the game -- release is coming shortly and https performance sucks.

Also, our app has a "change password" usecase -- the user accesses "changepassword.jsp" from a menu in the home page, I guess I should redirect the user to "changepassword.jsp" using https. After password change is confirmed, then redirect user back again to homepage using http. Thoughts ?

How to go about doing it -- is there any sample code available ?

UPDATE 1 : I've read about the issue from
1) http://tomcat.10.n6.nabble.com/Session-lost-when-switching-from-https-to-http-after-upgrade-to-Tomcat-6-td2105781.html
2) http://tomcat.10.n6.nabble.com/how-to-auto-redirect-to-https-from-http-td2087325.html

Code from https://forums.oracle.com/forums/thread.jspa?threadID=1394970 (Cabir)

What gotchas should I expect ?

Answer 1

You say "I know Spring Security can do it", but in fact Spring Security doesn't do anything special. It just performs a redirect to HTTPS, which you are doing yourself. If you create a session with a secure cookie, and then switch back to HTTP, you will lose the session. This is explained in the Spring Security FAQ . As it explains, if you create a session before you redirect to HTTPS, then the session cookie will not be flagged as secure and will be passed over both HTTP and HTTPS, maintaining the session throughout.

The only other option that I can think of would be using mod_headers or its equivalent to modify the Set-Cookie header and remove the Secure flag if it is present. here's an example which does the opposite , adding the flag to all cookies.

As an aside, have you tried performance tuning your site with HTTPS ? You should really be using it throughout your app if there is any real value in your content and user accounts.

Answer 2

"Session hijacking" means different things in different contexts. You are considering a system where I can hijack a session in ten minutes with WireShark and no previous experience. I just need to get the cookie that is flying unencrypted and copy it inside Chrome. That seems like a too low barrier of entry.

You should reconsider the performance hit of https, which will probably be a required part of http 2.0 (sorry, PDF). From the document (pages 32-33):

On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead - Adam Langley (Google)

I would spend ten minutes configuring SPDY in my server instead of avoiding https, if performance is the problem.

Answer 3

Is it possible to place an Apache HTTP Server in front of Tomcat?

If you configure a Reverse Proxy , you can let Apache handle the SSL traffic.

In this way, you can redirect requests for logon and change password pages to HTTPS.

Answer 4

Why dont You use Java Authentication and Authorization Service JAAS Using user credentials you can make LoginContext

LoginContext will login into server container and after that login you can easily get user session from HTTP request object. This way you can get user session whether its HTTP or HTTPS. On clicking changepassword link user should be directed to a secure URL and request object will give required information.

You can enable cookies in JAVA API

CookieHandler.setDefault(new CookieManager());

or Cookie policy on it to accept all cookies.

CookieManager customCookieManager = new CookieManager(); customCookieManager.setCookiePolicy(CookiePolicy.ACCEPT_ALL); CookieHandler.setDefault(customCookieManager);