
How to implement an HTTPS login page in a web application?

I want to create a secure login/logout mechanism. I started reading the following articles to get an idea of things to take into account:

These articles make some good points, but I was thinking of using HTTPS in a similar way to the Yahoo mail login page. You know... you type http://mail.yahoo.com and you are redirected to an HTTPS page like https://login.yahoo.com/config/login where you enter your username and password, and after your credentials are verified you are redirected back to an HTTP page with a generated session_id cookie, and all communication from there on is over HTTP using the cookie.

What do I need to implement this behavior?

I want to do this for two Java web apps (one with Spring framework and one with Struts 1) but don't know exactly how to integrate that HTTPS part into the application (I have never worked with HTTPS before).

First of all you need to enable SSL for your server. For Tomcat you need to generate an openSSL keystore and add the following connector to server.xml:

<Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
   keystoreFile="mykeystore" sslProtocol="TLS"
   keystorePass="keystore password" />

To integrate SSL into your application I recommend Spring Security. It offers exactly what you want (login over HTTPS, then redirect to HTTP). All you have to do to implement it is set forceHttps to true:

<bean id="authenticationProcessingFilterEntryPoint"
      class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
  <property name="loginFormUrl" value="/pages/login.jsp" />
  <property name="forceHttps" value="true"/>
</bean>

Of course Spring and Spring security do have a rather steep learning curve, but it is totally worth it. Do it once and then you can apply it to new apps in less than an hour. You can use Spring Security in both the Spring and Struts application.

Spring security used to be Acegi security. This is an article that will get you started.

Not sure about any Java or spring specifics, but in general:

1) Set up an SSL cert on your server.

2) Forward or link to an absolute URL (with https:// at the beginning) when going to the login page.

3) Forward to an absolute URL (with http://) after successful authentication.

4) Include a check in the login page code to only accept https connections.

Of course there may be framework specific ways of doing the http/https redirect without resorting to explicitly specifying the full URL.

@see Acegi (spring security)

I think it provides all required components. For example, it supports login via HTTPS. There is a good reference. You can read here how to get HTTPS login. I think you should read all of it.

I'd recommend investigating a single sign-on solution of some sort. A quick search in Google yields JOSSO, Open SSO, and CAS, among others. I've worked a little bit with CAS before and had some positive experiences with it. Spring Security also has support built in to work with CAS.

For secure pages, load a script that checks the token.

At the top of your script:

 token = getSecurityToken()
 if(!token)            // 1: no token was sent with the request
   redirect(login_page)

 if(!checkToken(token)) // 2: token is no longer mapped to a live session
   redirect(login_page)

The login page should set the secure token and create a session, which would then be passed in the request. The server keeps track of which session owns which token. For implementing the server you must implement the checkToken method for your scripts. The token should be saved in cookies or else in some way saved in the page (for subsequent requests).

When a request is made to the server it must contain the token, or else it will fail with redirect (1).

When the user's session expires (by logout or timeout) the mapping in the server will no longer exist (session id to token id), and thus any new requests with the token will be invalid and cause redirect (2).
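A servlet filter that ties the two answers above together (the HTTPS-only login page from the numbered list, and the token check with redirects (1) and (2) from the pseudocode). This is an added example, not code from the question or any answer; the login path is the one used in the Spring bean, while the cookie name AUTH_TOKEN, the class name and the assumption that HTTPS runs on the default port 443 are my own.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;
// Hypothetical filter, added as an example (not from the question or any answer above):
// the login page is only served over HTTPS; every other page needs a token that the
// server still maps to the caller's session, otherwise the user is sent back to login.
public class LoginTokenFilter implements Filter {
    static final String LOGIN_PATH = "/pages/login.jsp"; // path used by the Spring bean above
    static final String TOKEN_COOKIE = "AUTH_TOKEN";      // assumed cookie name
    // token -> session id; the login page puts entries here, logout/timeout removes them
    static final ConcurrentHashMap<String, String> TOKENS = new ConcurrentHashMap<>();
    public void init(FilterConfig cfg) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getRequestURI();

        if (path.endsWith(LOGIN_PATH)) {
            // step 4 of the list above: accept the login page over HTTPS only
            // (assumes HTTPS on the default port 443, so no port is added to the URL)
            if (!request.isSecure()) {
                response.sendRedirect("https://" + request.getServerName() + path);
                return;
            }
        } else {
            String token = findToken(request.getCookies());
            // redirect (1): no token at all; redirect (2): token no longer mapped to this session
            if (token == null || !checkToken(token, request.getSession(false))) {
                response.sendRedirect(LOGIN_PATH);
                return;
            }
        }
        chain.doFilter(req, res);
    }
    static String findToken(Cookie[] cookies) {
        if (cookies == null) return null;
        for (Cookie c : cookies) if (TOKEN_COOKIE.equals(c.getName())) return c.getValue();
        return null;
    }
    // the checkToken from the pseudocode: valid only while the server maps it to this session
    static boolean checkToken(String token, HttpSession session) {
        return session != null && session.getId().equals(TOKENS.get(token));
    }
}
```

Map the filter to /* in web.xml; the login page itself must add the new token to TOKENS and set the cookie after it has verified the credentials, and the logout handler removes the entry.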

This post has an interesting solution:

http://forum.springsource.org/archive/index.php/t-65651.html

The guy used a filter to keep the session active during the switch (HTTPS to HTTP).

It worked for me!
