How do I do login & transactions in https?

Printable View

Sep 2nd, 2012, 04:55 AM
lilolme

How do I do login & transactions in https?

Hey security experts,

I haven't configured SSL in a spring application and was wondering how I would secure particular url
or flows.

I am using tomcat 7, Spring (framework & security) 3.1.0.RELEASE, Spring Web flow 2.3.0.RELEASE

I read the following (Section 2.3)
http://static.springsource.org/sprin...-https-session

Now I have several questions

1. How do I secure login to use https and return to http? (Please note I am using @Secured so login interception throughout the app must do this)

2. Similarly how do I secure a web flow to use https?

3. Is it really a bad idea to just use SSL for login & some flows? I am not building a banking application. Most commercial websites I see are not using SSL all the time.

4. Do I really need to disable Session Fixation as metioned in the webpage above? Sounds like a bad idea.

Thanks
Sep 2nd, 2012, 09:48 AM
nvrs

This is a bad idea in general, not using SSL for your whole site makes you vunerable to various attacks (session hijack for starters) and also creates problems since a session marked as secure cannot be used without HTTPS.

http://static.springsource.org/sprin...-https-session
Sep 2nd, 2012, 08:26 PM
lilolme

I am doing the following in security.xml

<port-mappings>
<port-mapping http="80" https="443" />
<port-mapping http="8080" https="8443" />
</port-mappings>

<intercept-url pattern="/signin/**" access="permitAll" requires-channel="https" />
<intercept-url pattern="/signout/**" access="permitAll" requires-channel="http" />

This works in the simple case where user clicks on login (redirects to https) and stays in https until user logs out

However if a url is intercepted (because it is annotated as @Secured) the browser goes to login page but it fails when login form is submited. The browser remains on login page and keeps creating a new session (new jsessionid in url).
Sep 5th, 2012, 06:48 PM
lilolme

This should be a general problem. I would really like to know how others are handling it. If the problem is not
clear please let me know. In short using spring, when using https, intercepts to authenticate the user is failing.
Looks like its creating a new session each time.
Sep 11th, 2012, 02:34 AM
lilolme

I revisited this today and discovered something

The problem - authentication over SSL works using signin url but fails when used for an @Secured interception. It all works fine if its using http. So if I click on a link to page that requires auth it redirects to signin page in https but when signing in it fails and stays on same page but with new session id in the url each time.

Seems like session migration is the culprit

<session-management session-fixation-protection="migrateSession"/>


When I sent the session-fixation-protection to none. It works. Now the original session is used but I guesss my site will be vulnerable to session fixation attacks. It shouldnt be a problem in the short run but it would be good to address it.

So the question is why is @Secured failing over SSL with session-fixation-protection="migrateSession"? Any thoughts? Do I need to configure something to get session migration working?