Page 1 of 2, results 1 to 10 of 13

Thread: Only j_spring_security_check in https

  1. #1
    Join Date: Jun 2005 | Location: Milan | Posts: 32

    Only j_spring_security_check in https

    Hi, I would like to show the login page in http and then post the j_password and j_username fields in https to the j_spring_security_check action.
    I would like this scenario just to avoid the j_password field travelling "in clear" in an http post, but I don't want to have the login page in https as well, because I have a login form always present in the header of the web site, and I don't want to have all my web site in https.
    Any suggestion?

    Thanx

    Max

  2. #2
    Join Date: Aug 2011 | Location: Manchester, UK | Posts: 53

    You can set different channels depending on the URL; see part of my "applicationContext-security.xml" config:

    Code:
      <http auto-config='true'>
        <port-mappings><port-mapping http="8080" https="8443"/></port-mappings>
        <intercept-url pattern="/index.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <intercept-url pattern="/simpleform.htm*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <intercept-url pattern="/loginform.htm*" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="http"/>
        <intercept-url pattern="/j_spring_security_check" requires-channel="https"/>
        <intercept-url pattern="/**" access="ROLE_USER" />
        <form-login login-page='/loginform.htm'
                    authentication-failure-url="/loginForm.jsp?login_error=1"
                    default-target-url="/index.jsp" always-use-default-target="true"/>
        <logout logout-url="/j_spring_security_logout" logout-success-url="/index.jsp"/>
      </http>
    See how, above, my login page requires channel "HTTP" and my check action requires channel "HTTPS".

    Also, I tried this and it should work, but because I do not have an SSL license it won't work (as far as I know). So make sure you have an SSL license to make sure it will work.
    Last edited by markabrucey; Aug 30th, 2011 at 03:13 AM.

  3. #3
    Join Date: Jun 2005 | Location: Milan | Posts: 32

    Hi Mark, I've tried your suggestion, but if you inspect (with the HttpFox Firefox plugin, for example) the http call from the login page, you'll see that Spring Security makes a 302 redirect from http (login page) to https (j_spring_security_check), and you can see the submitted password in clear in the Firefox plugin.
    I would like to avoid this issue.

    Max

  4. #4
    Join Date: Aug 2011 | Location: Manchester, UK | Posts: 53

    I see. It seems odd, because logic to me would suggest that it would have the login page as HTTP and then post the information over HTTPS =/

    What about trying this script within your login page JSP:
    Code:
    <script type="text/javascript" language="javascript">
        function forceHttpsOnSubmit(objForm) {
            // objForm.action is the resolved absolute URL, so the scheme and port can be rewritten
            objForm.action = objForm.action.replace("http:", "https:").replace("localhost:8080", "localhost:8443");
        }
    </script>
    then adding it to onSubmit of your login form:
    Code:
    <form action="/j_spring_security_check" method="POST" onsubmit="forceHttpsOnSubmit(this)">
    The only problem with this method is that it won't work if the user has JavaScript disabled.
    Last edited by markabrucey; Aug 30th, 2011 at 04:16 AM.

  5. #5
    Join Date: Jun 2005 | Location: Milan | Posts: 32

    Tried your suggestion, but I still see my password in HttpFox.
    IMHO this happens because the start protocol is http.
    I hope to be mistaken, but I'm afraid that the only solution is to expose the login form in https as well.
    Any other idea?
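    The two observations above (reply #3's 302 from http to https, and reply #5's password still showing in HttpFox) have a simple explanation that the config in reply #2 makes testable. The following is an added example, not code from the thread or from Spring Security: a small Python model of the channel decision the ChannelProcessingFilter makes for those intercept-url rules, and of what an on-path network observer sees at each hop versus what an in-browser tool sees. When the form posts to the http URL, the credentials leave the browser in clear on the first hop and only then does the server answer 302; the browser follows a 302 as a GET without the body, so redirect-to-https can never protect a POST. An in-browser plugin such as HttpFox captures request bodies before TLS encrypts them, so it shows the password even on a properly protected https POST and cannot tell you whether the wire was safe. The host names, ports, the simplified Ant-pattern matcher and the hop model are assumptions of this example; the 80/443 and 8080/8443 port pairs are the defaults Spring Security's PortMapperImpl registers.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Port mappings: the thread's <port-mapping http="8080" https="8443"/> plus the
# 80<->443 pair that Spring Security's PortMapperImpl registers by default.
PORT_MAPPINGS = {
    "http": {80: 443, 8080: 8443},
    "https": {443: 80, 8443: 8080},
}

# intercept-url rules from reply #2, in declaration order: (Ant pattern, requires-channel).
# Rules without a requires-channel attribute impose no constraint ("any").
RULES = [
    ("/index.jsp*", "any"),
    ("/simpleform.htm*", "any"),
    ("/loginform.htm*", "http"),
    ("/j_spring_security_check", "https"),
    ("/**", "any"),
]


def ant_to_regex(pattern: str) -> re.Pattern:
    """Simplified Ant-style matcher (assumption): '**' spans segments, '*' stays in one."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def required_channel(path: str, rules=RULES) -> str:
    """First matching intercept-url wins, as in Spring Security's ordered rule list."""
    for pattern, channel in rules:
        if ant_to_regex(pattern).match(path):
            return channel
    return "any"


def channel_redirect(url: str, rules=RULES, port_mappings=PORT_MAPPINGS):
    """Redirect target the ChannelProcessingFilter would answer with, or None if the
    request already arrived on the required channel."""
    parts = urlsplit(url)
    want = required_channel(parts.path, rules)
    if want in ("any", parts.scheme):
        return None
    port = parts.port or (80 if parts.scheme == "http" else 443)
    mapped = port_mappings[parts.scheme].get(port)
    if mapped is None:
        raise ValueError(f"no port mapping for {parts.scheme} port {port}")
    default = 443 if want == "https" else 80
    netloc = parts.hostname if mapped == default else f"{parts.hostname}:{mapped}"
    return urlunsplit((want, netloc, parts.path, parts.query, ""))


@dataclass
class Hop:
    method: str
    url: str
    carries_password: bool


def simulate_login_post(form_action: str, rules=RULES, port_mappings=PORT_MAPPINGS):
    """Submit the login form to form_action and follow one channel redirect the way a
    browser does. Returns the hops the request takes."""
    hops = [Hop("POST", form_action, True)]
    target = channel_redirect(form_action, rules, port_mappings)
    if target is not None:
        # A 302 is re-issued by the browser as GET without the body: the credentials are
        # not resent to the HTTPS URL, they already left on the plaintext hop above.
        hops.append(Hop("GET", target, False))
    return hops


def password_seen_on_network(hops) -> bool:
    """An on-path observer reads request bodies only on plaintext (http) hops."""
    return any(h.carries_password and urlsplit(h.url).scheme == "http" for h in hops)


def password_seen_in_browser(hops) -> bool:
    """An in-browser tool sees the body before TLS encryption, on every hop."""
    return any(h.carries_password for h in hops)


if __name__ == "__main__":
    for action in ("http://localhost:8080/j_spring_security_check",
                   "https://localhost:8443/j_spring_security_check"):
        hops = simulate_login_post(action)
        print(action)
        for h in hops:
            print(f"  {h.method} {h.url}  body={'password' if h.carries_password else 'none'}")
        print(f"  network observer sees password: {password_seen_on_network(hops)}")
        print(f"  browser plugin sees password:   {password_seen_in_browser(hops)}")
```

    Running it shows the http form action leaking on hop 1 and the https form action never exposing the body on the wire, while the in-browser view reports the password in both cases. The practical consequence for the thread's goal: the wire is only protected when the form action itself is an https URL, and the page that carries the form must itself come over https, otherwise anything served in clear (the form, the script that rewrites its action, or the iframe that embeds it) can be altered in transit before the user types anything.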

  6. #6
    Join Date: Aug 2011 | Location: Manchester, UK | Posts: 53

    I was thinking this also. I would have suggested making the login page conform to HTTPS, but unfortunately it is not what you're looking for. There must be a workaround, but since I am new to Spring Security and Spring in general, I cannot provide you with such a workaround; hopefully someone with more experience will reply soon.

    Sorry I cannot further assist you, but if I think of anything, I'll be sure to let you know!

    EDIT: One thing you could try is to set the requires-channel of the login page to:

    Code:
    requires-channel="any"
    I think from what I have read, "any" just uses the most appropriate protocol at the time. Although I believe it will likely make the login page HTTPS, which is not what you're after.
    Last edited by markabrucey; Aug 30th, 2011 at 04:58 AM.

  7. #7
    Join Date: Aug 2011 | Location: Manchester, UK | Posts: 53

    Is the DigestAuthenticationFilter useful to you?

    Digest Authentication attempts to solve many of the weaknesses of Basic authentication, specifically by ensuring credentials are never sent in clear text across the wire.
    Here is the link:

    http://static.springsource.org/sprin...nce/basic.html

  8. #8
    Join Date: Jun 2005 | Location: Milan | Posts: 32

    I'll dig into the documentation and for sure I'll give it a try!
    Anyway, I think that this filter will encrypt the password server side, but from the html page to the server the password will still travel in clear.
    Maybe this filter is an option to protect credentials across the wire if you don't want to use the https protocol.

    Many thanx for this advice... stay tuned for updates about this issue

    Max
    Last edited by MaxVanL00N; Aug 31st, 2011 at 02:04 AM.

  9. #9
    Join Date: Jun 2005 | Location: Milan | Posts: 32

    After a "long and painful illness" I decided to put the login box into an https iframe, so that all my web site will be in http except the login box in https. In such a scenario I hope that the posted password will not be visible.

  10. #10
    Join Date: Aug 2011 | Location: Manchester, UK | Posts: 53

    Oh, sounds promising!

    I hope it works as you need it to, good luck!
