
Thread: Losing SecureContext When Switching https to http

  1. #1
    Join Date
    Apr 2005
    Posts
    29

    Losing SecureContext When Switching https to http

    This post is a continuation of the following posting that contains log files and the original post:

    http://forum.springframework.org/showthread.php?t=16601

    After extensively looking into the problem, I've narrowed it down to the fact that I am losing my SecureContext when logging in with https and then switching to an http page. I'm still not sure how to solve this problem. Any suggestions and/or references to a logon screen using https examples and an .xml file and code would be great!

    Thanks,
    Scott
    Last edited by robyn; May 14th, 2006 at 10:46 AM.

  2. #2
    Luke Taylor (Senior Member, Acegi Security System Team, Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449


    Ok. It would have been helpful if you had mentioned this to start with (or indeed given any other configuration info - container, version etc.).

    The likelihood is that your container (apparently Tomcat) isn't preserving session state across a transition from HTTPS to HTTP and therefore when you try to access a protected resource it is forcing you to reauthenticate. That has certainly been the case in past versions - there may be some way of overriding it now. I believe this is a deliberate design decision as once the session info has been transmitted in the clear, it can be hijacked by an attacker and the benefit of logging in over HTTPS is lost. This is seen as being too big a security hole to risk. You may argue that the functionality of your app isn't as important as the risk of eavesdropping the user's credentials, but I would still guess that's what's causing your problem. In fact your debug log points to the actual session being lost at one point which would back this up.

  3. #3
    Luke Taylor (Senior Member, Acegi Security System Team, Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449


    Here's a further post I found on the subject:

    http://www.mail-archive.com/tomcat-u...msg151756.html

  4. #4
    Join Date
    Apr 2005
    Posts
    29


    Luke, thank you very much for your post, as I found an easy workaround for Tomcat's security issue. Basically, what I did was default the site to http://.../index.html and performed a redirect to the login.htm page like so:

    web.xml:
    Code:
      <welcome-file-list>
        <welcome-file>index.html</welcome-file>
      </welcome-file-list>
    index.html:
    Code:
    <html>
      <head>
        <script>
          // Loaded over plain http, so the session is created before the logon page
          function redirect() {
            window.location = "logon.htm";
          }
        </script>
      </head>
      <body onload="redirect()">
      </body>
    </html>
    In making this configuration, I am able to start the session in http thereby allowing me to keep my session context.

    Also, sorry I didn't get you all the information initially. Please understand sometimes it's not evident as to what's relevant. I'll try to be more thorough in the future, however, as I do appreciate your support and want to make posting as easy as possible to evaluate.

    Thanks again!

  5. #5
    Join Date
    Jan 2006
    Location
    Sydney, Australia
    Posts
    14

    Alternative solution

    An alternative is to change the RetryWithHttpEntryPoint used by the InsecureChannelProcessor to add "jsessionid=" to the end of all redirections from HTTPS to HTTP.

    Code:
    // Imports assume the Acegi Security 1.0.x package layout (org.acegisecurity.*)
    // and commons-logging; the original post did not show them.
    import java.io.IOException;

    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.acegisecurity.securechannel.RetryWithHttpEntryPoint;
    import org.acegisecurity.util.PortMapper;
    import org.acegisecurity.util.PortMapperImpl;
    import org.acegisecurity.util.PortResolver;
    import org.acegisecurity.util.PortResolverImpl;
    import org.apache.commons.logging.Log;
    import org.apache.commons.logging.LogFactory;

    /**
     * Overrides implementation to handle HTTPS to HTTP issue with tomcat. Tomcat will not pass secured cookie
     * to unsecured channel so session is lost when transitioning from HTTPS to HTTP.
     * @author Craig Baker
     * @version $Id$
     */
    public class TomcatRetryWithHttpEntryPoint extends RetryWithHttpEntryPoint
    {
        private static final Log logger = LogFactory.getLog(TomcatRetryWithHttpEntryPoint.class);

        private PortMapper portMapper = new PortMapperImpl();
        private PortResolver portResolver = new PortResolverImpl();

        public void commence(ServletRequest request, ServletResponse response)
                throws IOException, ServletException
        {
            HttpServletRequest req = (HttpServletRequest) request;

            // Rebuild the requested path (servlet path + path info + query string)
            String pathInfo = req.getPathInfo();
            String queryString = req.getQueryString();
            String contextPath = req.getContextPath();
            String destination = req.getServletPath()
                    + ((pathInfo == null) ? "" : pathInfo)
                    + ((queryString == null) ? "" : ("?" + queryString));

            // Fallback when no HTTP port is mapped for the current HTTPS port
            String redirectUrl = contextPath;

            Integer httpsPort = new Integer(portResolver.getServerPort(req));
            Integer httpPort = portMapper.lookupHttpPort(httpsPort);

            if (httpPort != null)
            {
                // Omit the port only for the default HTTP port
                boolean includePort = true;

                if (httpPort.intValue() == 80)
                {
                    includePort = false;
                }

                redirectUrl = "http://" + req.getServerName()
                        + ((includePort) ? (":" + httpPort) : "") + contextPath
                        + destination;

                // Add jsession id to end of redirection URL so the container can find the
                // session without the Secure cookie. The id is now visible in the URL, and so
                // in browser history, proxy/server logs and Referer headers: this is exactly
                // the exposure the Secure cookie flag was preventing.
                if (req.getSession(false) != null)
                {
                    redirectUrl = redirectUrl + ";jsessionid=" + req.getSession(false).getId();
                }
            }

            if (logger.isDebugEnabled())
            {
                logger.debug("Redirecting to: " + redirectUrl);
            }

            ((HttpServletResponse) response)
                    .sendRedirect(((HttpServletResponse) response)
                            .encodeRedirectURL(redirectUrl));
        }
    }
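
Added example, not code from the thread or from Acegi: a small Python model of the cookie rule behind the explanation in post #2 (a cookie marked Secure is only sent on HTTPS requests, RFC 6265 section 5.4), run over the three situations discussed above: the original HTTPS-then-HTTP failure, the http-start workaround from post #4, and the ;jsessionid= URL rewriting from post #5. The host name and session id are constructed values.

```python
"""Model of why a session created over HTTPS is lost on an HTTP page."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool  # Tomcat sets this when the session is created under HTTPS


@dataclass
class Browser:
    jar: list = field(default_factory=list)

    def visit(self, url: str) -> dict:
        """Cookies the browser attaches to a request for url (RFC 6265 5.4):
        a Secure cookie goes out only when the request scheme is https."""
        scheme = urlsplit(url).scheme
        return {c.name: c.value for c in self.jar
                if scheme == "https" or not c.secure}


def server_sees_session(url: str, cookies: dict) -> bool:
    """Container logic: session cookie first, then ;jsessionid= in the path."""
    if "JSESSIONID" in cookies:
        return True
    return ";jsessionid=" in urlsplit(url).path.lower()


def login_then_switch(login_scheme: str, rewrite_url: bool) -> dict:
    """Create the session under login_scheme, then load a plain-http page.

    rewrite_url models the TomcatRetryWithHttpEntryPoint approach: the
    redirect target carries the session id in the URL path.
    """
    b = Browser()
    sid = "CONSTRUCTED_ID"  # constructed session id, not a real one
    b.jar.append(Cookie("JSESSIONID", sid, secure=(login_scheme == "https")))
    target = "http://app.example/context/secured.htm"  # constructed host
    if rewrite_url:
        target += ";jsessionid=" + sid
    sent = b.visit(target)
    return {
        # True when the http request still maps to the logged-in session
        "session_kept": server_sees_session(target, sent),
        # True when the id crossed the unencrypted channel (cookie or URL)
        "id_on_clear_channel": sid in sent.values() or sid in target,
    }
```

Both workarounds keep the session only by putting the session id onto the unencrypted channel, which is the hijack risk described in post #2.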
