views:

429

answers:

1

Using only the standard JEE API (JAAS, Servlet API, JSF), how can I switch back from a CONFIDENTIAL channel to an unsecured one?

In my example I already managed to switch from an unsecured channel to a secured one for the resources in "*/secured/**", but I need to switch back to an unsecured channel after a successful authentication, as the only resources I want to send through HTTPS are login attempts; everything else is not sensitive.

I wish to reduce the amount of code needed for this and also not to plague the app with URLs like

  • (unsecure protocol | secure protocol)://myserver(:unsecured | :secured ports)/Mycontext...

Any ideas or links?

So far this is working in WebLogic 10, but it should work with JBoss or GlassFish without jumping through many hoops.


I have the following security constraints in web.xml:

<security-constraint>
  <display-name>Registro Defectos</display-name>
  <web-resource-collection>
    <web-resource-name>forum</web-resource-name>
    <url-pattern>/forum/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Capturista</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <display-name>secure-channel</display-name>
  <web-resource-collection>
    <web-resource-name>secure resources</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Anonymous</role-name>
    <role-name>Capturista</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>forum</web-resource-name>
    <url-pattern>/forum/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/secure/login.faces</form-login-page>
    <form-error-page>/loginerror.faces</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>Capturista</role-name>
</security-role>
A: 

Hi, I have a similar problem. I am using WebLogic 10.3.

In the above example you mentioned, I have a requirement something like this:

Suppose in your JSP in the /secure folder, say /secure/protected.jsp, you have a link to a JSP in the /forum folder, say /forum/unprotected.jsp.

Then once you are on protected.jsp, your browser would be using HTTPS because of the transport guarantee CONFIDENTIAL, and when you click on the link for unprotected.jsp there, the browser should go to HTTP because of the transport guarantee NONE.

I am using to provide a link for this JSP.

But it is not going to HTTP although in web.xml the transport guarantee is mentioned to be NONE for /forum/* URLs. Any suggestions for the same?
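Both the question (switching back to plain HTTP after login) and the reply above (links from /secure/* to /forum/* staying on HTTPS) run into the same container behaviour: a transport-guarantee of CONFIDENTIAL makes the container redirect HTTP requests to HTTPS, but NONE only means "no guarantee required", so the container never redirects an HTTPS request back down to HTTP. Doing that downgrade with only the Servlet API means a Filter mapped on the unprotected paths. The filter below is an added example, not code from the question, the reply, or WebLogic; the init-param name `httpPort` and its default of 7001 are assumptions, and the mapping (`<filter-mapping>` with `<url-pattern>/forum/*</url-pattern>`) is left to web.xml.

```java
// Added example (not from the question or the reply): a Servlet API filter that
// sends requests for non-confidential paths back to plain HTTP once the container
// has moved the browser to HTTPS for /secure/*.
// Assumptions: mapped to /forum/* in web.xml; plain-HTTP listener port given by the
// hypothetical init-param "httpPort" (default 7001 is a placeholder).
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class DowngradeToHttpFilter implements Filter {

    private int httpPort = 7001; // placeholder; override with the init-param

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        String p = cfg.getInitParameter("httpPort");
        if (p != null) {
            httpPort = Integer.parseInt(p.trim());
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // isSecure() is true when the container received this request over HTTPS.
        // Only GET is redirected: a redirected POST would lose its body.
        if (request.isSecure() && "GET".equals(request.getMethod())) {
            response.sendRedirect(buildHttpUrl(request));
            return;
        }
        chain.doFilter(req, res);
    }

    // Rebuild the same path and query string on the plain-HTTP scheme and port.
    String buildHttpUrl(HttpServletRequest request) {
        StringBuilder target = new StringBuilder("http://")
                .append(request.getServerName());
        if (httpPort != 80) {
            target.append(':').append(httpPort);
        }
        target.append(request.getRequestURI());
        if (request.getQueryString() != null) {
            target.append('?').append(request.getQueryString());
        }
        return target.toString();
    }

    @Override
    public void destroy() {
    }
}
```

What this costs: the authenticated session is identified by the JSESSIONID cookie. If the container issued that cookie with the Secure flag because the session was created on HTTPS (Servlet 3.0 `<session-config><cookie-config><secure>true</secure>` makes this explicit), the browser will not send it on the HTTP request, so the user arrives at /forum/* logged out. If the cookie is not Secure, it is sent in clear text on every /forum/* request, which is exactly the exposure the CONFIDENTIAL constraint on the login page was protecting against; the login credentials stay encrypted, but the session they produced does not.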