views: 38
answers: 1
This is driving me nuts.

I'm using Tomcat 6, declarative authentication, form based. No framework involved. Everything works ok - some pages authenticated, some not, some use https, some http. Everything as I want it. EXCEPT...

I want the login page to always use https.

The login page comes up nicely as https if: a) I go to it directly in the browser. b) I click on a page in the application that is configured for https (and requires authentication).

BUT the login page comes up as http if: a) I click on a page in the application that is configured for http (and requires authentication).

I've a feeling I'm up against some sort of accepted default here and that an answer might be "why would you want an https login to get to a non-https page?". It's like this: a) I want passwords to be encrypted. b) I want users to login to show which role (group) they belong to in order to enable/disable parts of the web site. c) I don't want a drop in performance due to https except where absolutely necessary.

I guess if the login page is forced to be https (like I want it to be) then there has to be a mechanism to put it back to http.

If anyone has some pointers/ideas around this whole area I'd be very very grateful.

web.xml fragments:

<security-constraint>
    <display-name>Security Constraint A0S1</display-name>
    <web-resource-collection>
        <web-resource-name>A0S1</web-resource-name>
        <url-pattern>/login/*</url-pattern>
    </web-resource-collection>

    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>    
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login/form_login.jsp</form-login-page>
        <form-error-page>/login/error.jsp</form-error-page>
    </form-login-config>
</login-config>
A: 

This was about ensuring login page is https even when the page requiring authentication is not set as CONFIDENTIAL in web.xml.

I've ended up writing a little servlet that allows me to switch to https (or http) rather than rely on web.xml CONFIDENTIAL config settings. The CONFIDENTIAL settings don't seem to work when you arrive at a jsp page through the login or through another servlet.

So now the config for the FORM authentication in web.xml points to a servlet (SSLSwitch) which takes a couple of arguments (url + desired protocol http/https) and redirects to the actual login page with https: /SSLSwitch?the_url=/login/form_login.jsp&the_target=https; /login/error.jsp

SSLSwitch Servlet active code fragment:

    // url: the path passed in the_url; target_domain: scheme + host chosen from the_target
    // (both are set earlier in the servlet, outside this fragment)
    String contextPath = request.getContextPath();
    String encodedUrl = response.encodeURL(contextPath + url);
    String fullUrl = target_domain + encodedUrl;
    response.sendRedirect(fullUrl);

The jsp login page itself follows the usual FORM login rules (action="j_security_check") and you end up on the requested page after login ok.

I now need to look at what I can do to improve session security after switching from https to http. Maybe a filter to check user's IP doesn't change during a session.

Steven.
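An alternative to a redirecting servlet, added here as an example and not code from the question or the answer above: a servlet Filter mapped to /login/* that sends any plain-http request for the login pages to the same URL over https before the form can render or the password can be posted. The class name LoginHttpsFilter, the init-param httpsPort and the port 8443 are assumptions for illustration; the page only names Tomcat 6 and the /login/* paths. Because the filter keeps the original request URI and query string, the relative action="j_security_check" on the form resolves under https as well, so the credentials travel encrypted even when the protected page that triggered the login is served over http.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical example filter (not from the question or answer).
 * Mapped to /login/* in web.xml, it redirects plain-http requests for the
 * login and error pages to the same URI over https. Assumes Servlet 2.5
 * (Tomcat 6) and an https connector whose port is given by the init-param
 * "httpsPort" (defaults to 443 when the param is absent).
 */
public class LoginHttpsFilter implements Filter {

    private int httpsPort = 443;

    public void init(FilterConfig config) throws ServletException {
        String p = config.getInitParameter("httpsPort");
        if (p != null) {
            httpsPort = Integer.parseInt(p.trim());
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // isSecure() is true only when the request arrived on the https connector.
        if (!request.isSecure()) {
            String location = httpsUrl(request.getServerName(), httpsPort,
                    request.getRequestURI(), request.getQueryString());
            // 302 to the same path over https; the browser repeats the GET there.
            response.sendRedirect(location);
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * Builds https://host[:port]/uri[?query]. The host comes from the current
     * request rather than from a parameter, so the redirect never leaves the
     * site that served the original request.
     */
    static String httpsUrl(String host, int port, String uri, String query) {
        StringBuilder sb = new StringBuilder("https://").append(host);
        if (port != 443) {
            sb.append(':').append(port);
        }
        sb.append(uri);
        if (query != null && query.length() > 0) {
            sb.append('?').append(query);
        }
        return sb.toString();
    }

    public void destroy() {
        // nothing to release
    }
}
```

Register it in web.xml with a &lt;filter&gt; element (init-param httpsPort = 8443 if that is the connector port) and a &lt;filter-mapping&gt; whose url-pattern is /login/*, the same pattern the question's security constraint uses. Two things worth knowing about the fall-back to http that the answer describes: the JSESSIONID cookie that identifies the logged-in session is then sent in clear on every http request, and a check on the client IP gives little protection because users behind NAT or a proxy share one address while mobile users change address mid-session. Marking the session cookie Secure, or keeping the authenticated part of the site on https, removes the exposure rather than trying to detect it.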