Hi all,
I have a question about SSL in J2EE. I would like to secure the access to a web application by using HTTP authentication over SSL. I would like to keep most of the site in simple HTTP and use SSL only for the login page. Is it possible? I read somewhere that the login/password are sent with each request because HTTP is stateless, so how can I only secure the login page?
SSL (3 messages)
- Posted by: Web Master
- Posted on: June 14 2004 06:01 EDT
Threaded Messages (3)
- SSL by Paul Strack on June 14 2004 11:04 EDT
- SSL by Web Master on June 16 2004 08:55 EDT
- SSL by Paul Strack on June 16 2004 01:05 EDT
SSL
- Posted by: Paul Strack
- Posted on: June 14 2004 11:04 EDT
- in response to Web Master
I have a question about SSL in J2EE. I would like to secure the access to a web application by using HTTP authentication over SSL. I would like to keep most of the site in simple HTTP and use SSL only for the login page. Is it possible? I read somewhere that the login/password are sent with each request because HTTP is stateless, so how can I only secure the login page?
Assuming your server is configured to support SSL, you can control encryption on your pages by using the "https://" prefix on your URLs instead of "http://". Simply ensure that all links to your login page use "https://" to switch on SSL. Once the login is complete, ensure that all the links leaving the login page are prefixed by "http://" to switch off SSL.
As for the userid/password being passed, it depends on how you implement your login. If you use HTTP Basic Authentication, then the userid/password will be passed with every request. In that case, the only safe thing to do is to encrypt the entire site ("https://" for everything).
If you use some other login mechanism (form-based or session-based security), this is not necessarily the case, and it may be safe to encrypt just the login page.
SSL
- Posted by: Web Master
- Posted on: June 16 2004 08:55 EDT
- in response to Paul Strack
Ok, thank you for your reply. But doesn't the form-based authentication use HTTP authentication too? In this case, I have to use SSL for the whole site, don't I?
SSL
- Posted by: Paul Strack
- Posted on: June 16 2004 13:05 EDT
- in response to Web Master
Doesn't the form-based authentication use HTTP authentication too? In this case, I have to use SSL for the whole site, don't I?
Form based authentication passes back and forth a session id instead of the userid and password itself. This session id is only valid for a short period of time (typically a couple hours).
In theory, a hacker could intercept the session id and use it to access the site but (a) this is hard and (b) at worst the hacker would only have temporary access.
If this temporary access is still a concern, use SSL for everything. For example, system administration or any application involving monetary accounts should be 100% encrypted.
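The two configurations discussed in this thread (SSL on the login page only, versus SSL for the whole site) are expressed in a J2EE web application through the deployment descriptor. The following web.xml is an added example, not something posted in the thread; the URL patterns /login/* and /members/*, the JSP names and the role name "user" are assumptions, and the descriptor follows the Servlet 2.3 DTD that was current in 2004.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
                         "http://java.sun.com/dtd/web-app_2_3.dtd">
<!-- Added example (not from the thread). Paths and the role name are assumptions. -->
<web-app>

  <!-- Bound the window of exposure described in the thread: an idle session
       expires after this many minutes and its id becomes useless. -->
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>

  <!-- Option A (what the original question asks for): only the login pages
       require SSL. The container answers a plain http request for /login/*
       with a redirect to the same URL over https. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>login pages</web-resource-name>
      <url-pattern>/login/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Protected area: the user must be authenticated, but under option A these
       pages are served over plain http, so the session id (JSESSIONID cookie)
       travels in the clear for the life of the session. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>members area</web-resource-name>
      <url-pattern>/members/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Option B (the thread's advice for administration or money-handling
       applications): one CONFIDENTIAL constraint over the whole site, so
       neither credentials nor the session id are ever sent unencrypted.
       Uncomment this and the per-path constraint above becomes redundant. -->
  <!--
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>whole site</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  -->

  <!-- Form-based login: the userid/password are posted once to
       j_security_check; afterwards only the session id accompanies requests. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login/login.jsp</form-login-page>
      <form-error-page>/login/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>

</web-app>
```

One caveat on option A: when an unauthenticated client first asks for /members/* over plain http, the container itself produces the login page in the course of that request, and whether the form (and the subsequent post to j_security_check) ends up on https then depends on how the container dispatches to the login page. If you rely on option A, link to the login page only with absolute "https://" URLs as the first reply suggests, and verify with the browser that the form is actually submitted over SSL; if that cannot be guaranteed, option B is the safe choice.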