SSL

General J2EE: SSL

  1. SSL (3 messages)

    Hi all,
    I have a question about SSL in J2EE. I would like to secure the access to web application by using HTTP authentication over SSL. I would like to keep most of the site in simple HTTP and use SSL only for the login page. Is it possible ? I read somewhere that the login/password are sent with each request because HTTP is stateless, so how can I only secure the login page page ?

  2. SSL

    I have a question about SSL in J2EE. I would like to secure the access to a web application by using HTTP authentication over SSL. I would like to keep most of the site in simple HTTP and use SSL only for the login page. Is it possible? I read somewhere that the login/password are sent with each request because HTTP is stateless, so how can I secure only the login page?
    Assuming your server is configured to support SSL, you can control encryption on your pages by using the "https://" prefix on your URLs instead of "http://". Simply ensure that all links to your login page use "https://" to switch on SSL. Once the login is complete, ensure that all the links leaving the login page are prefixed by "http://" to switch off SSL.

    As for userid/password being passed, it depends on how you implement your login. If you use HTTP Basic Authentication, then the userid/password will be passed for every request. If you use HTTP Basic Authentication, the only safe thing to do is to encrypt the entire site ("https://" for everything).

    If you use some other login mechanism (form-based or session-based security), this is not necessarily the case, and it may be safe to encrypt just the login page.
  3. SSL

    Ok, thank you for your reply. But doesn't the form based authentication use HTTP authentication too? In this case, I have to use SSL for the whole site, don't I?
  4. SSL

    Doesn't the form based authentication use HTTP authentication too? In this case, I have to use SSL for the whole site, don't I?
    Form based authentication passes back and forth a session id instead of the userid and password itself. This session id is only valid for a short period of time (typically a couple of hours).

    In theory, a hacker could intercept the session id and use it to access the site but (a) this is hard and (b) at worst the hacker would only have temporary access.

    If this temporary access is still a concern, use SSL for everything. For example, system administration or any application involving monetary accounts should be 100% encrypted.
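
One way to express the scheme discussed in messages 2 and 4 declaratively, as an added example that is not part of the thread: a web.xml deployment descriptor that switches the web application from BASIC to FORM authentication, puts the pages that trigger login (and the administration area) behind an SSL transport guarantee, and leaves the rest of the site on plain HTTP. The paths (/login.jsp, /login-error.jsp, /app/*, /admin/*), the role names "user" and "admin" and the session timeout are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not a descriptor from the thread. Paths (/login.jsp,
     /login-error.jsp, /app/*, /admin/*), the roles "user" and "admin" and
     the timeout are assumptions for illustration. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Form-based login, the alternative to BASIC from message 2. The password
       is posted once to j_security_check; afterwards the container recognises
       the user by the JSESSIONID cookie, not by re-sent credentials. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role><role-name>user</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>

  <!-- Pages that require a login. CONFIDENTIAL makes the container redirect an
       http:// request here to https:// before it shows the login form, so the
       form and the j_security_check POST travel over SSL. The guarantee has to
       sit on the protected pattern, not only on /login.jsp: the container
       serves the login form inside the request that triggered it, so a
       constraint on /login.jsp alone would not cover that case. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>member area</web-resource-name>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Covers direct links to the login page itself (the https:// links
       message 2 recommends), including a mistyped http:// one. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>login pages</web-resource-name>
      <url-pattern>/login.jsp</url-pattern>
      <url-pattern>/login-error.jsp</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Administration: the "100% encrypted" case from message 4. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>administration</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Session cookie flags (Servlet 3.0 descriptors and later). With secure
       set, the browser never sends JSESSIONID to an http:// URL, so the id
       cannot be read off the wire; the price is that plain-HTTP pages see the
       visitor as anonymous, which in practice means an all-HTTPS site.
       session-timeout is the idle timeout in minutes. -->
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>
```

To check the deployment, request a protected page over plain HTTP (for example with curl -I http://host/app/) and confirm the response is a redirect to the https:// URL rather than the login form, then log in and confirm the Set-Cookie header for JSESSIONID carries the Secure and HttpOnly attributes. Without the secure flag the descriptor implements exactly the trade-off message 4 describes: the credentials cross the wire only over SSL, but the session id is sent in the clear with every http:// request for as long as the session lives.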