It all started when I got a "This page contains both secure and nonsecure items" when accessing my JSF application using HTTPS in IE on a Windows XP machine. Note that everything works perfectly using HTTP.
Now I know that message normally means that somewhere something is accessing via http instead of https, but all of the data comes from my local app server, so why IE was complaining I did not know. I then tried Firefox and (although it has other issues...like images that don't show up) it did not have this problem (and reports everything coming back is from an HTTPS connection).
I then tried accessing the same app using a Windows 2003 Server machine using IE. This time, not only did I get the message about the secure and nonsecure content, I also did not get any images back that I load from a servlet. Inspecting the app server log I see this:
[#|2005-06-22T12:50:42.807-0500|SEVERE|sun-appserver-pe8.0.0_01|org.apache.tomcat.util.net.PoolTcpEndpoint|_ThreadID=16;|Handshake failed
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
    at com.sun.net.ssl.internal.ssl.InputRecord.b(DashoA12275)
    at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA12275)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:118)
    at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:534)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:647)
    at java.lang.Thread.run(Thread.java:534)
|#]
The next thing I did was go back to the Windows XP machine running IE and set the properties in IE to enable the display of mixed content to get rid of the message about secure and nonsecure items.
Now visiting the JSF app the message box is no longer displayed but a side effect (a very bad side effect) takes place!
For some reason, with the option set this way, the session bean cannot be located and my filter kicks me back to the login page! This happens for every page except the first one after the signon page. So, if I click on something on page two (with page one being the logon page) that sends me to another page, the filter catches it since it cannot find the session bean and assumes that the user's session timed out, and redirects them to the login page.
This works fine when the "Display mixed content" is not enabled.
Note that I have not purchased an SSL certificate, but one must have been generated for me by the Sun App Server.
Anyway, I have three questions:
1) Why the message to begin with?
2) Why does running IE on Windows 2003 cause the Unrecognized SSL error?
3) Why would enabling mixed mode display wax my session bean?