how to force use of HTTP

Hi. There is lots of documentation about how to require http for a
section of the website (using security-constraint and CONFIDENTIAL in
the WEB-INF/web.xml file). But how to force certain pages to use
http?

Scenario 1: User logs in to http:8080://localhost/index.html which is
not not secure. They click the login button and are directed to the
login page which is in the https section of the website. After
logging in they click the logout button which performs a
session.invalidate() and sends them back to /index.html. However, the
URL says https:8443://localhost/index.html.

Scenario 2: The user logs in as above. They click the link to go back
to the home page. Only difference with above scenario is that they
haven't logged out though. The URL is secure, namely https:8443://
localhost/index.html.

Scenario 3: The user opens a browser and types https:8443://localhost/
index.html and they view the page over SSL. By contrast, I just tried
https://finance.yahoo.com and it does not find the web page, and
https://www.pge.com asks if you want to accept the certificate and
after clicking Yes changes the URL to http.

Re: how to force use of HTTP

On Sat, 13 Oct 2007 01:34:08 +0200, wrote:

> Hi. There is lots of documentation about how to require http for a
> section of the website (using security-constraint and CONFIDENTIAL in
> the WEB-INF/web.xml file). But how to force certain pages to use
> http?
>
> Scenario 1: User logs in to http:8080://localhost/index.html which is
> not not secure. They click the login button and are directed to the
> login page which is in the https section of the website. After
> logging in they click the logout button which performs a
> session.invalidate() and sends them back to /index.html. However, the
> URL says https:8443://localhost/index.html.

I'd say that when you use a header redirect, you can (and should according
to the specs) easily give the full protocol/domain.

> Scenario 2: The user logs in as above. They click the link to go back
> to the home page. Only difference with above scenario is that they
> haven't logged out though. The URL is secure, namely https:8443://
> localhost/index.html.

As it should be, or not?

> Scenario 3: The user opens a browser and types https:8443://localhost/
> index.html and they view the page over SSL. By contrast, I just tried
> https://finance.yahoo.com and it does not find the web page, and
> https://www.pge.com asks if you want to accept the certificate and
> after clicking Yes changes the URL to http.

A https portion of a site may or may not be configured, may or may not
point to the same document root, and further processing may or may not
cause a redirect which alters the connection you are using.

So, in short:
Header redirect should always be with fully qualified urls.

To force a user to one or another connection, I have been known to abuse
mod rewrite, checking wether the %HTTPS% is 'on' (or 'off'), and
redirecting to protocol://domain/ if it was not the desired
one.

--
Rik Wasmus

Re: how to force use of HTTP

On Oct 16, 8:28 am, "Rik Wasmus" wrote:
> On Sat, 13 Oct 2007 01:34:08 +0200, wrote:

> I'd say that when you use a header redirect, you can (and should according
> to the specs) easily give the full protocol/domain.

Indeed, the code in my /protected/dologout.jsp page is


<%session.invalidate();%>
<%response.sendRedirect("../loggedout.html");%>

Where do the specs say to use the fullly qualified URL? The following
URL does not say this, and in fact says you can use site root and
relative paths:

http://java.sun.com/javaee/5/docs/api/javax/servlet/http/Htt pServletResponse.html#sendRedirect(java.lang.String)


> > Scenario 2: The user logs in as above. They click the link to go back
> > to the home page. Only difference with above scenario is that they
> > haven't logged out though. The URL is secure, namely https:8443://
> > localhost/index.html.
>
> As it should be, or not?

No. The files in my site root like /index.html and /loggedout.html
are not secure. They don't display sensitive information, so there's
no need to use https, which uses up CPU power on the server and client
to encrypt data. So for these files I want to force the use of http.
It's only the files in /protected/* that need to use https. While
browsing files on amazon.com for example, the products pictures and
all are unprotected. Protecting them with https would be expensive.
It's only the check out process and possibly the shopping cart that
needs to be in https.

> So, in short:
> Header redirect should always be with fully qualified urls.

Another problem with using fully qualified URLs is that I have to put
the port number and domain name as in "http://localhost:8080/
loggedout.html". But what if the domain name and port number change
in production (say from localhost to mycompany, and 8080 to 80)? That
would mean changing the source code, which is a pain and error prone
too.

> To force a user to one or another connection, I have been known to abuse
> mod rewrite, checking wether the %HTTPS% is 'on' (or 'off'), and
> redirecting to protocol://domain/ if it was not the desired
> one.

That's an idea. Did you use the request and response object to
achieve this, and Is it a best practice (I ask as you used the word
"abuse")? If it is not a best practice, how to achieve this?

Re: how to force use of HTTP

On Oct 16, 7:28 am, "Rik Wasmus" wrote:

> To force a user to one or another connection, I have been known to abuse
> mod rewrite, checking wether the %HTTPS% is 'on' (or 'off'), and
> redirecting to protocol://domain/ if it was not the desired
> one.

Don't know about mod_rewrite, but I accomplished the same using
filters. If the incoming request is https but to an unsecure page,
then call response.sendRedirect(URL with http instead). It seems to
work so far.