khare

Reputation: 41

JSF secure transport mechanism

I have been working on a simple JSF secure transport mechanism where the configured HTTPS constraint is set to CONFIDENTIAL in web.xml. Now, what I wanted to do was to select a particular page for secure transport. I have a login page that takes me to another page. The login page takes a user name and password and should transport it over the secure layer to an EJB that verifies its authenticity before it displays the requested page. Now when I use a URL pattern like /faces/pageToView.xhtml for the requested page in web.xml, I get a funny behaviour I don't really understand. First, when I log in, my pageToView.xhtml displays without HTTPS, and when I click to go to another pageToView2.xhtml my first pageToView.xhtml redisplays with HTTPS. Not only that, all other pages I navigate to display HTTPS even though I had not configured them for secure transport. I need to know the right way to configure secure transport behaviour for a particular page. Thanks in advance.

Upvotes: 1

Views: 171

Answers (1)

Oversteer

Reputation: 1828

The way it seems to be is that when you go to https, and you're generally going to do this on the login page, you stay on https. It seemed to me to be a big overhead for an application with limited security requirements, but on looking into it the consensus is that the big risk is session hijacking. So if you had two secure pages, login & shopping, and all the other pages don't use SSL, they'll be sending the session cookie over the air/wire in the clear and the cookie could be sniffed.

I think that if you have an apache web server fronting your application server you have a lot more options such as using https between the client browser and apache for certain pages, but using http between apache and the app server. I'm fairly sure that you can do this but I'm no expert and haven't tried it.

When I was looking into this some time ago I came across this filter, written by one of the Glassfish team, which is supposed to downshift from https to http. My recollection is that, having downshifted, everything just stopped working when used in conjunction with container security.

With a few tweaks you could adapt this to your environment. In this example the main.xhtml file is the welcome-file from web.xml, the idea being that this would be the page loaded on successful login, so the earliest point at which to downshift from https to http. You'd need to uncomment @WebServlet, use your own logging in place of Log.log() and check any URL/pathnames.

Before spending any time on this please remember that I could never get this to work and the recommendation is to take the hit and use https all the time.

package uk.co.sportquest.jsfbeans.helper;

/*
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright 1997-2008 Sun Microsystems, Inc. All rights reserved.
 *
 * The contents of this file are subject to the terms of either the GNU General
 * Public License Version 2 only ("GPL") or the Common Development and
 * Distribution License("CDDL") (collectively, the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy of the
 * License at https://glassfish.dev.java.net/public/CDDL+GPL.html or
 * glassfish/bootstrap/legal/LICENSE.txt. See the License for the specific
 * language governing permissions and limitations under the License.
 *
 * When distributing the software, include this License Header Notice in each
 * file and include the License file at glassfish/bootstrap/legal/LICENSE.txt.
 * Sun designates this particular file as subject to the "Classpath" exception
 * as provided by Sun in the GPL Version 2 section of the License file that
 * accompanied this code. If applicable, add the following below the License
 * Header, with the fields enclosed by brackets [] replaced by your own
 * identifying information: "Portions Copyrighted [year] [name of copyright
 * owner]"
 *
 * Contributor(s):
 *
 * If you wish your version of this file to be governed by only the CDDL or only
 * the GPL Version 2, indicate your decision by adding "[Contributor] elects to
 * include this software in this distribution under the [CDDL or GPL Version 2]
 * license." If you don't indicate a single choice of license, a recipient has
 * the option to distribute your version of this file under either the CDDL, the
 * GPL Version 2 or to extend the choice of license to its licensees as provided
 * above. However, if you add GPL Version 2 code and therefore, elected the GPL
 * Version 2 license, then the option applies only if the new code is made
 * subject to such option by the copyright holder.
 */
import java.io.*;
import java.util.*;
import java.security.*;
import java.util.logging.Logger;
import javax.faces.context.FacesContext;
import javax.security.jacc.*;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;
import uk.co.sportquest.general.Log;

/**
 * Filter that downshifts from https to http if the given request came in over
 * https, but the target resource does not require any confidentiality
 * protection.
 *
 * @author jluehe
 * @author monzillo
 */

//@WebFilter(filterName = "CacheFilterStatic", urlPatterns = {"/faces/secure/main.xhtml"},
//    dispatcherTypes = {DispatcherType.FORWARD, DispatcherType.ERROR, DispatcherType.REQUEST, DispatcherType.INCLUDE})
public class MyFilter implements Filter {

    private static final CodeSource cs =
            new CodeSource(null, (java.security.cert.Certificate[]) null);
    private static final ProtectionDomain pd =
            new ProtectionDomain(cs, null, null, null);
    private static final Policy policy = Policy.getPolicy();
    private static final String httpPort = "8080";

    @Override
    public void init(javax.servlet.FilterConfig filterConfig)
            throws ServletException {

        //httpPort = filterConfig.getInitParameter("httpPort");
    }

    @Override
    @SuppressWarnings("static-access")
    public void doFilter(ServletRequest req, ServletResponse res,
            FilterChain filterChain)
            throws IOException, ServletException {

        if (req.isSecure()) {
            HttpServletRequest httpReq = (HttpServletRequest) req;
            Permission p = new WebUserDataPermission(httpReq);
            p = new WebUserDataPermission(p.getName(), httpReq.getMethod());
            //SQLog.log("Filter: " + httpReq.getRequestURI());
            // The JACC policy implies the permission only when the target needs no confidentiality
            boolean isTransportProtected = !policy.implies(pd, p);
            Log.log();
            if (!isTransportProtected) {
                // Downshift from https to http, by redirecting to the 
                // target resource using http
                String redirectUrl = "http://" + req.getServerName() + ":"
                        + httpPort + httpReq.getRequestURI();
                String queryString = httpReq.getQueryString();
                if (queryString != null) {
                    redirectUrl += "?" + queryString;
                }
                //redirectUrl = "http://localhost:8080/SportQuest/faces/secure/main.xhtml";
                Log.log("url: " + redirectUrl);
                ((HttpServletResponse) res).sendRedirect(redirectUrl);
            } else {
                // Perform normal request processing
                Log.log("normal");
                filterChain.doFilter(req, res);
            }
        } else {
            // Perform normal request processing
            Log.log("even more normal");
            filterChain.doFilter(req, res);
        }
    }

    @Override
    public void destroy() {
        // Do nothing
    }
}

Upvotes: 0
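As an added example, not the asker's or the answerer's own configuration, the following web.xml puts the two configurations this thread contrasts side by side: the narrow per-page constraint the question describes, which only forces https on the matched URL and leaves the session cookie free to travel over plain http on every other page, and the whole-application constraint the answer ends up recommending, with the session cookie marked Secure and HttpOnly so the browser never sends it in the clear. The page and welcome-file paths are taken from the thread; everything else is assumed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example web.xml (Servlet 3.0). Paths are assumptions taken from the thread. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

    <!-- Option A: what the question configures. Only the listed pages are forced
         onto https. The container redirects /faces/pageToView.xhtml to https, and
         because the URLs JSF renders are relative to the current page the browser
         keeps the https scheme on every page that follows, while the session
         cookie is still sent on any page reached over plain http. Remove the
         comment markers to use it instead of Option B (keep only one).

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Login and the page behind it</web-resource-name>
            <url-pattern>/faces/login.xhtml</url-pattern>
            <url-pattern>/faces/pageToView.xhtml</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    -->

    <!-- Option B: the answer's recommendation. Every URL is CONFIDENTIAL, so there
         is no http page on which the session cookie could be exposed. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Whole application</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- Session cookie hardening that belongs with Option B. Secure means the
         browser never sends JSESSIONID over http at all; HttpOnly keeps page
         scripts from reading it; COOKIE-only tracking stops the container from
         rewriting ;jsessionid=... into URLs. Under Option A a Secure cookie would
         simply be absent on the http pages and the session would appear to vanish
         there, which is one more reason to stay on https throughout. -->
    <session-config>
        <session-timeout>30</session-timeout>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>

    <!-- The welcome-file the answer's filter was attached to. -->
    <welcome-file-list>
        <welcome-file>faces/secure/main.xhtml</welcome-file>
    </welcome-file-list>
</web-app>
```

With Option B in place the downshift filter above becomes unnecessary: the container redirects any http request to https before the application sees it, and the Secure flag guarantees the cookie is never offered on http even if a stray absolute http link survives somewhere in a page.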
