Tuesday, January 17, 2006

Secure only login page

Web applications that do not use SSL to protect all their resources run faster than the ones that do. However, passing sensitive information about the users (user id's and passwords) over the network unencrypted is not a fair trade for improving performance. The best way is to protect only the login page and leave the rest of the pages unencrypted, that is if you do not have to encrypt each and every user transaction. In this way you will be able to successfully implement authentication and authorization on your web application without significantly impacting performance.
J2EE based web application can use container provided features to protect only certain pages of the application with SSL and leave the rest unencrypted. This is done by placing a security constraint (in the web deployment descriptor) on the specific page (login.jsp) and add a user-data-constraint to it. The user-data-constraint element contains a single required child element transport-guarantee. Assigning a value of CONFIDENTIAL to this element will enable secure transport for the selected resource. The following table shows the security constraint definition in the web deployment descriptor.
Posted by at
Labels: ,

1 comment:

  1. AnonymousMonday, March 17, 2008 at 5:38:00 PM EDT

    Hi,

    The only problem is when other resources are protected and the login.jsp form is invoked, the URL does not changed to login.jsp, but remains with the original resource we need to protect.
    Therefore no SLL is enforced on the login page, since the URL never changes to login.jsp.

    Do you have any solution?

    ReplyDelete

Subscribe to: Post Comments (Atom)

Popular Posts

  • Using Quartz Scheduler in a cluster
    In a previous post, I described how to use Quartz scheduler for scheduling . In this post, I describe the configuration changes required for...
  • Unit Testing with JUnit 4.0
    JUnit 4 introduces a completely different API to the older versions. JUnit 4 uses Java 5 annotations to describe tests instead of using in...
  • Implementing JMS with Spring: Messaging Client
    Last week, I described how to implement JMS, using a stand-alone client and a Message Driven Bean . In this post and the next, I will descr...
  • Deploy Java Web Application on Heroku with Heroku CLI
    This post will describe how to create and deploy a Java Web Application war to Heroku using Heroku CLI. You will need a basic understanding ...
  • Merge PDF files with iText
    New posts with iText 5.5.12 Following are two new posts for PDF Merge with iText 5.5.12 Merge PDF files using iText 5 Merge and Paginate PDF...
  • Implementing JMS with Spring: Message Driven POJO
    The previous post described how to implement a JMS messaging client using Spring JMS . This post will describe how to implement the Message ...
  • Merge PDF files using iText 5
    This is an example code for a simple PDF merge using iText 5. We use three InputStream s in a List as input and merged file is written to th...
  • Struts 2: Validation
    Update: A new post for validation in struts with annotation is available at: Struts 2 Validation: Annotations . Struts 2.0 relies on a val...
  • Merge and Paginate PDF files using iText 5
    In this post we will see a way to merge multiple PDF files while adding page numbers at the bottom of each page in the format Page 1 of 10 ....
  • Pagination with DisplayTag
    Displaytag is an opensource tag library that can be used to display tables on JSPs. Apart from being able to display tables, the displaytag...