32 Replies Latest reply: Mar 26, 2010 9:25 AM by 739930

    Redirect from HTTPS to HTTP on Tomcat 4 problem

    843835
      Hello friends,
      Desperate to solve this problem, have searched this forum all over, but haven't found the answer.
      I have a typical scenario:
      1. Login page secured with HTTPS.
      2. On valid login the response is redirected to HTTP (not secure) page.

      But the redirect caused the session to be lost. I'm using Tomcat 4. Is it Tomcat's bug? How to solve this simple problem? Has anyone done this before?

      Thanks a lot to anyone who replies.
        • 1. Re: Redirect from HTTPS to HTTP on Tomcat 4 problem
          843835
          I'm sorry to bother you as I'm afraid I don't know anything about re-directing from HTTPS to HTTP on Tomcat4, however you had a query which you posted last year. There were no replies but I have the exact same problem and I was wondering if you managed to solve the problem.

          Your problem concerned trying to define a servlet in JRun. You were getting an error message....

          Cannot save local.properties in default|myappName:
          Cannot write to directory null.

          Was there a way to fix this from within the JMC?
          Please help.
          • 2. Re: Redirect from HTTPS to HTTP on Tomcat 4 problem
            843835
            hm, i do not have a solution but typically you don't do a secure login and then redirect to an insecure page. the normal scenario is to log into a secure page and stay secure. as far as i know HTTPS establishes its own kind of session which might be connected to the servlet session somehow. if that is the case then it's clear, that the HTTPS session is lost when you switch over to HTTP.

            what could work is to have an initial page with HTTP, which creates a session (creating a cookie in the browser or switching to URL rewriting) and only after that switch to HTTPS (and maybe switch back).

            i guess you'll have to try out. sorry.

            robert
            • 3. Re: Redirect from HTTPS to HTTP on Tomcat 4 problem
              843835
              Thanks, I'll try your suggestion.
              But I would argue that once secure, you have to stay secure all the time. Login page can be secure to protect username/password, the rest of the site (if not too critical) can be http, to increase performance, and lower response time.

              Thank you for replying!
              • 4. Re: Redirect from HTTPS to HTTP on Tomcat 4 problem
                843835
                Robert, Brilliant!
                It works.
                • 5. Re: Redirect from HTTPS to HTTP on Tomcat 4 problem
                  843835
                  Robert, Brilliant!
                  thank you!
                  It works.
                  so you now have an initial HTTP page that creates the session and then go over to the HTTPS page for login?

                  great that i could help you in spite of my limited knowledge on the matter.

                  regards

                  robert
                  • 6. Re: Redirect from HTTPS to HTTP on Tomcat 4 problem
                    843836
                    Hi Robert,
                    I hope you're still watching this topic...

                    I have the same problem you described, but I can't understand your solution...

                    My scenario is a web application running over Tomcat 4.1.24.
                    I'm "protecting" it using form-based authentication, so each time I require a resource in my webapp
                    I get redirected to the login page (if I'm not already logged on..):
                    (in web.xml)
                    <login-config>
                        <auth-method>FORM</auth-method>
                        <form-login-config>
                            <form-login-page>/login.jsp</form-login-page>
                            <form-error-page>/notallowed.jsp</form-error-page>
                        </form-login-config>
                    </login-config>
                    The login jsp is under SSL:
                    (in web.xml)
                    <security-constraint>
                        <web-resource-collection>
                            <web-resource-name>Entire Application</web-resource-name>
                            <url-pattern>/login.jsp</url-pattern>
                        </web-resource-collection>
                        <auth-constraint>
                            <role-name>*</role-name>
                        </auth-constraint>
                        <!-- Define SSL access to login form -->
                        <user-data-constraint>
                            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
                        </user-data-constraint>
                    </security-constraint>
                    How can I manage this situation like you did with your...

                    Thanx!
                    • 7. Re: Redirect from HTTPS to HTTP on Tomcat 4 problem
                      843836
                      Hello,

                      Could you please let us know how did you keep the session information when you switch your connection from HTTP to HTTPS? I met a similar problem. I enter a jsp with HTTP request and create a session in that jsp, then I construct a HTTPS url (for a protect page) and redirect to that new created url. In the protected page, I lost the session created before.

                      Thanks .... Di
                      • 8. Re: Redirect from HTTPS to HTTP on Tomcat 4 problem
                        843836
                        One way to maintain the session in Tomcat, when the session cookie is getting created in SSL mode is to trick the browser by creating the non-secure cookie, when the secure cookie is getting created. To do that, we need to create a request wrapper as below:

                        import javax.servlet.http.Cookie;
                        import javax.servlet.http.HttpServletRequest;
                        import javax.servlet.http.HttpServletRequestWrapper;
                        import javax.servlet.http.HttpServletResponse;
                        import javax.servlet.http.HttpSession;

                        public class MyRequestWrapper extends HttpServletRequestWrapper
                        {
                            private HttpServletResponse response = null;

                            public MyRequestWrapper(HttpServletRequest request) {
                                super(request);
                            }

                            public void setResponse(HttpServletResponse response) { this.response = response; }

                            public HttpSession getSession()
                            {
                                HttpSession session = super.getSession();
                                processSessionCookie(session);
                                return session;
                            }

                            public HttpSession getSession(boolean create)
                            {
                                HttpSession session = super.getSession(create);
                                processSessionCookie(session);
                                return session;
                            }

                            private void processSessionCookie(HttpSession session)
                            {
                                if (null == response || null == session) {
                                    // No response or session object attached, skip the pre processing
                                    return;
                                }
                                // cookieOverWritten - Flag to filter multiple "Set-Cookie" headers
                                Object cookieOverWritten = getAttribute("COOKIE_OVERWRITTEN_FLAG");
                                if (null == cookieOverWritten && isSecure() && isRequestedSessionIdFromCookie() && session.isNew()) {
                                    // Might have created the cookie in SSL protocol and Tomcat will lose the session
                                    // if there is change in protocol from HTTPS to HTTP. To avoid this, trick the browser
                                    // using the HTTP and HTTPS session cookie.
                                    Cookie cookie = new Cookie("JSESSIONID", session.getId());
                                    cookie.setMaxAge(-1); // Life of the browser or timeout
                                    String contextPath = getContextPath();
                                    if ((contextPath != null) && (contextPath.length() > 0)) {
                                        cookie.setPath(contextPath);
                                    }
                                    else {
                                        cookie.setPath("/");
                                    }
                                    response.addCookie(cookie); // Adding a "Set-Cookie" header to the response
                                    setAttribute("COOKIE_OVERWRITTEN_FLAG", "true"); // To avoid multiple "Set-Cookie" headers
                                }
                            }
                        }

                        Attach this wrapper using the Filter below:

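                        import java.io.IOException;
                        import javax.servlet.*;

                        public final class TestFilter implements Filter
                        {
                            public void init(FilterConfig filterConfig) {} // required by the Filter interface

                            public void doFilter(ServletRequest request,
                                                 ServletResponse response,
                                                 FilterChain chain)
                                throws IOException, ServletException
                            {
                                // Wrap the request so getSession() calls go through MyRequestWrapper
                                MyRequestWrapper myrequest = new MyRequestWrapper(request);
                                myrequest.setResponse(response);
                                chain.doFilter(myrequest, response);
                            }

                            public void destroy() {} // required by the Filter interface
                        }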

                        And, the last step is to configure this filter in the web.xml.

                        This might keep the session information. Hope this will help. I had the same problem and I fixed it using the above logic.

                        -Cabir
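
Why the session disappears after the HTTPS-to-HTTP redirect, and what the wrapper in the post above changes, shown with a simplified cookie-jar model. This is an added example, not code from the thread: the class name, the session id `A1B2C3` and the `/app` context path are made up, and it assumes the container marks JSESSIONID as Secure when the session is created over HTTPS.

```java
import java.util.*;

// Added illustration: a simplified browser cookie jar (not Tomcat or browser code).
public class SecureCookieDemo {
    // One stored cookie; identity in the jar is name + path (a single host is assumed).
    record StoredCookie(String name, String value, String path, boolean secure) {}

    private final Map<String, StoredCookie> jar = new LinkedHashMap<>();

    // Store a Set-Cookie header value; a later cookie with the same name and path replaces the earlier one.
    void receive(String setCookie) {
        String[] parts = setCookie.split(";");
        String[] nv = parts[0].trim().split("=", 2);
        String path = "/";
        boolean secure = false;
        for (int i = 1; i < parts.length; i++) {
            String attr = parts[i].trim();
            if (attr.equalsIgnoreCase("Secure")) secure = true;
            else if (attr.toLowerCase(Locale.ROOT).startsWith("path=")) path = attr.substring(5);
        }
        jar.put(nv[0] + "|" + path, new StoredCookie(nv[0], nv[1], path, secure));
    }

    // Build the Cookie header for a request; Secure cookies are withheld on plain HTTP.
    String cookieHeaderFor(String scheme, String requestPath) {
        StringJoiner header = new StringJoiner("; ");
        for (StoredCookie c : jar.values()) {
            boolean pathMatches = requestPath.startsWith(c.path()); // simplified path match
            boolean schemeAllowed = !c.secure() || scheme.equals("https");
            if (pathMatches && schemeAllowed) header.add(c.name() + "=" + c.value());
        }
        return header.toString();
    }

    public static void main(String[] args) {
        // Constructed sample headers; session id and context path are hypothetical.
        SecureCookieDemo browser = new SecureCookieDemo();
        browser.receive("JSESSIONID=A1B2C3; Path=/app; Secure"); // container's cookie, session created over HTTPS
        System.out.println("secure cookie only, https: [" + browser.cookieHeaderFor("https", "/app/login.jsp") + "]");
        System.out.println("secure cookie only, http : [" + browser.cookieHeaderFor("http", "/app/home.jsp") + "]");

        browser.receive("JSESSIONID=A1B2C3; Path=/app"); // wrapper's extra cookie, no Secure attribute
        System.out.println("after wrapper cookie, http: [" + browser.cookieHeaderFor("http", "/app/home.jsp") + "]");
    }
}
```

With only the Secure cookie stored, the plain-HTTP request carries no JSESSIONID, so the server sees a visitor without a session. After the wrapper's cookie is stored, the same session id is sent on the unencrypted request as well, where it is readable on the network path.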
                        • 9. Re: Redirect from HTTPS to HTTP on Tomcat 4 problem
                          843836
                          Cabir: Thanks, but I have problems with your approach.

                          When I try to compile your code, I get the following issue:

                          In TestFilter, you work with ServletRequest, but then you try to construct a MyRequestWrapper which takes an HttpServletRequest. The relationship is ancestor and won't work. How do I proceed? thanks
                          • 10. Re: Redirect from HTTPS to HTTP on Tomcat 4 problem
                            843836
                            Hi EugeneBorodkin,

                            Please cast the ServletRequest to HttpServletRequest and this will fix the compilation error.

                            MyRequestWrapper myrequest = new MyRequestWrapper((HttpServletRequest)request);

                            Let me know if you have any other questions about this approach. You can email me at zcabir@yahoo.com

                            Good Luck.
                            • 11. Re: Redirect from HTTPS to HTTP on Tomcat 4 problem
                              843836
                              I came across this example and I think I need something very similar. However, after implementing it, I put some system.outs in it and am struggling now... The doFilter is definitely getting hit, but the processSessionCookie in the wrapper is never getting hit, meaning that the getSession() isn't ever being called. Where is this called from?
                              • 12. Re: Redirect from HTTPS to HTTP on Tomcat 4 problem
                                843836
                                Please check that you are using the following wrapper in the doFilter() method of the Filter.

                                MyRequestWrapper myrequest = new MyRequestWrapper(request);
                                myrequest.setResponse(response);

                                processSessionCookie() will be called only if this wrapper is set up. Also, please make sure that this filter is at the top level, meaning that if you have some other filter definition for the same action, it may overwrite this one.

                                Alternatively, you can check whether the request wrapper is set up properly or not by printing the request in the JSP or action class.

                                <% System.out.println(request); %>
                                • 13. Re: Redirect from HTTPS to HTTP on Tomcat 4 problem
                                  843836
                                  Thanks, it works !
                                  • 14. Re: Redirect from HTTPS to HTTP on Tomcat 4 problem
                                    843836
                                    Thanks zcabir!

                                    I got the filter and the request wrapper working!

                                    But, I'm wondering if you can give me any pointers on clever ways to redirect to the http pages from an http page inside the jsps (now that the session cookies are still intact). I'd like to not have to hard code URLs into anything if I can avoid it.