java - Spring Security 3.1.0 - Cannot switch from HTTPS to HTTP -

I am new to Spring Security and made a little webapp in order to seek and find a configuration useful for the project I am working on. I am forcing the login page to be accessed via HTTPS, and I need to switch to HTTP after logging in. In other words:

login page: HTTPS only
other pages: HTTP only

I tried several ways but cannot make it work as said above. I read the Spring Security FAQ and see there is no "natural" way of doing what I want, but I have been asked to do so, hence I need a workaround that I cannot find myself.

I am using Spring Security 3.1.0. The web container is Tomcat 6.0.33.

This is my Spring Security configuration:

```xml
<?xml version="1.0" encoding="utf-8"?>
<beans xmlns:sec="http://www.springframework.org/schema/security"
       xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <sec:http auto-config="true" use-expressions="true">
        <!-- login pages: HTTPS only; everything else: HTTP only -->
        <sec:intercept-url pattern="/log*.htm" access="anonymous" requires-channel="https" />
        <sec:intercept-url pattern="/admin/**" access="hasRole('admin')" requires-channel="http" />
        <sec:intercept-url pattern="/**" requires-channel="http" access="hasRole('authenticated')" />

        <sec:form-login login-page="/login.htm"
                        default-target-url="/index.htm"
                        authentication-failure-url="/login.htm?error=true"
                        always-use-default-target="true" />

        <sec:logout logout-url="/logout.htm" delete-cookies="JSESSIONID" invalidate-session="true" />
        <sec:anonymous/>
        <sec:remember-me use-secure-cookie="true" />
    </sec:http>

    <sec:authentication-manager>
        <sec:authentication-provider>
            <sec:user-service>
                <sec:user name="johnny" password="johnny" authorities="authenticated, admin" />
                <sec:user name="charlie" password="charlie" authorities="authenticated" />
            </sec:user-service>
        </sec:authentication-provider>
    </sec:authentication-manager>
</beans>
```

Any help is appreciated. Thanks in advance!

The workaround I found to my problem is disabling Spring Security's default session fixation protection. I had to add the "session-management" element to the XML configuration first described.

```xml
<sec:http auto-config="true">
    <!-- ... -->
    <sec:session-management session-fixation-protection="none"/>
    <!-- ... -->
</sec:http>
```

In addition to this, the URL you have to provide is the "application URL", not the login URL but the home page URL, e.g. not http://myapp/login.htm but http://myapp/index.htm. Doing so, if the user is logged in or has a remember-me cookie, they are able to come in without problem and the browser keeps using the HTTP protocol. If not, the user is redirected to the login page using HTTPS, and after a successful login the browser switches to HTTP correctly. Please take this into account, because if you write (or click) the login URL directly, HTTPS is maintained all the time.
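The asker's configuration with the answer's workaround folded in, as an added, annotated example. This is my assembly for illustration, not a file posted in the thread; the remember-me `key` value is a placeholder, and the comment on why the switch fails without the workaround is my reading of Tomcat's session-cookie behaviour, not something the thread states. The comments mark the trade-offs a reviewer would flag before accepting this into a project.

```xml
<?xml version="1.0" encoding="utf-8"?>
<beans xmlns:sec="http://www.springframework.org/schema/security"
       xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <sec:http auto-config="true" use-expressions="true">
        <!-- Only the login pages are forced onto HTTPS; every other URL is forced back to HTTP.
             The ChannelProcessingFilter redirects on channel mismatch, so entering the site
             at http://myapp/index.htm (not the login URL) is what lets the browser end up on HTTP. -->
        <sec:intercept-url pattern="/log*.htm" access="anonymous"               requires-channel="https" />
        <sec:intercept-url pattern="/admin/**" access="hasRole('admin')"         requires-channel="http" />
        <sec:intercept-url pattern="/**"       access="hasRole('authenticated')" requires-channel="http" />

        <sec:form-login login-page="/login.htm"
                        default-target-url="/index.htm"
                        authentication-failure-url="/login.htm?error=true"
                        always-use-default-target="true" />

        <sec:logout logout-url="/logout.htm" delete-cookies="JSESSIONID" invalidate-session="true" />
        <sec:anonymous />

        <!-- The workaround from the answer. With the default (migrateSession) a new session is
             created during the HTTPS login request; Tomcat marks a JSESSIONID cookie created on a
             secure request with the Secure flag (assumption, see lead-in), so the browser never
             presents it on the http:// pages and the user looks anonymous again.
             Trade-off: the session id is no longer rotated at login, so the pre-login session id
             is the one that becomes authenticated (no session fixation protection), and the
             session cookie now travels in clear on every HTTP request. -->
        <sec:session-management session-fixation-protection="none" />

        <!-- The question used use-secure-cookie="true". That confines the remember-me cookie to
             HTTPS, so it can never auto-login a user who arrives on an http:// page; dropping the
             flag makes remember-me work over HTTP at the cost of exposing that cookie as well.
             The key value below is a placeholder, not a value from the thread. -->
        <sec:remember-me key="CHANGE-ME-PLACEHOLDER" />
    </sec:http>

    <sec:authentication-manager>
        <sec:authentication-provider>
            <sec:user-service>
                <sec:user name="johnny"  password="johnny"  authorities="authenticated, admin" />
                <sec:user name="charlie" password="charlie" authorities="authenticated" />
            </sec:user-service>
        </sec:authentication-provider>
    </sec:authentication-manager>
</beans>
```

The two `requires-channel` rules are what the answer relies on: Spring Security only redirects on a mismatch, so the session and remember-me cookies must be usable on the HTTP side for the redirect back to HTTP to stick. Both cookies then leave the HTTPS channel, which is the exposure a reviewer should weigh against the requirement to serve the authenticated pages over plain HTTP.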

java https spring-security
