Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share

I want to create a secure login/logout mechanism. I started reading the following articles to get an idea of things to take into account:

These articles make some good points, but I was thinking of using HTTPS in a similar way to the Yahoo mail login page. You know... you type http://mail.yahoo.com and you are redirected to an HTTPS page like **https://**login.yahoo.com/config/login, where you insert your username and password. After your credentials are verified, you are redirected back to an HTTP page with a generated session_id cookie, and all communication from there on is over HTTP using the cookie.

What do I need to implement this behavior?

I want to do this for two Java web apps (one with Spring framework and one with Struts 1) but don’t know exactly how to integrate that HTTPS part into the application (I have never worked with HTTPS before).


1 Answer

First of all, you need to enable SSL for your server. For Tomcat you need to generate an openSSL keystore and add the following connector to server.xml:

```xml
<!-- HTTPS connector on port 8443; keystoreFile and keystorePass point at the generated keystore -->
<Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
   keystoreFile="mykeystore" sslProtocol="TLS"
   keystorePass="keystore password" />
```

To integrate SSL into your application I recommend Spring Security. It offers exactly what you want (login over HTTPS, then redirected to HTTP). All you have to do to implement it is set forceHttps to true:

```xml
<!-- Entry point that sends unauthenticated users to the login form, always over HTTPS -->
<bean id="authenticationProcessingFilterEntryPoint"
      class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
  <property name="loginFormUrl" value="/pages/login.jsp" />
  <property name="forceHttps" value="true"/>
</bean>
```

Of course, Spring and Spring Security do have a rather steep learning curve, but it is totally worth it. Do it once and then you can apply it to new apps in less than an hour. You can use Spring Security in both the Spring and Struts applications.

Spring Security used to be Acegi Security. This is an article that will get you started.


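A container-level way to force the login step onto HTTPS, shown as an added example that is not part of the original answer: a `WEB-INF/web.xml` fragment that works for both the Spring and the Struts 1 app. The login page path is taken from the answer; the two credential-submission URLs are assumptions to replace with the ones your application actually maps.

```xml
<!-- Added example: WEB-INF/web.xml fragment (Servlet 2.4), not from the original answer. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Force HTTPS for the login form and for the URL the credentials are posted to.
       A plain-HTTP request for one of these patterns is answered with a redirect
       to the HTTPS connector. Tomcat takes the target port from the HTTP
       connector's redirectPort attribute, which must be 8443 to match the
       HTTPS connector configured in server.xml. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login over TLS</web-resource-name>
      <url-pattern>/pages/login.jsp</url-pattern>
      <!-- Assumed submission URLs: adjust to your own mappings. -->
      <url-pattern>/j_spring_security_check</url-pattern> <!-- Spring Security default -->
      <url-pattern>/login.do</url-pattern>                <!-- hypothetical Struts 1 action -->
    </web-resource-collection>
    <!-- No auth-constraint: anyone may reach these URLs, but only over TLS. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

</web-app>
```

Only the listed URL patterns are forced onto HTTPS; requests made over plain HTTP after login still carry the session cookie in cleartext. Widen the pattern to `/*` if the session itself needs transport protection.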