Is it possible to use HTTPS only for login in Spring security?

My requirement is to secure only the login page to protect user credentials. After successful login, the user can access the restricted pages, but in http mode. It is a requirement because of SSL overload. Users need to access protected pages which contain a lot of data.

I would like to know whether it is possible to do, although it isn't as secure as maintaining an https context.

This is my config:

<security:http auto-config="true">
    <security:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https"/>
    <security:intercept-url pattern="/welcome*" access="ROLE_USER, ROLE_ADMIN" />
    <security:form-login login-page="/login" authentication-failure-handler-ref="customAuthenticationFailureHandler" default-target-url="/welcome" />
    <security:access-denied-handler ref="openIdAuthFailureHandler"/>
</security:http>

If I try to set /login as https, everything is in https mode. How can I manage to do that?

Edit:

As s.kwiotek suggested, I added requires-channel="http" to the other url patterns:

<security:http auto-config="true">
    <security:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https"/>
    <security:intercept-url pattern="/welcome*" access="ROLE_USER, ROLE_ADMIN" requires-channel="http"/>
    <security:intercept-url pattern="/user/*" access="ROLE_USER, ROLE_ADMIN" requires-channel="http" />
    <security:intercept-url pattern="/rest/*" access="ROLE_USER, ROLE_ADMIN" requires-channel="http" />
    <security:intercept-url pattern="/admin/*" access="ROLE_ADMIN" requires-channel="http" />
    <security:session-management session-fixation-protection="none"/>
    <security:port-mappings>
        <security:port-mapping http="8080" https="8443"/>
    </security:port-mappings>
    <security:form-login login-page="/login" authentication-failure-handler-ref="customAuthenticationFailureHandler" always-use-default-target="true" default-target-url="/user/home" />
    <security:logout logout-success-url="/" />
    <security:access-denied-handler ref="openIdAuthFailureHandler"/>
</security:http>

I added the session-fixation-protection="none" because if I only include requires-channel="http" it doesn't go further than the login. I try to log in, but I come back to the login.

If I add the session-fixation-protection it goes to the user's home, but only at the second login attempt. When you access /myapp/login, two jsessionids are created:

JSESSIONID=5B37413F33DF0AA45F31D711754C3704; path=/myapp; domain=localhost
JSESSIONID=658F9F8669AF6B296A77D448C1A64B71; path=/myapp/; domain=localhost; HttpOnly

Then I try to log in and I come back to the login, but the URL is different:

https://myapp/login;jsessionid=C1EC352C42D6AC379DB1B65A9295E8A1

When the jsessionid is in the URL, I try to log in and I'm successfully redirected to the user's home (/user/home). If I remove the session-fixation-protection, the jsessionid is in the URL but I'm not successfully redirected to the user's home.

I don't know who creates the first two jsessionids or how to explain this behaviour. The only thing I want to do is to secure the login by ssl and then access by http.

Binder answered 5/2, 2015 at 10:33

(This should have been a comment. But my account is limited in reputation.)

You may want to reconsider allowing access to the restricted pages in http mode.

According to http://www.troyhunt.com/2011/11/owasp-top-10-for-net-developers-part-9.html,

Many people think of TLS as purely a means of encrypting sensitive user data in transit. For example, you’ll often see login forms posting credentials over HTTPS then sending the authenticated user back to HTTP for the remainder of their session. The thinking is that once the password has been successfully protected, TLS no longer has a role to play. The example above shows that entire authenticated sessions need to be protected, not just the credentials in transit. This is a lesson taught by Firesheep last year and is arguably the catalyst for Facebook implementing the option of using TLS across authenticated sessions.

Nervous answered 27/1, 2016 at 3:39
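As an added example (not part of any answer on this page), the configuration that follows the advice above: every intercept-url requires https, so the session cookie issued at login is never sent over plain http for the rest of the authenticated session. The handler bean names and ports are taken from the question's own config; the patterns are assumed to match its URL layout.

```xml
<security:http auto-config="true">
    <!-- Login page: anonymous access, but only over TLS. -->
    <security:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https"/>

    <!-- Admin area first (more specific), then everything else; all of it stays on TLS. -->
    <security:intercept-url pattern="/admin/**" access="ROLE_ADMIN" requires-channel="https"/>
    <security:intercept-url pattern="/**" access="ROLE_USER, ROLE_ADMIN" requires-channel="https"/>

    <!-- Port mapping lets the channel filter redirect http://host:8080/... to https://host:8443/... -->
    <security:port-mappings>
        <security:port-mapping http="8080" https="8443"/>
    </security:port-mappings>

    <!-- No session-management override: session-fixation protection stays at its default,
         so the session id is changed when the user authenticates. -->
    <security:form-login login-page="/login"
                         authentication-failure-handler-ref="customAuthenticationFailureHandler"
                         default-target-url="/user/home"/>
    <security:logout logout-success-url="/"/>
    <security:access-denied-handler ref="openIdAuthFailureHandler"/>
</security:http>
```

With every pattern on https there is no http/https switch after login, which is also what removes the login loop described in the question's edit.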

Try for example:

<security:intercept-url pattern="/**" access="ROLE_USER" requires-channel="http"/>
Pet answered 5/2, 2015 at 14:3

Check my edit @s.kwiotek. Thanks for the answer (I tested the same while I was waiting for an answer). - Binder
