Skip to main content

Auto SSL Switch Over Issue

To protect a web resource typically we add a security constraint CONFIDENTIAL in the web.xml in the case of Java Technology. That means that this resource is protected and can only be accessed via HTTPS. How this works is this way. Browser sends the request to the resource . Container intercepts and sends a redirect url which is the https URL. Browser again sends the request via HTTPS. The advantage is this mechanism will do automatic switch over of protocols. Hence by simply changing the configuration we can make which part is http and which should be https.
But the issue is when the application is accessed via a reverse proxy. In this scenario the automatic protocol switch over will contain the IP or domain name of the internal server and not of the proxy. Hence we may have to do the http to https switch over using java script from the browser. So this defeats the whole purpose of CONFIDENTIAL element. I haven't seen any where in the web.xml spec an element to specify the address or domain of the front end host . In this case reverse proxy. I think this is a serious limitation. In my view this element should be added to the JSP / Servlet spec and the web.xml should be updated.

Comments

Post a Comment

Popular posts from this blog

Using Database login Module in JBoss

This post is a detailed description on how to use the database login module in JBoss with a J2EE Application. Scenario There is a EJB and we want to restrict the access to this ejb's method to an authenticated user having a particular role. The EJB is accessed from a standalone Java Client using Remote Lookup. Implementation The EJB is HelloSSB and the roles allowed are admin and user. First step is to write the EJB The source code is given below. This is a stateless session bean. package com.prem.ejb; import javax.annotation.PreDestroy; import javax.annotation.Resource; import javax.annotation.security.RolesAllowed; import javax.ejb.SessionContext; import javax.ejb.Stateless; import javax.persistence.EntityManager; import javax.persistence.PersistenceContext; import org.jboss.annotation.security.SecurityDomain; @Stateless @SecurityDomain ("helloworld") public class HelloSSB implements HellioIntf{ @PersistenceContext(unitName = "EntApp") EntityManager em; @Reso...
26 comments
Read more

Design Patterns

A note on Design patterns Many times we can see ourselves looking for design patterns to fit the design of a requirement. Of course if the requirement is simple enough to apply any existing design pattern we should do so. This will save us valuable time. In my opinion it is better not to worry about which pattern to apply.But concentrate on the three basic Object oriented principles. 1) Encapsulate what varies 2) Prefer composition over inheritance 3) Program to an interface not to an implementation. If we approach the design with these principles in mind , we don't have to search for patterns. Pattern will emerge itself. Once we apply these principles, we can definitely look whether any of the existing patterns can solve the issue better than the way we thought of. This way our thinking process will improve tremendously and at times we may end up creating a solution which may be better than any available design patterns.
1 comment
Read more

Load Balancing

Why do you need to load balance ? Here i will put forward the various options available for web load balancing. Before we go into that , let us first examine why do we need load balancing after all.Consider you develop a website and is available to the public.If the application is served from a single webserver then there is a high chance that the machine will be overwhelmed if the usage of the application increases. This may result in users experiancing unusually high response times or in worse case the machine can come to a halt.So you need some mechanism to distribute the load across different machines,without the client having to swich address. There are many widely used approaches. The most common ones are DNS based load balancing Software load balancing Hardware load balancing DNS based Load Balancing Here the DNS server is configured in such a way that it returns different IP addresses for various requests to the DNS server for a particular domain name. The DNS server may contai...
Post a Comment
Read more