
I have a webstore written in pure JSP and JavaBeans which is deployed and working fine on Tomcat. Tomcat has been configured with SSL successfully. It only has five pages:

  • Home page (non-secure page) - Displays home page
  • Product page (non-secure page) - Display a single product all the time
  • Cart page (non-secure page) - Displays the cart page after adding a product
  • Checkout page (secure page) - A single checkout page that contains all the information such as customer address, payment method, shipping method, etc.
  • Receipt page (secure page) - Generates an Order # and displays the order total.

Whenever I navigate from the Cart page to the Checkout page the browser automatically switches the protocol from http -> https and the port from 8080 -> 8443, which is as expected. However, the problem is that it just does not switch back from https -> http and 8443 -> 8080 whenever the user navigates from the Checkout page to the Home/Product page. The Home/Product and Cart page URLs all get converted into secure pages, which is not something I want.

web.xml

<!-- Security for Checkout module -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>mycheckout</web-resource-name>
        <url-pattern>/jsp/checkout/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Folder Structure:

jsp/
    home.jsp
    product.jsp 
    cart.jsp
    checkout/
        checkout.jsp
        receipt.jsp
  • Were you able to resolve this? – Perdomoff Jan 14 '16 at 21:09
  • You're not asking for this, thus I only add it as a comment: I'd not worry about this. If you set up https anyway, don't bother about going back. Mixed-mode typically causes more problems than it solves: You'll probably be leaking session cookies in http that can be used with the https pages. If not now, then with the next iteration of your app. Save yourself the hassle and just go https all the way. You'll have less work this way, it's already set up. And some more CPU cycles are cheaper than your working time, or than losing reputation due to such a problem – Olaf Kock Jan 15 '16 at 10:47
  • @Olaf - Interesting solution, but just wondering, wouldn't the site be slower than usual with https? – Nital Jan 17 '16 at 06:04
  • You'll have to measure for the performance impact. But keep in mind: what good is a few milliseconds when your data gets lost through a leaking session. Look up Firesheep to see how easy it is to catch cookies e.g. at Starbucks – Olaf Kock Jan 17 '16 at 09:30

1 Answer

You can build the URL before redirecting:

 if ("https".equals(request.getScheme())) {
     // http_port is a <context-param> in web.xml holding the plain HTTP port, e.g. 8080
     String redirect = "http://" + request.getServerName() + ":"
             + getServletContext().getInitParameter("http_port")
             + request.getContextPath() + "/myurl";   // contextPath already starts with "/"
     response.sendRedirect(redirect);
 }

Edit:

A client-side redirect is more versatile insofar as it can send you to a completely different server, or change the protocol (e.g. from HTTP to HTTPS), or both. And the browser is aware of the new URL. But it takes an extra back-and-forth between server and client. See last answer here: requestDispatcher Interface Vs sendRedirect
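The same URL-building idea, applied once for every non-checkout page instead of in each JSP, as an added example that is not part of the answer or of the original site: a hypothetical servlet Filter (class name `HttpDowngradeFilter`, context-param `http_port`, and the `/jsp/checkout/` prefix taken from the question's web.xml are the assumptions). Mapped to `/jsp/*` in web.xml, it sends any HTTPS request for a page outside the checkout folder back to plain HTTP, preserving path and query string, and lets checkout requests pass through untouched.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not from the original page): redirects HTTPS requests
 * for non-checkout pages back to plain HTTP. Map it to /jsp/* in web.xml and
 * declare the plain HTTP port as a <context-param> named "http_port".
 */
public class HttpDowngradeFilter implements Filter {

    // Only this subtree is covered by the CONFIDENTIAL constraint in the question's web.xml
    private static final String SECURE_PREFIX = "/jsp/checkout/";
    private String httpPort;

    @Override
    public void init(FilterConfig config) {
        // Same context-param the answer reads; falls back to Tomcat's default HTTP port
        String configured = config.getServletContext().getInitParameter("http_port");
        httpPort = (configured != null) ? configured : "8080";
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the context root, e.g. "/jsp/home.jsp"
        String path = request.getRequestURI().substring(request.getContextPath().length());

        if ("https".equals(request.getScheme()) && !path.startsWith(SECURE_PREFIX)) {
            response.sendRedirect(buildHttpUrl(request.getServerName(), httpPort,
                    request.getContextPath(), path, request.getQueryString()));
            return;   // do not run the page over HTTPS; the browser will re-request over HTTP
        }
        chain.doFilter(req, res);
    }

    /** Builds the plain-HTTP URL. contextPath already starts with "/" (or is empty for ROOT). */
    static String buildHttpUrl(String host, String port, String contextPath,
                               String path, String query) {
        StringBuilder url = new StringBuilder("http://").append(host);
        if (!"80".equals(port)) {
            url.append(':').append(port);
        }
        url.append(contextPath).append(path);
        if (query != null && !query.isEmpty()) {
            url.append('?').append(query);   // getQueryString() is still URL-encoded, so append as-is
        }
        return url.toString();
    }

    @Override
    public void destroy() { }
}
```

Two things to keep in mind with this downgrade. First, `request.getServerName()` comes from the request's Host header, so the redirect target is only as trustworthy as the Host values Tomcat accepts for this connector. Second, once the browser is back on HTTP it sends the same JSESSIONID cookie in the clear, which is exactly the leak Olaf Kock's comment describes; marking the cookie Secure would stop that but would also break the HTTP pages. If that trade-off is not worth it, the simpler fix is the one from the comments: widen the `<url-pattern>` in the question's web.xml from `/jsp/checkout/*` to `/*` and drop this filter entirely.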
