3

On most pages, I have a log-in panel which is contained in a small div at the top of the page. Earlier, when I didn't use JSF, I set the log-in form's attribute action to https://.... to submit the username and password securely.

At the moment, when I use the tag <h:form>, the form is always submitted to the page that the user opened (e.g. if the log-in panel is on index.xhtml page, the form's action will also be index.xhtml). Are there any ways that I can change where the form is submitted to? I tried setting the attribute action of a commandButton inside that form to LoginStatus but the form is still submitted to index.xhtml.

I'd be very grateful if someone could show me how I can achieve the secure log-in using JSF 2.0.

Mr.J4mes
  • Did you have a look at [this](http://stackoverflow.com/questions/3356736/should-a-web-page-with-a-login-form-be-secured)? – home Nov 29 '11 at 11:48
  • @home: that's exactly what I want to do: serve the form unsecurely but submit it securely. I managed to do it in plain JSP but I am not sure how to do it with JSF since I cannot change the form's action attribute. – Mr.J4mes Nov 29 '11 at 12:00
  • Just wanted to make sure you're aware of the fact that just **showing** your login panel on unsecured pages introduces a certain security risk. I do not know a solution for this. IMHO the best solution is to either have HTTPS or not - no mixed mode solutions! – home Nov 29 '11 at 12:29

3 Answers

1

As far as I understand what you are trying to do, I would suggest you override the default form component's renderer and add the https behaviour to the component. It should probably work :)

Murat Can ALPAY
  • 1
    By the way, it seems posting a form via 'https' from an 'http' page would still be open to security attacks: http://stackoverflow.com/questions/4309199/must-logins-be-a-https-page – Murat Can ALPAY Nov 29 '11 at 14:33
0

You can tighten the security by doing the following:

  • Configure SSL in your web app server for specified secured pages (login, banking etc..)
  • Use Spring Security
jmj
  • I tried to set up Security Constraints that force SSL connections on the Login.xhtml page. However, the problem is that Login.xhtml is just a small part which is included in many pages. Many of these pages do not require SSL connections but I still need to display a log-in panel on them. I need a way to make the form's submission secure. – Mr.J4mes Nov 29 '11 at 11:57
  • So you can make that page secured and include it in all the pages where needed – jmj Nov 29 '11 at 12:00
  • Hmmmm, I'm not sure if it works. If I type Login.xhtml directly in the browser address bar, I will be brought to a warning page saying that my self-signed certificate is not secure. However, when I include Login.xhtml in index.xhtml, I see no such thing. – Mr.J4mes Nov 29 '11 at 12:51
  • 1
    I think "include" here is meant to be something like iframes not a JSP include/JSF fragment – RokL Nov 29 '11 at 14:17
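
One way to apply the "either have HTTPS or not" advice from the comments, so that a log-in panel included in any page is never served or submitted over plain HTTP. This is an added example, not code from the thread; the class name `HttpsOnlyFilter` and the `HTTPS_PORT` constant are assumptions, and it assumes a Servlet 3.0 container that terminates TLS itself.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (not from the thread). Assumes the container terminates TLS,
// so request.isSecure() reflects the client's connection (not true behind some proxies).
@WebFilter("/*")
public class HttpsOnlyFilter implements Filter {
    private static final int HTTPS_PORT = 443; // assumption; often 8443 on a development server

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (request.isSecure()) {
            // Ask the browser to use HTTPS for this host on later visits.
            response.setHeader("Strict-Transport-Security", "max-age=31536000");
            chain.doFilter(req, res);
            return;
        }
        String method = request.getMethod();
        if (!"GET".equals(method) && !"HEAD".equals(method)) {
            // A form posted over HTTP has already exposed its fields on the wire;
            // refuse it instead of redirecting, so the misconfiguration is noticed.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        // Rebuild the same URL on the https scheme and redirect the browser to it.
        StringBuilder target = new StringBuilder("https://").append(request.getServerName());
        if (HTTPS_PORT != 443) target.append(':').append(HTTPS_PORT);
        target.append(request.getRequestURI());
        if (request.getQueryString() != null) target.append('?').append(request.getQueryString());
        response.sendRedirect(target.toString());
    }

    @Override
    public void destroy() { }
}
```

Because the filter matches the request URL rather than an included fragment, it covers index.xhtml and every other page that embeds the log-in panel, which a constraint on Login.xhtml alone does not.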
0

One way is to use JavaScript to retrieve the form data and send the request to a secure URL. You can use some common JS library to send the request, like jQuery.

Ali
  • This may not work because the original pages are unsecure HTTP pages. The script on those pages cannot send requests to a secure page. – Mr.J4mes Nov 29 '11 at 13:02
  • I have seen some jQuery implementations using jQuery.ajax calls, which do send AJAX requests from http pages to https links. – Ali Nov 29 '11 at 13:10
  • 1
    Check out this [question](http://stackoverflow.com/questions/1012777/https-request-via-ajax-from-http-page). It cannot be done. – Mr.J4mes Nov 29 '11 at 13:15