making login pop secure with https/ssl

[srini]

Hi,

I am looking for a way, how to make login information secure in pop up. I have set up requires-channel="https" for intercept-url pattern="/login*/**" in applicationContext-security.xml. Pop up would not come up when the parent page(ex:home page) is on http.

Any suggestions would be really appreciated.

Thanks,
Srini.

[aazzolini]

Srini,

When setting up the Spring security bit for 2.0, I toyed around with getting a secure login in a popup, and eventually decided against it, which is why you see the login in its own page on Heat Clinic now. Here are the reasons for this decision:

If you were to do this with AJAX, your browser treats this as cross domain and doesn't let you do it. You can get around it, but it's messy and definitely not recommended

You can make it work with an iFrame, but it's very hard to get login boxes that have dynamic widths and heights when trying to embed an iFrame in them.

And finally, the most compelling argument in my opinion, is even if you have it working in an iFrame or AJAX, users will have no idea that their login is secure. Because the browser is rendering an HTTP page, you will never get the trusted lock icon in the address bar. This will dissuade users from wanting to submit data to your site.

[srini]

Thanks Andre. Nice explanation. I couldn't agree more. It is more of convenience from the customer stand point where they don't have leave the page especially when they are in the middle of looking or customizing products.

I was trying to do what this post http://java.dzone.com/articles/implementing-ajax says, putting https in the login.jsp form post, but getting 'Status Code:302 Moved Temporarily' on https request POST. I was wondering, if I need to make any changes in the controller.

Thanks,
Srini.

[aazzolini]

I really don't recommend this approach, but the key is the Access-Control-Allow-Origin that you can find in that OptionsHeaderFilter class in that post.

I would seriously consider implementing something to let them log in on a standalone page and redirect them back to where they were or forcing HTTPS traffic for every page.

[srini]

Thanks again Andre. Wouldn't the page loading becomes slow if the whole website is forced to https? and also if I force the whole app to https, some of the images are not loaded. Is there a way not to make that happen?

Thanks,
Srini.

[aazzolini]

Yes, you will incur a performance penalty as well as increased bandwidth utilization for a security tradeoff.

It's up to you to decide if that's worth it for you. If you're ok with customers not seeing the secured icon in the address bar, the AJAX approach you linked is an OK solution. Just please make sure sensitive data does in fact go through HTTPS

Regarding images not rendering on HTTPS, are they living outside of the /img/ directory? We definitely allow images to be served from either protocol. As an example, https://demo.broadleafcommerce.org/heat ... ternal.png

Note line 25 in applicationContext-security.xml:

Code: Select all

<sec:http pattern="/img/**" security="none" />


If you are trying to serve a resource from outside of the directories that have already specified in the XML file, you will need to add a similar declaration.

You will need a parallel declaration in applicationContext.xml. Take a look at line 49:

Code: Select all

<mvc:resources order="-10" location="/img/" mapping="/img/**" />


[srini]

Thanks Andre for quick responses. It is just a random behavior, some images would load, some not. If I refresh the page, all the images would load.

Another issue I am running into with login pop is, if I set up required-channel as http for /login, pop up would not come on secured pages like checkout and if set up as https, it would not come on unsecured(http) pages. Any thoughts on how I can get the pop on both?

What would be the recommended approach on hosting css/static images/js etc? In web server or in app server along with app itself or CDN (like amazon cloud front). For product images, I am thinking of using CDN for faster response. But with that approach, I imagine, product images would load before css background images.

Thanks,
Srini.

[aazzolini]

If it's random behavior, that's hard for me to debug. Use Chrome or Firefox network inspectors and see if you get any valuable information.

Securing the login popup with HTTP is exactly what I meant you should not do. You absolutely want to force required-channel to "https" for the login page and modify the controllers (or add a filter) to set the Access-Control-Allow-Origin like the article you linked shows. You REALLY don't want to allow HTTP logins, especially on an ecommerce site.

Hosting images on a CDN is definitely recommended. You can use Apache HTTPD to rewrite paths or make use of custom processors (or the UrlRewriteProcessor we've provided) to rewrite images. Note that our processor obviously won't affect css or js files.

[srini]

Thanks a lot Andre for all the support. I don't have words to express my gratitude.

regards,
Srini.

[srini]

Hi Andre,

I think, I have found the problem with random behavior of images not being displayed. It is jsessionid attached to each image causing issue. I did like below in .htaccess to remove it.

RewriteRule ^/(images/.+);jsessionid=\w+$ /$1

I guess, I did not catch the phrase 'UrlRewriteProcessor we've provided'. Did you mean cms url? or is this some other?

Thanks,
Srini.