
Securing only the logon to the J2EE Engine

Hi,

I'd like to configure the J2EE Engine in such a way that only the (basic) authentication is done over SSL, but after authentication has succeeded the applications themselves should all run in HTTP. Similar to how, for instance, Yahoo offers a secure login.

I understand it's no problem to configure SSL on the J2EE or to run everything in SSL, but I don't know how to configure a mixed mode.

Any ideas?

Marcel


3 Answers

  • Best Answer
    Former Member
    Sep 29, 2009 at 01:42 PM

    To switch back to HTTP after login, the easiest thing I can think of is to implement a login module which will be added to the login stack at the last place, after the CreateTicketLoginModule, and which does nothing else than a redirect to an HTTP target.


    • > Hi Tim & Julius
      >
      > For the most part they are Windows based terminals, some domain members, some not, and they are already logged in. Users can only access a few URLs and systems from there. Much like what Julius describes. He's referring to something you're selling, can you elaborate?

      Yes, but not on SDN since it is not appropriate to discuss these details on this forum.

      > So far we've just noticed a major performance loss when the portal and all its content runs in SSL. Mind you, a lot of these locations use very low bandwidth connections, so it could also be latency, but this strikes me as odd as I would expect the same drop from normal HTTP. We are looking into solutions such as AccAD but I thought that just encrypting the logon process would be a nice and simple solution. We might do this anyway, but with third party software and passing authentication through.
      >
      > Cheers
      > Marcel

  • Sep 24, 2009 at 04:53 PM

    What's the rationale behind that inquiry?

    Wouldn't it be worth ensuring that the (access-controlled) business data is also protected (by encrypted data transmission)?

    Once the https connection is established, the performance impact caused by the encryption (with symmetric key) is not so dramatic - the most "costly" part is the SSL handshake (creation of the symmetric key, validation of the SSL server's certificate, optionally also validating the SSL client's certificate). So it's not really worth switching back to http afterwards.

    Regards, Wolfgang


    • Former Member M. Rabe

      > if you can tell me whether it's possible or not

      Perhaps if you have a (series of) web dispatchers in place to handle session IDs on both ports, or redirect with the session ID in the header to http, then you can do it.

      But why? Do you want an intermediary (which is not trusted or trustable) to change something? I think it will become a bottleneck as well.

      > I'll tell you the case behind it.

      If it is performance, then Wolfgang has already addressed this in the "handshake" comment above.

      I think if you do not accept that the use-case of this is not a principally secure design for the client, and present your use-case to show that there is one (a business case)... then you will not attract a useful answer for that use-case.

      My 2 cents,

      Julius

      PS: Perhaps you have noticed logon problems to SDN recently? And constantly being logged off? Same thing... Someone activated http redirects and the caches told them to &%£?"-off... 😉
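The concern Wolfgang and Julius raise can be made concrete with a client-side model of what the "log on over HTTPS, then continue over HTTP" design does to the session cookie. This is an added example, not code from any of the posts and not SAP code: it uses Python's standard `http.cookiejar` to mimic a browser's cookie rules. The host name and the cookie name are constructed; on the J2EE Engine the equivalent is the session or logon-ticket cookie that the login stack (including CreateTicketLoginModule) sets. The point it shows: if the cookie carries the `Secure` attribute, the browser refuses to send it to the HTTP part of the application, so the mixed mode only works with a cookie that is allowed to travel in cleartext.

```python
"""Added example (not from the thread): what a browser does with a session
cookie that was set during an HTTPS logon when the application then
continues over plain HTTP. Models the client with http.cookiejar."""
import email.message
from http.cookiejar import CookieJar
from urllib.request import Request

# Constructed values; the real engine uses its own host and cookie names.
HOST = "portal.example.invalid"
COOKIE_NAME = "PORTAL_SESSION"  # stands in for the session / logon-ticket cookie


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()
    to return a headers object that supports get_all()."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            # Each assignment appends another Set-Cookie header.
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def login_over_https(secure_flag):
    """Simulate the logon response: the server sets the session cookie on the
    HTTPS logon URL, with or without the Secure attribute."""
    jar = CookieJar()
    login_request = Request(f"https://{HOST}/logon")
    attrs = f"{COOKIE_NAME}=constructed-session-id; Path=/"
    if secure_flag:
        attrs += "; Secure"
    jar.extract_cookies(_FakeResponse([attrs]), login_request)
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the client would attach to a request for url,
    or None when the jar's policy withholds every cookie."""
    request = Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def downgrade_outcome(secure_flag):
    """Whether the session cookie reaches the application over HTTPS and over
    HTTP after an HTTPS logon that set it with the given Secure flag."""
    jar = login_over_https(secure_flag)
    return {
        "https_app": cookie_header_for(jar, f"https://{HOST}/app") is not None,
        "http_app": cookie_header_for(jar, f"http://{HOST}/app") is not None,
    }


if __name__ == "__main__":
    for flag in (True, False):
        print(f"Secure={flag}: {downgrade_outcome(flag)}")
```

With `Secure` set, the HTTP half of the application never sees the cookie, so a redirect-to-HTTP login module forces the cookie to be issued without `Secure`; from then on it is sent on every HTTP request in cleartext, which is what Wolfgang's "is the business data also protected?" question is about.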

  • Former Member
    Sep 24, 2009 at 10:12 AM

    Hi Marcel,

    there is no configuration setting like "enable HTTPS only for logon".

    There might be a way if you want to write some custom code. I already implemented a scenario where all anonymous content was http and login and everything after login is https. Therefore you'd have to change the action which is called on login. You can achieve this by modifying the com.sap.portal.runtime.logon.par file. Also you have to modify the logout, to switch back to http after logout.

    Switching back to http after successful login is probably tricky. I think you would have to do some unsupported stuff, like modifying the portal launcher, which I cannot recommend 😊

    Hope that helps you!

    Martin
