[opencms-dev] Secure site (or parts of it)

Claus Priisholm cpr at codedroids.com
Tue Jul 16 17:01:41 CEST 2013


I am trying to secure parts of a site (so a user can log in securely and then
later see certain restricted information based on the credentials).

Ideally only the login page needs to be "forced" to https; the rest of the site
should work with plain http. Since the JSESSIONID is not shared between
http and https, once the user is logged in he should navigate all of the
site via https.

Setup is that Apache handles SSL, and communicates with Tomcat through
mod_ajp. OpenCms 8.5.0

This seems to be the recommended setting in opencms-system.xml:

(1)
<site server="http://something.com" uri="/sites/default/" >
  <secure server="https://something.com" exclusive="true" error="false" />
</site>

There is a folder inside /sites/default/ which has the "secure" attribute
set to true in the VFS, inside which there is a login page.

This kind of works - the browser is forced to the https version when hitting a page
inside that folder, but links on the page that point to pages outside of
the secure folder are all unsecure. Hence once the user clicks away from
the login page he appears as being logged out, as the secured JSESSIONID is
gone once on an http page (and that is a good thing).

If the user enters https manually in the browser address field then he
again gets the JSESSIONID and appears logged in.

So what I would like to happen is that once a user accesses via the https
scheme, URLs should all remain https. It does not seem that this is
possible (at least I haven't found a setting doing that). Setting
exclusive=false above is not an option since on the login-page https must
be enforced.

(2)
<site server="https://something.com" uri="/sites/default/" />

does allow one to do either secure or unsecure browsing, but then there is
no enforcing for the login page (actually it throws an exception because
the secure-tag is not defined while the attribute states secure is true).

The option then is to go secure for the entire site (which would be ok).
The quick solution would be to set the secure attribute on the
/sites/default/ folder, but - given the (1) configuration example with the
secure-tag defined - it states "There is no secure server configured for
the current site." - seems a bit odd, though strictly speaking the
site selector is "/" in order to actually set the attribute on
/sites/default/.

So there is the option of setting secure on all content (files and folders)
in the /sites/default/ folder.

If it is all https all the time then I guess I can get the same effect by
using (2) configuration and then have Apache force any non-https to https.

Have I overlooked any options?

/Claus
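The all-https variant mentioned at the end of the post (site configuration (2) with Apache redirecting every plain-http request) could look like the following. This is an added example, not configuration from the original post or from OpenCms; the hostname, certificate paths and the AJP port 8009 are assumptions.

```apache
# Added example (not from the original post): force all http traffic to https
# and hand the https vhost to Tomcat over AJP. Hostname, certificate paths
# and AJP port 8009 are assumptions; adjust to the real deployment.

# Plain-http vhost: serves nothing itself, only a permanent redirect.
# With every http URL redirected, a link pointing at http:// inside the
# site lands on https again before any content is served.
<VirtualHost *:80>
    ServerName something.com
    Redirect permanent "/" "https://something.com/"
</VirtualHost>

# TLS vhost: SSL terminates here, the request goes to Tomcat via mod_proxy_ajp.
<VirtualHost *:443>
    ServerName something.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/something.com.crt
    SSLCertificateKeyFile /etc/ssl/private/something.com.key

    # HSTS: browsers that have seen this header rewrite http:// links to
    # https:// themselves, so no plain-http request (and no insecure
    # JSESSIONID) is ever sent, even from a stray unsecure link.
    Header always set Strict-Transport-Security "max-age=31536000"

    # AJP forwards the is_ssl flag, so Tomcat sees request.isSecure() as true
    # and issues the JSESSIONID cookie with the Secure attribute.
    ProxyPass        / ajp://localhost:8009/
    ProxyPassReverse / ajp://localhost:8009/
</VirtualHost>
```

This assumes mod_ssl, mod_alias, mod_headers, mod_proxy and mod_proxy_ajp are loaded; the OpenCms site entry then only needs the https server from configuration (2).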