Securing selective portions of a web application

jnsunkersett

10:13 am on Mar 11, 2011 (gmt 0)

Hi,

I am a J2EE developer and have developed a J2EE application, deployed on JBoss and fronted with an Apache 2.2 server (using mod_jk).

So all requests on Apache are served by JBoss running on port 8080.

For security, I generated an SSL certificate and applied it to Apache, using mod_ssl.

But this has rendered my complete application secure and accessible only by https.

But I wish my Java application to be presented similarly to http://makemytrip.com, which allows users to search flights and add them to a shopping cart, all of this over http.
Only when the user does a checkout is he/she served content over https, but there is no change to the URL seen in the browser, except for http becoming https.

I feel such behaviour is managed by the web server (and not the Java application server), using something like URL rewriting or similar, hence this post.

Any help will be greatly appreciated.

thanks
Jeevan

jdMorgan

9:41 pm on Mar 17, 2011 (gmt 0)

Set up two virtual servers, one for HTTPS and one for HTTP. Redirect HTTP requests for secure *pages* to HTTPS. Redirect HTTPS requests for non-secure *pages* to HTTP. Do not redirect any requests for objects (such as images, JavaScripts, or CSS files) that are shared between SSL and non-SSL pages. Refer to these shared objects using only page- or server-relative URL-paths, so that the client will 'copy' the protocol of the currently-viewed page when requesting the shared object(s).

Also be careful to force canonicalization of the SSL hostname within your application: do not allow/support requests for both example.com and any subdomain of example.com (such as the www subdomain). Alternatively, you will have to require the purchase and use of 'wild-card' SSL certs. Be aware that SSL is invoked *before* any redirects can take place. So once a request for a non-canonical hostname to a host with a non-wild-card cert is invoked, it *cannot* be corrected by redirection; the result will always be a security warning. :(

Jim
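An added example of the two-virtual-host layout Jim describes, written for this thread rather than taken from the posts above. It assumes the hostname example.com from Jim's reply, that every secure page lives under /checkout/, that the shared images/JS/CSS live under /static/, a mod_jk worker named ajp13_worker, and the certificate paths shown; all of these are placeholders to adapt.

```apache
# Added example, not from the thread. Assumes mod_rewrite, mod_ssl and mod_jk
# are loaded, a worker "ajp13_worker" points at JBoss on port 8009 (AJP), and
# the paths /checkout/ (secure pages) and /static/ (shared objects) are yours.

<VirtualHost *:80>
    ServerName example.com
    RewriteEngine On

    # Hostname canonicalization: www.example.com (or any other name) -> example.com.
    # This only works on the plain-HTTP side; over HTTPS the certificate check
    # happens before any redirect can run, as Jim notes.
    RewriteCond %{HTTP_HOST} !^example\.com$ [NC]
    RewriteRule ^(.*)$ http://example.com$1 [R=301,L]

    # Secure pages requested over HTTP are sent to the HTTPS host.
    # The URL path is kept, so the browser shows only the scheme change.
    RewriteRule ^/checkout(/.*)?$ https://example.com%{REQUEST_URI} [R=301,L]

    # Everything else is proxied to JBoss unchanged (search, cart, ...).
    JkMount /* ajp13_worker
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    SSLEngine On
    SSLCertificateFile    /etc/apache2/ssl/example.com.crt   # placeholder path
    SSLCertificateKeyFile /etc/apache2/ssl/example.com.key   # placeholder path
    RewriteEngine On

    # Shared objects are never redirected: pages reference them with relative
    # paths, so the browser requests them with the scheme of the current page
    # and an HTTPS page does not end up loading HTTP resources.
    RewriteRule ^/static/ - [L]

    # Non-secure pages requested over HTTPS are sent back to plain HTTP.
    RewriteCond %{REQUEST_URI} !^/checkout(/|$)
    RewriteRule ^(.*)$ http://example.com$1 [R=301,L]

    # Checkout pages are proxied to the same JBoss instance.
    JkMount /* ajp13_worker
</VirtualHost>
```

Note that in this split design the cart session cookie travels over the plain-HTTP pages as well as the HTTPS checkout, which is the exposure that serving the whole application over HTTPS (as the original setup already did) avoids.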

jnsunkersett

5:47 pm on Mar 25, 2011 (gmt 0)

Jim,

Whew, that answer was very "webmaster techy".

For a start, could you direct me to the same documentation but created 'for dummies'?

thank you
jeevan