Form login requirements in a Web application when using HTTPS (SSL)

To use the form login mechanism in your Web application, the client must support cookies. The client can be a browser or a standalone HTTP client. When your Web application uses the form login mechanism in conjunction with HTTPS, the transport guarantee for the form login page must be identical to the transport guarantee for the pages that require authorization. Otherwise, the client receives multiple HTTP redirects to the same page, resulting in an error. See “Defining a security constraint from the Web Application Properties Security tab” for information about configuring the transport guarantee.

Here are the steps required to enable HTTPS for the eStore application, which is a large, comprehensive sample application developed by Sun Microsystems to run on J2EE-compliant servers. eStore simulates an online pet store implemented with JavaServer Pages, Java servlets, and Enterprise JavaBeans. You can download eStore as part of the Sun Microsystems J2EE Blueprints.

  1. Change the transport guarantee for the existing two security constraints from None to Confidentiality or Integrity.

  2. Add a new security constraint. Set the transport guarantee for the new security constraint to the same value as the existing two security constraints.

  3. Add a Web resource collection to the new security constraint. Define a Web resource, and set the URL pattern to “/login.jsp”, which is the URL of the form login page.

  4. Refresh the eStore application. Connect to the eStore application from your browser. The form login and all subsequent communication occur using HTTPS.
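The following web.xml fragment is an added illustration of the resulting deployment descriptor, not taken from the eStore sample itself: a form login configuration, one of the existing constraints with its transport guarantee raised to CONFIDENTIAL, and the new constraint that places “/login.jsp” under the same guarantee so that the credential POST is carried over HTTPS and the container does not redirect the client back and forth between HTTP and HTTPS. The URL pattern “/control/*”, the role name “customer” and the error page “/loginerror.jsp” are assumed values for the example.

```xml
<!-- Added example deployment descriptor fragment (not the eStore original) -->
<web-app>
  <!-- Form login: the login page and the page shown on a failed login -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>eStore</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginerror.jsp</form-error-page> <!-- assumed -->
    </form-login-config>
  </login-config>

  <!-- Step 1: existing constraint on pages that require authorization.
       The transport guarantee is raised from NONE to CONFIDENTIAL
       (INTEGRAL would be the other accepted value). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected pages</web-resource-name>
      <url-pattern>/control/*</url-pattern> <!-- assumed pattern -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>customer</role-name> <!-- assumed role -->
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Steps 2 and 3: new constraint covering only the form login page.
       It carries no auth-constraint, because an unauthenticated client
       must be able to reach the login page, but it uses the same
       transport guarantee as the protected pages. A mismatch here is
       what produces the redirect loop described above. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Form login page</web-resource-name>
      <url-pattern>/login.jsp</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
```

After redeploying, a quick check is to request http://host/login.jsp and confirm a single redirect to the https URL, followed by the login form over HTTPS rather than a second redirect.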