Hi all,

I've read some of hte posts here regarding SSL and LifeRay. I have Apache set up with Tomcat 5.5 with LifeRay. I did get the SSL working with a self signed certificate. One thing I noticed is that it now always go to HTTPS, I guess this is normal? I know there is complexity with sessions and SSL, but I was hoping that I could set it up such that at least it was HTTP until someone logged in. I can't really use virtual hosts to set that b/c there are shared areas where both authenticated and unauthenticated users use.

So one of my questions - is it possible to set it up such that only the actual login is HTTPS and rest of site is HTTP? Basically, so only the password is encrypted. I've seen other sites do this where only the login is SSL and the rest of the site is HTTP. Yahoo Mail is one example. Amazon is another example where the login is SSL (and the ordering pages) but rest of site is HTTP.

So, I was just going to have the whole site be SSL, but the only issue with that is I have some Google Maps on pages, which is imported HTTP. So in Internet Explorer, everytime a page with Google Maps is rendered, the browser throws a security warning saying non-HTTPS content is attempted to be loaded on a secure page. Very annoying!

ANy advice? Google only offers HTTPS for their maps with premier accounts and not sure what they charge for that. Has anyone else run into this? This is a pretty big headache, I dont' want that warning brought up each time a page is loaded, so I have only two options - don't use Google Maps or don't use SSL. I could get away w/ no SSL for now, but at some point I'll need to incorporate.

Thanks!

Hi Rice,

Liferay portal supports both HTTP and HTTPS.

You may simply set both HTTP and HTTPS on your Liferay portal. Enjoy!

From Liferay portal either HTTP or HTTPS, you can call other systems via HTTP like Google map directly. There should not be an issue.

By the way, your server should install SSL - otherwise it would show that untrusted issue.

Hope that it helps,

Thanks

Jonas Yuan

-----------------
The Author of Liferay Books:
Liferay Portal 5.2 Systems Development
Liferay Portal Enterprise Intranets

Hi Jonas,

Thanks for your reply. I did implement HTTPS successfully. One issue I'm having is that if you just go to my domain (w/ no absolute path specified), it always defaults to HTTPS. For instance, if I type http://www.mydomain.com, it'll forward to https://www.mydomain.com/web/guest page. If I type in the full path, ie http://www.mydomain.com/web/guest it'll stay w/ HTTP. I suspect though that this is more of an issue w/ the VirtualHost setup in Apache and I'm not too concerned with that.

I guess the problem specificially w/ Google Maps is not that it won't work, its that Internet Explorer will give that warning about loading unsecured content over a secured connection, which is quite annoying. I know this isn't necessarily a LifeRay issue, its IE being "careful."

One way I thought of "fixing" this issue is to only have the login page w/ HTTPS and the rest of the site navigated with HTTP. Are there issues with doing that? I've read some postings about how its a bit painful w/ sessions and such. I've tried to do that but get problesm logging in. There are settings I configured in portal-ext.properties file, and unless I specify that the site protocol be HTTPS, I can't login. If I could login, this would actually be the behavior I want - the site is navigated w/ HTTP, when you log in, its HTTPS, then you are back to HTTP. BUt when I do that, even though the log in succeeds, the site seems to lose the session and acts like I didn't log in (after redirection from a successful login).

Does that make sense? Basically, I would like my site to use HTTPS only for login, then HTTP the rest of the time, even after a user has logged in.

Thanks!

PS:

Here are the settings I'm talking about in portal-ext.properties:



If I leave out the web.server.* properties (and only have the company.security.auth.requires.https=true) line, the site will be served up with HTTP until user goes to login... Then its HTTPS. After login, the user is redirected to a page w/ HTTP, which is what I'd like to have happen, BUT the user isn't logged in. When I add the web.server.* properties, it all works properly, except now the whole site is always HTTPS. Just wondering if its possible to have it such that only login is HTTPS, and rest of the site is HTTP. Or better yet, even just specify certain pages/urls as HTTPS. For instance, if you were running an eCommerce site, you wouldn't necessarily want the whole site HTTPS, perhaps just the purchasing piece of it.

Just an update.

Okay, so I set my portal-ext.properties file to the following:



So, doing this will default to HTTP except for login, which will be HTTPS. As I stated before, when I login, it redirects to the main page but then seems to lose the session and it acts like I haven't logged in yet. BUT, on the login portlet, if I select "Remember Me" it actually does work! If I login and hve the "Remember Me" checkbox checked, it'll login, then redirect me to main page w/ HTTP, AND it does have me logged in. So it works IF the user selects "Remember Me" - anyone know why this would be? Is this a bug? I would expect that "Remember Me" wouldn't have an impact on this.

Anyway, foudn that odd. Wasn't expecting that to work.

THanks!

Hi Rice Owl,

just wondering, the configuration you are propossing did it work with the requirement you had?
I have similar requirement where users access public pages with http, and private pages with https.


Any one, can point me to the correct documentation for the requirement that mentioned by Rice?

Thanks
Mitesh

Hi,

my configuration is one Cluster Glassfish, the certificate is alright, but when i add these variables in the portal-ext.properties

company.security.auth.requires.https=true
session.enable.phishing.protection=false
web.server.http.port=80
web.server.https.port=443
web.server.host=www.contraloriagen.gov.co
web.server.protocol=http

The Url gets some parameters and is not redirected to index page

Tell what i can to make

Is urgent.

thanks