Securing data in transit: HTTPS to the rescue

When you tell a J2EE Container that you want to implement data confidentiality and/or integrity, the J2EE spec guarantees that the data to be transmitted will travel over a “protected transport layer connection”. In other words, Containers are not required to use any specific protocol to handle secure transmissions, but in practice they nearly all use HTTPS over SSL.

HTTP request—not secured

image with no caption

The Bad Eavesdropper gets a copy of the HTTP request that contains the client’s credit card info. The data isn’t protected, so it comes over in the body of the POST in a nice readable form. The Eavesdropper is happy.

A secured HTTPS over SSL request

image with no caption

The Bad Eavesdropper gets a copy of the HTTP request that contains the client’s credit card info.

But because it was sent with extra-strength HTTPS over SSL, he CANNOT read the information !!

image with no caption

Get Head First Servlets and JSP, 2nd Edition now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.