Posted to user@struts.apache.org by Tim Coy <ti...@timco.net.au> on 2005/10/04 23:48:24 UTC

How to ensure SSL transactions

Hi All
I have a shopping site which I have built using Struts 1.1 and Tomcat 5.5
(if that matters).

If the user tries to checkout with a purchase, without a valid session they
are forwarded to the "Sign On" page. For security, once the user "signs on"
they are transferred to the SSL version of the site.
I have done this by having the <forward> redirect to an absolute path with
the url containing the https request header, i.e.
<forward name="success"  redirect="true"
path="https://DOMAIN-NAME/shop/index.shtml"/>

Maybe this is the wrong thing to do?

It is however possible for the user to leave the SSL version of the site and
then proceed with their purchase without forcing the user back to SSL.

My question is
What is the best way to ensure that once a user has signed on that all
transactions are via the SSL?

-- 
Tim Coy
Timco Electronics Pty Ltd
tim@timco.net.au





---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: How to ensure SSL transactions

Posted by Max Cooper <ma...@maxcooper.com>.
Jeff,

It is common to have SSL between the browser and apache (httpd), and no
SSL between apache (httpd) and Tomcat. So you don't need to install a
cert on your tomcat.

Depending on how you are proxying requests from your httpd server to
tomcat (or if you also have load balancers and other components in
front), you can have trouble with redirects. For instance, if the world
knows your app as http://www.company.com/ and your app redirects the
user to https://tomcatserver.dmz.company.com/, you have some issues to
resolve. These issues are generally resolvable -- just be on the lookout
for bad redirects.

-Max

On Wed, 2005-10-05 at 07:24 -0700, Jeff Thorne wrote:
> I had a follow up question to the thread on SSL transactions. Does the SSL cert absolutely need to be installed in the servlet container? My ISP is telling me they will only install certs within the apache web server and not Resin/Tomcat. Is there a way to proxy SSL requests between apache web server and my struts app?
>  
> Thanks for the help,
> Jeff
> 
> 
> Tim Coy <ti...@timco.net.au> wrote:
> Ahh, I see
> So what I think you are saying is that I should force the Credit Card
> transaction form to https even if it is submitted from a http page.
> That makes sense.


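Worked configuration for the setup Max describes, added here as an example and not taken from the thread: httpd holds the certificate and terminates SSL, then proxies plain HTTP to Tomcat. Tomcat has to be told that everything arriving on that connector was already secure and what the public host name and port are; otherwise request.isSecure() is false and any redirect it generates (including the container's own SSL redirects) points at the internal Tomcat host and port instead of https://www.company.com/. The host names, ports and the /shop/ path are assumptions; www.company.com is the name from Max's example. The matching httpd side, not shown, is a ProxyPass /shop/ http://127.0.0.1:8080/shop/ plus ProxyPassReverse inside the port-443 virtual host, and a ProxyPass to port 8081 inside the port-80 virtual host.

```xml
<!-- Tomcat 5.5 server.xml fragment (added example, not from the thread).
     This connector only ever receives requests that httpd has already
     accepted over HTTPS, so it is declared secure and given the public
     name and port that browsers know. It is bound to loopback so nothing
     but the local httpd can reach it: a request that hit port 8080
     directly would otherwise be reported as secure when it was not. -->
<Connector port="8080"
           address="127.0.0.1"
           scheme="https"
           secure="true"
           proxyName="www.company.com"
           proxyPort="443" />

<!-- Plain-HTTP traffic must NOT be proxied to the connector above.
     If the site also serves http://, httpd's port-80 virtual host gets
     its own connector. redirectPort is what Tomcat uses when a
     web.xml transport-guarantee of CONFIDENTIAL forces a request over
     to https: the redirect becomes https://www.company.com/... because
     proxyName supplies the host and 443 is the default https port. -->
<Connector port="8081"
           address="127.0.0.1"
           proxyName="www.company.com"
           proxyPort="80"
           redirectPort="443" />
```

With mod_jk and an AJP/1.3 connector instead of mod_proxy, the SSL flag, server name and port are carried by the AJP protocol itself, so scheme="https" and secure="true" are not needed; the two-connector split and the loopback binding still apply. Whichever proxy is used, check the result from the browser: a request to an https page that ends up with a Location header naming tomcatserver.dmz.company.com or port 8080 means Tomcat still does not know it is behind the proxy.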


Re: How to ensure SSL transactions

Posted by Jeff Thorne <je...@yahoo.com>.
I had a follow up question to the thread on SSL transactions. Does the SSL cert absolutely need to be installed in the servlet container? My ISP is telling me they will only install certs within the apache web server and not Resin/Tomcat. Is there a way to proxy SSL requests between apache web server and my struts app?
 
Thanks for the help,
Jeff


Tim Coy <ti...@timco.net.au> wrote:
Ahh, I see
So what I think you are saying is that I should force the Credit Card
transaction form to https even if it is submitted from a http page.
That makes sense.
-- 
Tim Coy
Timco Electronics Pty Ltd
tim@timco.net.au


> The ideal mode of operation for SSLEXT is that the user does not get
> flopped, but rather gets linked or form-submitted to the correct scheme
> (http/https) in the first place.
> 
> For instance, if you use the SSLEXT link tag, the current page was
> accessed via HTTP, and the link is to a page that should be secure, the
> SSLEXT link tag will render an absolute URL starting with https://. No
> flop (via redirect) is required. The SSLEXT form tag works similarly.
> 





Re: How to ensure SSL transactions

Posted by Tim Coy <ti...@timco.net.au>.
Ahh, I see
So what I think you are saying is that I should force the Credit Card
transaction form to https even if it is submitted from a http page.
That makes sense.
-- 
Tim Coy
Timco Electronics Pty Ltd
tim@timco.net.au


> The ideal mode of operation for SSLEXT is that the user does not get
> flopped, but rather gets linked or form-submitted to the correct scheme
> (http/https) in the first place.
> 
> For instance, if you use the SSLEXT link tag, the current page was
> accessed via HTTP, and the link is to a page that should be secure, the
> SSLEXT link tag will render an absolute URL starting with https://. No
> flop (via redirect) is required. The SSLEXT form tag works similarly.
> 





Re: How to ensure SSL transactions

Posted by Max Cooper <ma...@maxcooper.com>.
On Tue, 2005-10-04 at 18:14 -0400, Dave Newton wrote:
> Tim Coy wrote:
> 
> >Point taken and I hadn't considered that.
> >Most users tend to only login once they intend to make a purchase. Then all
> >transactions are via SSL Including browsing for more items to purchase.
> >
> I haven't found that to be the case; I nearly always see just the 
> "important data" forms being protected via SSL, which is what I would 
> expect.
> 
> In any case, sslext lets you set a "secure" property for each action; if 
> the user arrives at that page w/ a non-matching method (http/https) 
> it'll flop you into the right one.

The ideal mode of operation for SSLEXT is that the user does not get
flopped, but rather gets linked or form-submitted to the correct scheme
(http/https) in the first place.

For instance, if you use the SSLEXT link tag, the current page was
accessed via HTTP, and the link is to a page that should be secure, the
SSLEXT link tag will render an absolute URL starting with https://. No
flop (via redirect) is required. The SSLEXT form tag works similarly.


Flopping can be bad in certain cases:
1. private data sent over HTTP
2. file uploads fail on flops, IIRC


If you do decide to rely on flopping (so you don't have to use the
SSLEXT taglib), be sure to make any page that calls a page that you want
to be secure as secure. For example:

(example with both /showLogin.do and /doLogin.do marked secure)
HTTP GET /showLogin.do
(FLOP! redirect)
HTTPS GET /showLogin.do
HTTPS POST /doLogin.do

is much better than:

(example with only /doLogin.do marked secure)
HTTP GET /showLogin.do
HTTP POST /doLogin.do
(FLOP! redirect, note that all redirects are GETs)
HTTPS GET /doLogin.do?username=bob&password=everyoneknowsmypassword

(I think SSLEXT might store the POSTed params in the session to avoid
putting them in the redirect URL, but I can't remember.)

-Max

> 
> Dave
> 


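The rule Max gives above (mark the page that renders the form secure, not only the action it posts to) can be enforced by the servlet container itself rather than by sslext redirects, which is also the most direct answer to Tim's original question of how to make every transaction after sign-on go over SSL. The following web.xml fragment is an added example, not from the thread; the URL patterns reuse the /showLogin.do and /doLogin.do names from Max's example and add an assumed /checkout/* path. A user-data-constraint of CONFIDENTIAL makes Tomcat redirect any plain-HTTP request for these URLs to https. No auth-constraint is set, so this constraint governs transport only, not who may log in.

```xml
<!-- web.xml, Servlet 2.4 / Tomcat 5.5 (added example, not from the thread).
     Every URL that shows a sensitive form is listed alongside the action
     the form posts to, so the POST itself is never made over HTTP. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Sign-on and checkout</web-resource-name>
    <!-- Page that renders the login form: must be secure, otherwise the
         browser posts the credentials in clear before Tomcat can act. -->
    <url-pattern>/showLogin.do</url-pattern>
    <!-- Action the form posts to. -->
    <url-pattern>/doLogin.do</url-pattern>
    <!-- Assumed checkout path covering the card-entry pages and actions. -->
    <url-pattern>/checkout/*</url-pattern>
    <!-- No http-method element: the constraint applies to every method. -->
  </web-resource-collection>
  <user-data-constraint>
    <!-- CONFIDENTIAL: Tomcat rejects the request unless
         request.isSecure() is true, redirecting to the https port. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

Tomcat builds that redirect from the request URI and query string only and sends the browser to the redirectPort of the connector the request arrived on (server.xml: <Connector port="8080" redirectPort="8443"/>); with redirectPort unset it returns 403 instead of redirecting. A POST body is not carried across the redirect, so a form submitted over HTTP to /doLogin.do alone fails, and its contents have already crossed the wire in clear; that is exactly why /showLogin.do is in the list too. Two further checks a practitioner will want: behind an SSL-terminating httpd the Tomcat connector must be configured to report proxied requests as secure, or every https request will be redirected to https again in a loop; and a session first created over HTTP gets its JSESSIONID cookie without the Secure attribute, so the browser keeps sending it over http after the user has moved to https. Invalidating and recreating the session once on the secure side closes that gap.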


Re: How to ensure SSL transactions

Posted by Tim Coy <ti...@timco.net.au>.
The idea of "flopping" sounds good to me :-)

Thanks for the tips
-- 
Tim Coy
Timco Electronics Pty Ltd
tim@timco.net.au


> I haven't found that to be the case; I nearly always see just the
> "important data" forms being protected via SSL, which is what I would
> expect.
> 
> In any case, sslext lets you set a "secure" property for each action; if
> the user arrives at that page w/ a non-matching method (http/https)
> it'll flop you into the right one.






Re: How to ensure SSL transactions

Posted by Dave Newton <ne...@pingsite.com>.
Tim Coy wrote:

>Point taken and I hadn't considered that.
>Most users tend to only login once they intend to make a purchase. Then all
>transactions are via SSL Including browsing for more items to purchase.
>
I haven't found that to be the case; I nearly always see just the 
"important data" forms being protected via SSL, which is what I would 
expect.

In any case, sslext lets you set a "secure" property for each action; if 
the user arrives at that page w/ a non-matching method (http/https) 
it'll flop you into the right one.

Dave





Re: action class that responds to javascript request from another domain

Posted by Michael Jouravlev <jm...@gmail.com>.
http://struts.apache.org/api/org/apache/struts/action/Action.html#execute(org.apache.struts.action.ActionMapping,%20org.apache.struts.action.ActionForm,%20javax.servlet.http.HttpServletRequest,%20javax.servlet.http.HttpServletResponse)

Basically, take HttpResponse from execute() arguments, write to it,
and return null from execute().

Michael.

On 10/4/05, Jeff Thorne <je...@yahoo.com> wrote:
>
> I am trying to allow users of my site to incorporate some of my site's content in their blog. I am letting them paste the following code in their site:
>
> <script type="text/javascript" src="http://mysite.com/blog/mypostings.jsp?id=23330"> </script>
>
> I need my action class to send the following back to the javascript request.
>
> document.write('<div id="posts"><ul><li><a href="http://mysite.com/service.jsp?post=21377" target="_blank">Post Title</a></li></ul></div>');
>
> How can I set up an action class to do this? Can this be done with an action forward?
>
> Thanks for the help,
>
> Jeff
>

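What Michael describes, written out as a Struts 1.1 Action. This is an added example, not code from the thread or from Struts: the class name, the /blog/mypostings.do mapping it assumes, and the in-memory posting table are all made up for illustration, and the table stands in for whatever DAO the real application uses. Because the script is loaded by other people's pages and the output is written into their DOM with document.write, every dynamic value is escaped twice, first for HTML (the inner context) and then for the JavaScript string literal that wraps it; the second sample title shows what would otherwise end up executing on the embedding blog.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/**
 * Added example, not from the thread. Mapped (by assumption) to
 * /blog/mypostings.do; answers the cross-site <script src="..."> include
 * by writing JavaScript straight to the response and returning null.
 */
public class BlogPostingsAction extends Action {

    /** Constructed sample data: {posting id, service.jsp post id, title}.
     *  The second title carries characters that would break out of a
     *  naively concatenated document.write() string. */
    private static final String[][] SAMPLE_POSTS = {
        { "23330", "21377", "Post Title" },
        { "23331", "21378", "It's 5 < 6 </script><script>alert(1)</script>" },
    };

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response)
            throws Exception {
        String id = request.getParameter("id");
        // Only a short decimal id is accepted. Anything else gets an empty
        // script so the embedding page still renders, and the raw value
        // never reaches the output or the data layer.
        if (id == null || !id.matches("[0-9]{1,10}")) {
            writeScript(response, "");
            return null;
        }
        writeScript(response, buildScript(id));
        return null; // response is complete: nothing to forward to
    }

    /** Builds the document.write(...) statement for one posting id. */
    static String buildScript(String id) {
        StringBuffer html = new StringBuffer("<div id=\"posts\"><ul>");
        for (int i = 0; i < SAMPLE_POSTS.length; i++) {
            if (!SAMPLE_POSTS[i][0].equals(id)) {
                continue;
            }
            // The post id comes from our own table but is escaped anyway, so
            // the rule "every dynamic value is escaped for its context" holds.
            html.append("<li><a href=\"http://mysite.com/service.jsp?post=")
                .append(htmlEscape(SAMPLE_POSTS[i][1]))
                .append("\" target=\"_blank\">")
                .append(htmlEscape(SAMPLE_POSTS[i][2]))
                .append("</a></li>");
        }
        html.append("</ul></div>");
        // Inner context (HTML) first, then the JS string literal around it.
        return "document.write('" + jsStringEscape(html.toString()) + "');";
    }

    private static void writeScript(HttpServletResponse response, String body)
            throws IOException {
        // Browsers execute a <script src> regardless of type, but a correct
        // content type keeps proxies and content sniffing honest.
        response.setContentType("text/javascript; charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.print(body);
        out.flush();
    }

    /** Escapes a value for HTML text or a double-quoted HTML attribute. */
    static String htmlEscape(String s) {
        StringBuffer sb = new StringBuffer(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Escapes a value for a single-quoted JS string literal. "<" and "/"
     *  are escaped too, so the literal can never contain "</script>" even
     *  if a later change drops the HTML escaping. */
    static String jsStringEscape(String s) {
        StringBuffer sb = new StringBuffer(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\\': sb.append("\\\\");  break;
                case '\'': sb.append("\\'");   break;
                case '"':  sb.append("\\\"");  break;
                case '\n': sb.append("\\n");   break;
                case '\r': sb.append("\\r");   break;
                case '<':  sb.append("\\x3c"); break;
                case '/':  sb.append("\\/");   break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

The struts-config entry is an ordinary <action path="/blog/mypostings" type="BlogPostingsAction"/> with no <forward>; because execute() returns null after writing the body, the RequestProcessor performs no forward and the bytes already written are the whole response. For id=23330 the output is the document.write line Jeff wants, with the slashes and angle brackets of the markup hex- or backslash-escaped inside the string literal; for id=23331 the alert() never runs on the embedding page, because the title arrives as inert text.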


action class that responds to javascript request from another domain

Posted by Jeff Thorne <je...@yahoo.com>.
I am trying to allow users of my site to incorporate some of my site's content in their blog. I am letting them paste the following code in their site:

<script type="text/javascript" src="http://mysite.com/blog/mypostings.jsp?id=23330"> </script>

I need my action class to send the following back to the javascript request.

document.write('<div id="posts"><ul><li><a href="http://mysite.com/service.jsp?post=21377" target="_blank">Post Title</a></li></ul></div>');

How can I set up an action class to do this? Can this be done with an action forward?

Thanks for the help,

Jeff


Re: How to ensure SSL transactions

Posted by Tim Coy <ti...@timco.net.au>.
Point taken and I hadn't considered that.
Most users tend to only login once they intend to make a purchase. Then all
transactions are via SSL Including browsing for more items to purchase. Once
their session expires forward the browser back to the non SSL pages.
This does not however preclude the user from directly entering the SSL pages
without a valid session, which is also something I would like to fix.

I will have a look at sslext and thanks for the tip.
-- 
Tim Coy
Timco Electronics Pty Ltd
tim@timco.net.au


> sslext: http://sslext.sourceforge.net/ is one way.
> 
> I assume you only want to put CC/login stuff under SSL (otherwise it's
> unnecessary server drag).
> 
> Dave





Re: How to ensure SSL transactions

Posted by Dave Newton <ne...@pingsite.com>.
Tim Coy wrote:

>My question is
>What is the best way to ensure that once a user has signed on that all
>transactions are via the SSL?
>  
>
sslext: http://sslext.sourceforge.net/ is one way.

I assume you only want to put CC/login stuff under SSL (otherwise it's 
unnecessary server drag).

Dave


