Posted to user@struts.apache.org by jorisumu <jo...@terra.com.co> on 2002/03/19 16:02:13 UTC

Re: RE: RE: Big Problem Dealing with SSL!! (Using S. Ditlinger's ext. )

Indeed! ;-)
I think it would help a lot.

A workaround solution I tried before your suggestion was making the 
forwarding secure (the page, the action, whatever it takes ;) ), that 
way I eliminated the pop-up. But I think it was a very unwise solution, 
especially when my aim is performance, and I don't need those pages to 
be secure for now.

If the WHATEVER value helps to eliminate the pop-up I totally agree. 
Most of the users get confused and scared with these security messages, 
especially when they are people of financial market like mine.. ;-)

I have some other comments to you about the extension. Should I write 
them here, or should I write them to you directly?

Thanks!

Jorge Ivan Suarez
Factoring Market.


----- Original Message -----
From: "Ditlinger, Steve" <SD...@ebuilt.com>
Date: Monday, March 18, 2002 4:04 pm
Subject: RE: RE: Big Problem Dealing with SSL!! (Using S. Ditlinger's ext.)

> Good!
> 
> I don't think there is any way of eliminating the pop-up message (except by
> the browser user disabling it) since you are in fact redirecting from a
> secure to a non-secure page.
> 
> We have been thinking of changing the extension so that the "secure"
> property has 3 possible values: SECURE (for https), NON-SECURE (for http)
> and WHATEVER (to accept either protocol).  Using the WHATEVER value would
> help cut down on those message dialogs.  Do you think this would be
> worthwhile?
> 
> Steve
> 
> -----Original Message-----
> From: jorisumu [mailto:jorisumu@terra.com.co]
> Sent: Monday, March 18, 2002 11:57 AM
> To: Ditlinger Steve
> Subject: Re: RE: Big Problem Dealing with SSL!! (Using S. Ditlinger's
> ext.)
> 
> 
> Well it worked! :-D
> 
> After adding the redirect="true" attribute to the forward definition
> the login are not present anymore in the transmission. But I still get
> the pop-up message though. I guess I can live with this for now.
> 
> Thanks a lot!
> 
> Jorge
> 
> ----- Original Message -----
> From: "Ditlinger, Steve" <SD...@ebuilt.com>
> Date: Monday, March 18, 2002 1:18 pm
> Subject: RE: Big Problem Dealing with SSL!! (Using S. Ditlinger's ext.)
> 
> > If you change the forward definition to this:
> > 
> > <global-forwards>.....
> > <forward name="account.fwd" path=
> > ...</global-forwards>
> > 
> > you should eliminate the presence of the logon parameters in the query
> > string.
> > 
> > The extension we wrote redirects a page using the correct protocol (if
> > necessary).  One of the consequences of a redirect is the loss of posted
> > parameters.  For this reason, in our extension, we put posted parameters
> > into the query string.  This can be annoying in many cases and just bad in
> > other cases such as for login parameters (like yours).
> > 
> > In your case, after you have executed logonAction, you shouldn't need the
> > login parameters any more, but when you forward to the non-secured action,
> > our extension will try to save them in the query string.  By specifying
> > "redirect=true" in the forward, you will cause Struts to use redirect rather
> > than forward when it requests "account.do", which will clean out the logon
> > attributes before our extension ever has a chance to redirect using the
> > non-secure protocol.
> > 
> > hth,
> > Steve
> > 
> > 
> > -----Original Message-----
> > From: jorisumu [mailto:jorisumu@terra.com.co]
> > Sent: Thursday, March 14, 2002 4:49 PM
> > To: struts-user@jakarta.apache.org
> > Subject: Big Problem Dealing with SSL!! (Using S. Ditlinger's ext.)
> > 
> > 
> > Hi all!
> > 
> > I discovered a few days ago the famous article at JavaWorld by Steve
> > Ditlinger (http://www.javaworld.com/javaworld/jw-02-2002/jw-0215-ssl.html).
> > 
> > Then after looking at the archives of this mail-list I discovered HE
> > actually made an implementation of the ideas expressed on the article
> > as a struts extension (http://struts.ditlinger.com).
> > 
> > Well, I'm in the middle of the development of a web-app using Struts.
> > So I decided to try it! Thanks Steve, it's really cool!!! It gave me a
> > little trouble at the beginning, but it was just about config issues. (I
> > truly encourage you to document the extension a little more ;-) ).
> > 
> > Now I have a little problem: I have this logon action defined in my
> > struts-config.xml:
> > 
> > <action path="/logon"
> >              type="com.factoringmarket.web.LogonAction"
> >              name="logonForm"
> >              scope="request"
> >              input="/logon.jsp">
> >        <set-property property="secure" value="true"/>
> >       
> > 
> > I call it from my jsp this way:
> > 
> > <sslext:form action="/logon" focus="membername">
> > .......
> > </sslext:form>
> > 
> > My problem comes when in the LogonAction's perform() I return a forward
> > to a non-secure page that is actually defined in the struts-config.xml
> > file as a global forward like this:
> > <global-forwards>.....
> > <forward name="account.fwd" path=
> > ...</global-forwards>
> > 
> > Then I got the pop-up message in the browser: "You are about to be
> > redirected to a connection that is not secure. The information you are
> > sending to the current site might be retransmitted to a nonsecure site.
> > Do you wish to continue?" So I got curious and checked the transmission
> > with a protocol analyzer and I can clearly see in the transmission: "GE
> > So I'm confused... Why is this happening? What am I doing wrong? How can
> > I avoid this retransmission? :-O
> > 
> > Thanks a lot guys!
> > 
> > 
> > 
> 
> 
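
Added example, not part of the original thread and not code from the Struts extension: a check for the condition discussed above, where a redirect from https to http carries logon parameters in the query string, run over a constructed capture like the one the poster inspected with a protocol analyzer. The host `app.example`, the `logon.do` URL, the sample values and the `SENSITIVE` name list are assumptions; `membername` and `account.do` come from the thread.

```python
from urllib.parse import urlsplit, parse_qsl

# Parameter names treated as credentials (assumed list; adjust per application).
SENSITIVE = {"password", "passwd", "pwd", "membername", "username"}
REDIRECTS = (301, 302, 303, 307, 308)

def leaked_params(request_url, status, location):
    """Return the sensitive parameter names found in the query string of a
    redirect that moves the browser from https to http, else []."""
    if status not in REDIRECTS or not location:
        return []
    src, dst = urlsplit(request_url), urlsplit(location)
    # A relative Location stays on the request's scheme, so it is no downgrade.
    dst_scheme = (dst.scheme or src.scheme).lower()
    if src.scheme.lower() != "https" or dst_scheme != "http":
        return []
    names = {k.lower() for k, _ in parse_qsl(dst.query, keep_blank_values=True)}
    return sorted(names & SENSITIVE)

# Constructed sample exchanges: (request URL, response status, Location header).
CAPTURE = [
    # Posted logon parameters copied into the query string of the http redirect.
    ("https://app.example/logon.do", 302,
     "http://app.example/account.do?membername=alice&password=s3cret"),
    # Same downgrade after the parameters were cleaned out: nothing to report.
    ("https://app.example/logon.do", 302, "http://app.example/account.do"),
    # Relative redirect: still https, so not reported by this check.
    ("https://app.example/logon.do", 302, "/account.do?password=s3cret"),
    ("https://app.example/logon.do", 200, None),
]

def scan(capture):
    """Return (request URL, Location, leaked names) for each offending entry."""
    return [(req, loc, hits) for req, status, loc in capture
            if (hits := leaked_params(req, status, loc))]

if __name__ == "__main__":
    for req, loc, hits in scan(CAPTURE):
        print(f"{req} -> {loc}: credentials in query string: {hits}")
```
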
