You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@struts.apache.org by "Ditlinger, Steve" <SD...@ebuilt.com> on 2002/01/24 18:33:43 UTC

RE: Proposed solution for HTTP vs. HTTPS 


> 		Struts-folk:
> 
> 		Please see the attached file as a demonstration of our
> proposed extensions for Struts.  
> 
> 		In the course of our work, we have had numerous projects
> where it was necessary to switch between using the http & https protocols
> on a page by page basis.  We had a solution which we used in a traditional
> MVC framework with servlets and JSP. We have since switched over to using
> Struts in all of our projects.  Reworking our solution within Struts has
> improved our solution dramatically.
> 
> 		We had noticed that other Struts users had been asking about
> enabling this type of protocol switching.  We thought that you might find
> enough value in what we have done to include our solution as an extension
> to Struts.
> 
> 		The following describes what we have done:
> 
> 		We added a "secure" property to the action tag in the
> struts-config.xml file.  A value of true for this property will specify
> that the request to the action should be transmitted via SSL (https).  We
> defined a class SecureActionMapping that extends the ActionMapping class
> and includes the new "secure" property.
> 
> 		We added two more initialization parameters for
> SecureActionServlet (our extension to ActionServlet).  These parameters,
> http-port and https-port, specify the ports being used by the web
> application for http and https protocols.  These default to 80 & 443,
> respectively.  
> 
> 		We added code to SecureActionServlet which will redirect the
> action if the protocol in the request (http or https) for some reason does
> not match that specified by the value of the "secure" property.  The
> redirect URL will include the correct protocol and port number.   One
> possible reason for the protocols not matching would be the manual entry
> of a URL into a browser client with the wrong protocol specified.
> 
> 		We created SecureLinkTag as an extension to LinkTag to
> prevent unncessary round trips and provide greater security to data
> transmission.  The added capability to this tag is that it checks the
> action mappings for the "secure" property of actions that are specified in
> the link.  If the secure property is true and the current page was
> transmitted using http, the SecureLinkTag creates a link specifying the
> https protocol and https port for the web application.  Similarly, for
> pages transmitted using https that have http links, the http protocol and
> port will be generated by the link tag.  If the protocol for the current
> page matches that of the link specified, a relative link is created in the
> page.   For good measure, we also added a SecureWriteTag.  The FormTag
> should also be changed in the same way.  Other tags which could have
> similar changes change are ImageTag and ImgTag.
> 
> 		We created a new tag which we call PageSchemeTag.  This
> allows developers to specify transmission protocol at the page level.
> While good design would seem to require switching protocols only at the
> action level, this tag comes in handy for pages like the login page,
> especially using container managed security.  As with the actions, this
> tag will cause a redirect if the request protocol does not match the
> protocol specified by the secure attribute.
> 
> 		We also added a bunch of utility methods in our
> SecureRequestUtils class that is an extension of the RequestUtils class.
> 
> 		Also included is a small demo application of the extensions
> we have made for use with Tomcat :
> 		NullAction is the action class that is used in the
> definition of all four actions in the struts-config.xml file.  It places a
> string in the request to be forwarded and displayed in a JSP.  The four
> actions are:
> 		true - an action with the "secure" attribute set to TRUE
> which forwards to true.jsp, a page which does not specify a security
> parameter.
> 		false- an action with the "secure" attribute set to FALSE
> which forwards to false.jsp, a page which does not specify a security
> parameter.
> 		truetag - an action with the "secure" attribute set to FALSE
> which forwards to truetag.jsp, a page which includes the pageScheme tag to
> specify a "secure" attribute of TRUE. 
> 		falsetag - an action with the "secure" attribute set to TRUE
> which forwards to falsetag.jsp,  a page which includes the pageScheme tag
> to specify a "secure" attribute of FALSE. 
> 
> 		Each JSP includes links to the 3 other actions.  The
> SecureLinkTag is used to create these links.  Note that the URL generated
> for each of these links will include any change of protocol and port that
> is required.  
> 
> 		We offer this to developers as an extension to Struts, but
> think that ideally our solution would be incorporated into ActionServlet,
> ActionMapping, LinkTag, etc.  
> 
> 		Please give it a try and let us know what you think.  We
> will post again once we have added our extension to FormTag.
> 
> 		Please feel free to ask us any questions or give us any
> comments or suggestions that you may have about this solution.
> 
> 
> 		Sincerely,
> 
> 		Max Cooper
> 		Steve Ditlinger
> 		Prakash Malani
> 		Danny Trieu
> 
> 		eBuilt, Inc.
> 		Irvine, CA
> 
> 		 <<sslext.jar>> 
> 
>