You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@struts.apache.org by Anastasios Patrikis <An...@prodyna.de> on 2008/07/23 12:20:13 UTC

[S2] Using SSL, HTTP, HTTPS and invoking Action classes

Hi,

I have problem in switching my application context from http to https an
back again.
Because I am new to Struts I am not sure if I use the framework the
right way, so any help or hint is greatly appreciated

Here is the task: I have some pages in my application which are
available via http. There is a step in which the user is requested to
enter some personal data, and the user can create a account. This page
should be secured using SSL on a https site. Later on, the user should
be redirected back to http.


First problem: I do not know if the setup for using SSL is "the Struts
way" because it is quiet hard to find information in how to use SSL and
Struts.
However, this is how I configured the application.

- in web.xml I added the action which causes the switch from http to
https:
<security-constraint>
	<web-resource-collection>
		<!-- login -->
		<url-pattern>/Login.action</url-pattern>
	</web-resource-collection>
	<user-data-constraint>
		<transport-guarantee>CONFIDENTIAL</transport-guarantee>
	</user-data-constraint>
</security-constraint>

- in struts.xml I have a definition for the action:
<action name="Login" class="com.action.CustomerLoginAction"
method="userLogin">
      <result name="error">/ErrorPage.jsp</result>
      <result>/LoginPage.jsp</result>
</action>

- as all following request are made in the secured context I wrote a
simple action class for redirecting back to http.

First question is if this is the right way. It seems to be a quiet
complicated solution for a common task.


Second problem: without changing into a secure context (no
"security-constraint" in web.xml) I can call my action class and some
properties are set by the framework calling the appropriate "set"
methods. After applying the "security-constraint" in the web.xml file
the "set" methods are not invoked any more.

Second question: is this the behavior by design? How should I set the
necessary properties, by using session variables? I found an article
which describes a problem by using a session variable in combination
with SSL: http://forums.opensymphony.com/thread.jspa?messageID=130588.
Once again I think my solution is to complicated and this task is
supported by the framework without me knowing how to do it a better way.

Best regards,

Anastasios.


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org

AW: [S2] Using SSL, HTTP, HTTPS and invoking Action classes

Posted by Anastasios Patrikis <An...@prodyna.de>.

Hi Nuwan,

this is the stuff I was looking for. Just some configuration in struts.xml and a few annotations.
The Struts PlugIs is easy to use, and now everything works as expected.

Thanks a lot,
regards,

	Anastasios.


-----Ursprüngliche Nachricht-----
Von: Nuwan Chandrasoma [mailto:mymailnot@gmail.com] 
Gesendet: Mittwoch, 23. Juli 2008 14:21
An: Struts Users Mailing List
Betreff: Re: [S2] Using SSL, HTTP, HTTPS and invoking Action classes

Hi,

Have a look at this plug-in, it may help you

http://code.google.com/p/struts2-ssl-plugin/

Thanks,

Nuwan



Anastasios Patrikis wrote:
> Hi,
>
> I have problem in switching my application context from http to https an
> back again.
> Because I am new to Struts I am not sure if I use the framework the
> right way, so any help or hint is greatly appreciated
>
> Here is the task: I have some pages in my application which are
> available via http. There is a step in which the user is requested to
> enter some personal data, and the user can create a account. This page
> should be secured using SSL on a https site. Later on, the user should
> be redirected back to http.
>
>
> First problem: I do not know if the setup for using SSL is "the Struts
> way" because it is quiet hard to find information in how to use SSL and
> Struts.
> However, this is how I configured the application.
>
> - in web.xml I added the action which causes the switch from http to
> https:
> <security-constraint>
> 	<web-resource-collection>
> 		<!-- login -->
> 		<url-pattern>/Login.action</url-pattern>
> 	</web-resource-collection>
> 	<user-data-constraint>
> 		<transport-guarantee>CONFIDENTIAL</transport-guarantee>
> 	</user-data-constraint>
> </security-constraint>
>
> - in struts.xml I have a definition for the action:
> <action name="Login" class="com.action.CustomerLoginAction"
> method="userLogin">
>       <result name="error">/ErrorPage.jsp</result>
>       <result>/LoginPage.jsp</result>
> </action>
>
> - as all following request are made in the secured context I wrote a
> simple action class for redirecting back to http.
>
> First question is if this is the right way. It seems to be a quiet
> complicated solution for a common task.
>
>
> Second problem: without changing into a secure context (no
> "security-constraint" in web.xml) I can call my action class and some
> properties are set by the framework calling the appropriate "set"
> methods. After applying the "security-constraint" in the web.xml file
> the "set" methods are not invoked any more.
>
> Second question: is this the behavior by design? How should I set the
> necessary properties, by using session variables? I found an article
> which describes a problem by using a session variable in combination
> with SSL: http://forums.opensymphony.com/thread.jspa?messageID=130588.
> Once again I think my solution is to complicated and this task is
> supported by the framework without me knowing how to do it a better way.
>
> Best regards,
>
> Anastasios.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>
>
>   


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org

Re: [S2] Using SSL, HTTP, HTTPS and invoking Action classes

Posted by Nuwan Chandrasoma <my...@gmail.com>.

Hi,

Have a look at this plug-in, it may help you

http://code.google.com/p/struts2-ssl-plugin/

Thanks,

Nuwan



Anastasios Patrikis wrote:
> Hi,
>
> I have problem in switching my application context from http to https an
> back again.
> Because I am new to Struts I am not sure if I use the framework the
> right way, so any help or hint is greatly appreciated
>
> Here is the task: I have some pages in my application which are
> available via http. There is a step in which the user is requested to
> enter some personal data, and the user can create a account. This page
> should be secured using SSL on a https site. Later on, the user should
> be redirected back to http.
>
>
> First problem: I do not know if the setup for using SSL is "the Struts
> way" because it is quiet hard to find information in how to use SSL and
> Struts.
> However, this is how I configured the application.
>
> - in web.xml I added the action which causes the switch from http to
> https:
> <security-constraint>
> 	<web-resource-collection>
> 		<!-- login -->
> 		<url-pattern>/Login.action</url-pattern>
> 	</web-resource-collection>
> 	<user-data-constraint>
> 		<transport-guarantee>CONFIDENTIAL</transport-guarantee>
> 	</user-data-constraint>
> </security-constraint>
>
> - in struts.xml I have a definition for the action:
> <action name="Login" class="com.action.CustomerLoginAction"
> method="userLogin">
>       <result name="error">/ErrorPage.jsp</result>
>       <result>/LoginPage.jsp</result>
> </action>
>
> - as all following request are made in the secured context I wrote a
> simple action class for redirecting back to http.
>
> First question is if this is the right way. It seems to be a quiet
> complicated solution for a common task.
>
>
> Second problem: without changing into a secure context (no
> "security-constraint" in web.xml) I can call my action class and some
> properties are set by the framework calling the appropriate "set"
> methods. After applying the "security-constraint" in the web.xml file
> the "set" methods are not invoked any more.
>
> Second question: is this the behavior by design? How should I set the
> necessary properties, by using session variables? I found an article
> which describes a problem by using a session variable in combination
> with SSL: http://forums.opensymphony.com/thread.jspa?messageID=130588.
> Once again I think my solution is to complicated and this task is
> supported by the framework without me knowing how to do it a better way.
>
> Best regards,
>
> Anastasios.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>
>
>   


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org