Posted to user@struts.apache.org by Scott Cressler <sc...@propel.com> on 2001/04/24 18:35:01 UTC

Submitting from one webapp to another

We're trying to separate the pages in our app into secure and non-secure.
As part of that, we would like to have situations like the login page, the
one that displays the form for getting your username and password, to be in
the non-secure section and the Action that receives the submit from the
login form to be in the secure section.  But the <html:form> tag won't let
us do that because it would mean something like this:

<html:form action="https://secure.site.domain/handleLogin.od">

or some such URL.  <html:form> appears to expect/require an Action (defined
in your local struts-config.xml file) to be the value of the "action="
attribute.

Why is this required, that is, while it is nice for <html:form> to attempt
to help out when setting up the "action=" of the <form> tag it generates,
why won't it also allow any old URL?

Of course, I could just use my own <form> tag with the correct "action=" to
POST to the secure Action, but I think that means I can't use the rest of
the <html:*> tags, like <html:text>, right?

Is this just a limitation of Struts that should/will be addressed?  Or are
we trying to do something that we shouldn't try to do?  For example, we
could, of course, put both the page to display the form and the Action to
accept it on the same, secure server, but that wasn't the way we wanted to
design things.  Are we trying to design it in a bad way, or is Struts
unnecessarily limiting us?

Thanks for any info,
Scott

Re: Submitting from one webapp to another

Posted by Ted Husted <hu...@apache.org>.
In general, people expect the page that receives their password to be
secure. When that is the case, the Struts forms operate properly, and
maintain the secure connection.

I believe that if you do this any other way, the password will not be
transmitted by SSL.

The trouble I'm having is getting back out of SSL after they log in.

Eric Wong had a suggestion for this at
<http://www.mail-archive.com/struts-user@jakarta.apache.org/msg06454.html>
but I haven't tried to implement it.

Scott Cressler wrote:
> 
> We're trying to separate the pages in our app into secure and non-secure.
> As part of that, we would like to have situations like the login page, the
> one that displays the form for getting your username and password, to be in
> the non-secure section and the Action that receives the submit from the
> login form to be in the secure section.  But the <html:form> tag won't let
> us do that because it would mean something like this:
> 
> <html:form action="https://secure.site.domain/handleLogin.od">
> 
> or some such URL.  <html:form> appears to expect/require an Action (defined
> in your local struts-config.xml file) to be the value of the "action="
> attribute.
> 
> Why is this required, that is, while it is nice for <html:form> to attempt
> to help out when setting up the "action=" of the <form> tag it generates,
> why won't it also allow any old URL?
> 
> Of course, I could just use my own <form> tag with the correct "action=" to
> POST to the secure Action, but I think that means I can't use the rest of
> the <html:*> tags, like <html:text>, right?
> 
> Is this just a limitation of Struts that should/will be addressed?  Or are
> we trying to do something that we shouldn't try to do?  For example, we
> could, of course, put both the page to display the form and the Action to
> accept it on the same, secure server, but that wasn't the way we wanted to
> design things.  Are we trying to design it in a bad way, or is Struts
> unnecessarily limiting us?
> 
> Thanks for any info,
> Scott