sslext

[Jim Reynolds <ji...@gmail.com>]

Having the need to switch between http and https in a project I am
working on with struts as the framework, I have run into some issues
in regards to accomplishing this task.

If I use the action mapping and forward to a full url specifying the
type [http, https], then I have to do a redirect, and then the jsp
page shows up in the url, and that is not good. So I hate that idea.

Then I found the sslext at sourceforge ... but cannot find any
information on how this works, how to configure, etc. And the mailing
lists look like a ghost town.


So I am hoping possibly someone on this list has or is using the
sslext, and possibly has some ideas how this fits together.

If so, please let me know, and maybe someone could give me a overview
of what I need to do to get this working. Otherwise, it looks like a
<security constraint> for the whole app and I do not want to do that.

Regards.

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org

Re: sslext

[Dave Newton <ne...@pingsite.com>]

Jim Reynolds wrote:

>Then I found the sslext at sourceforge ... but cannot find any
>information on how this works, how to configure, etc. And the mailing
>lists look like a ghost town.
>  
>
http://struts.apache.org/struts-doc-1.2.x/faqs/ssl.html



---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org

RE: sslext

[Daniel Perry <d....@netcase.co.uk>]

> If I use the action mapping and forward to a full url specifying the
> type [http, https], then I have to do a redirect, and then the jsp
> page shows up in the url, and that is not good. So I hate that idea.

Why does the jsp have to show up in the url?  Why not redirect to a full
struts url, eg, http://foo.com/bar/action1.do redirects to
https://foo.com/bar/action2.do and action 2 forwards to a jsp.

I had this same issue last week - log on page had to be ssl, but rest of
site not.  So, i just make the link to login.do a full link inc https and
sessionid, and make the login success forward redirect to the non ssl full
link.  Worked a treat.

The biggest problem i came accross was that the site runs on www.foo.com,
but ssl is on foo.com, and tomcat doesnt seem to let you set a domain for
session cookies (PLEASE TELL ME IF I AM WRONG!!!), so i had to bodge it: i
added a servlet filter that checks for a session, and if it's new, sets an
extra cookie for the base domain.


> Then I found the sslext at sourceforge ... but cannot find any
> information on how this works, how to configure, etc. And the mailing
> lists look like a ghost town.

Never used it so i cant comment.

Daniel.


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org