Posted to user@struts.apache.org by "Ditlinger, Steve" <SD...@ebuilt.com> on 2002/03/18 22:04:51 UTC
RE: RE: Big Problem Dealing with SSL!! (Using S. Ditlinger's ext.)
Good!
I don't think there is any way of eliminating the pop-up message (except by
the browser user disabling it) since you are in fact redirecting from a
secure to a non-secure page.
We have been thinking of changing the extension so that the "secure"
property has 3 possible values: SECURE (for https), NON-SECURE (for http)
and WHATEVER (to accept either protocol). Using the WHATEVER value would
help cut down on those message dialogs. Do you think this would be
worthwhile?
Steve
-----Original Message-----
From: jorisumu [mailto:jorisumu@terra.com.co]
Sent: Monday, March 18, 2002 11:57 AM
To: Ditlinger Steve
Subject: Re: RE: Big Problem Dealing with SSL!! (Using S. Ditlinger's
ext.)
Well it worked! :-D
After adding the redirect="true" attribute to the forward definition
the login are not present anymore in the transmission. But I still get
the pop-up message though. I guess I can live with this for now.
Thanks a lot!
Jorge
----- Original Message -----
From: "Ditlinger, Steve" <SD...@ebuilt.com>
Date: Monday, March 18, 2002 1:18 pm
Subject: RE: Big Problem Dealing with SSL!! (Using S. Ditlinger's ext.)
> If you change the forward definition to this:
>
> <global-forwards>.....
> <forward name="account.fwd" path=
> ...</global-forwards>
>
> you should eliminate the presence of the logon parameters in the query
> string.
>
> The extension we wrote redirects a page using the correct protocol (if
> necessary). One of the consequences of a redirect is the loss of
> posted parameters. For this reason, in our extension, we put posted
> parameters into the query string. This can be annoying in many cases and
> just bad in other cases such as for login parameters (like yours).
>
> In your case, after you have executed logonAction, you shouldn't need the
> login parameters any more, but when you forward to the non-secured
> action, our extension will try to save them in the query string.
> By specifying "redirect=true" in the forward, you will cause Struts to use
> redirect rather than forward when it requests "account.do", which will
> clean out the logon attributes before our extension ever has a chance to
> redirect using the non-secure protocol.
>
> hth,
> Steve
>
>
> -----Original Message-----
> From: jorisumu [mailto:jorisumu@terra.com.co]
> Sent: Thursday, March 14, 2002 4:49 PM
> To: struts-user@jakarta.apache.org
> Subject: Big Problem Dealing with SSL!! (Using S. Ditlinger's ext.)
>
>
> Hi all!
>
> I discovered a few days ago the famous article at JavaWorld by Steve
> Ditlinger
> (http://www.javaworld.com/javaworld/jw-02-2002/jw-0215-ssl.html).
>
> Then after looking at the archives of this mail-list I discovered HE
> actually made an implementation of the ideas expressed in the article
> as a struts extension (http://struts.ditlinger.com).
>
> Well, I'm in the middle of the development of a web-app using Struts.
> So I decided to try it! Thanks Steve, it is really cool!!! It gave me a
> little trouble at the beginning, but it was just about config issues. (I
> truly encourage you to document the extension a little more ;-) ).
>
> Now I have a little problem: I have this logon action defined in my
> struts-config.xml:
>
> <action path="/logon"
> type="com.factoringmarket.web.LogonAction"
> name="logonForm"
> scope="request"
> input="/logon.jsp">
> <set-property property="secure" value="true"/>
>
>
> I call it from my JSP this way:
>
> <sslext:form action="/logon" focus="membername">
> .......
> </sslext:form>
>
> My problem comes when in the LogonAction's perform() I return a forward
> to a non-secure page that is actually defined in the struts-config.xml
> file as a global forward like this:
> <global-forwards>.....
> <forward name="account.fwd" path=
> ...</global-forwards>
>
> Then I got the pop-up message in the browser: "You are about to be
> redirected to a connection that is not secure. The information you are
> sending to the current site might be retransmitted to a nonsecure site.
> Do you wish to continue?" So I got curious and checked the transmission
> with a protocol analyzer and I can clearly see in the transmission: "GE
> So I'm confused... Why is this happening? What am I doing wrong? How can
> I avoid this retransmission? :-O
>
> Thanks a lot guys!
>
>
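
An added illustration of the behaviour discussed in this thread, not code from the sslext extension or from either poster: when posted parameters have to be carried across a redirect in the query string, credential fields can be left out so they never appear in a URL. The class name, the `password` field name, the deny-list and the sample values are assumptions made for the example.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class RedirectParams {
    // Hypothetical deny-list of logon field names (assumption, not part of sslext).
    static final Set<String> SENSITIVE =
            new HashSet<String>(Arrays.asList("membername", "password"));

    // Rebuilds a redirect target from posted parameters, as a protocol-switching
    // redirect has to do to keep them, but skips credential fields.
    static String redirectUrl(String target, Map<String, String[]> posted)
            throws UnsupportedEncodingException {
        StringBuilder url = new StringBuilder(target);
        char sep = target.indexOf('?') < 0 ? '?' : '&';
        for (Map.Entry<String, String[]> e : posted.entrySet()) {
            if (SENSITIVE.contains(e.getKey().toLowerCase(Locale.ROOT))) {
                continue; // logon fields must not end up in a query string
            }
            for (String value : e.getValue()) {
                url.append(sep)
                   .append(URLEncoder.encode(e.getKey(), "UTF-8"))
                   .append('=')
                   .append(URLEncoder.encode(value, "UTF-8"));
                sep = '&';
            }
        }
        return url.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample of what a logon POST might carry.
        Map<String, String[]> posted = new LinkedHashMap<String, String[]>();
        posted.put("membername", new String[] {"alice"});
        posted.put("password", new String[] {"s3cret"});
        posted.put("lang", new String[] {"es"});
        // Only the non-sensitive "lang" parameter survives into the URL.
        System.out.println(redirectUrl("http://example.com/account.do", posted));
    }
}
```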