Posted to user@struts.apache.org by "Ditlinger, Steve" <SD...@ebuilt.com> on 2002/03/18 22:04:51 UTC

RE: RE: Big Problem Dealing with SSL!! (Using S. Ditlinger's ext.)

Good!

I don't think there is any way of eliminating the pop-up message (except by
the browser user disabling it) since you are in fact redirecting from a
secure to a non-secure page.

We have been thinking of changing the extension so that the "secure"
property has 3 possible values: SECURE (for https), NON-SECURE (for http)
and WHATEVER (to accept either protocol).  Using the WHATEVER value would
help cut down on those message dialogs.  Do you think this would be
worthwhile?

Steve

-----Original Message-----
From: jorisumu [mailto:jorisumu@terra.com.co]
Sent: Monday, March 18, 2002 11:57 AM
To: Ditlinger Steve
Subject: Re: RE: Big Problem Dealing with SSL!! (Using S. Ditlinger's
ext.)


Well it worked! :-D

After adding the redirect="true" attribute to the forward definition 
the login are not present anymore in the transmission. But I still get 
the pop-up message though. I guess I can live with this for now.

Thanks a lot!

Jorge

----- Original Message -----
From: "Ditlinger, Steve" <SD...@ebuilt.com>
Date: Monday, March 18, 2002 1:18 pm
Subject: RE: Big Problem Dealing with SSL!! (Using S. Ditlinger's ext.)

> If you change the forward definition to this:
> 
> <global-forwards>.....
> <forward name="account.fwd" path=
> ...</global-forwards>
> 
> you should eliminate the presence of the logon parameters in the query
> string.
> 
> The extension we wrote redirects a page using the correct protocol (if
> necessary).  One of the consequences of a redirect is the loss of posted
> parameters.  For this reason, in our extension, we put posted parameters
> into the query string.  This can be annoying in many cases and just bad in
> other cases such as for login parameters (like yours).
> 
> In your case, after you have executed logonAction, you shouldn't need the
> login parameters any more, but when you forward to the non-secured action,
> our extension will try to save them in the query string.  By specifying
> "redirect=true" in the forward, you will cause Struts to use redirect rather
> than forward when it requests "account.do", which will clean out the logon
> attributes before our extension ever has a chance to redirect using the
> non-secure protocol.
> 
> hth,
> Steve
> 
> 
> -----Original Message-----
> From: jorisumu [mailto:jorisumu@terra.com.co]
> Sent: Thursday, March 14, 2002 4:49 PM
> To: struts-user@jakarta.apache.org
> Subject: Big Problem Dealing with SSL!! (Using S. Ditlinger's ext.)
> 
> 
> Hi all!
> 
> A few days ago I discovered the famous article at JavaWorld by Steve
> Ditlinger (http://www.javaworld.com/javaworld/jw-02-2002/jw-0215-ssl.html).
> 
> Then, after looking at the archives of this mailing list, I discovered that
> HE actually made an implementation of the ideas expressed in the article
> as a Struts extension (http://struts.ditlinger.com).
> 
> Well, I'm in the middle of the development of a web app using Struts,
> so I decided to try it! Thanks Steve, it is really cool!!! It gave me a
> little trouble at the beginning, but it was just about config issues. (I
> truly encourage you to document the extension a little more ;-) ).
> 
> Now I have a little problem: I have this logon action defined in my
> struts-config.xml:
> 
> <action path="/logon"
>         type="com.factoringmarket.web.LogonAction"
>         name="logonForm"
>         scope="request"
>         input="/logon.jsp">
>     <set-property property="secure" value="true"/>
> </action>
> 
> Then I call it from my JSP this way:
> 
> <sslext:form action="/logon" focus="membername">
> .......
> </sslext:form>
> 
> My problem comes when, in the LogonAction's perform(), I return a forward
> to a non-secure page that is actually defined in the struts-config.xml
> file as a global forward like this:
> <global-forwards>.....
> <forward name="account.fwd" path=
> ...</global-forwards>
> 
> Then I got the pop-up message in the browser: "You are about to be
> redirected to a connection that is not secure. The information you are
> sending to the current site might be retransmitted to a nonsecure site.
> Do you wish to continue?" So I got curious and checked the transmission
> with a protocol analyzer and I can clearly see in the transmission: "GE
> So I'm confused... Why is this happening? What am I doing wrong? How can
> I avoid this retransmission? :-O
> 
> Thanks a lot guys!
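
An added example, not part of the original thread or of the extension's code: a check for the leak discussed above, where posted logon parameters end up in the query string of a redirect that switches from https to http. The host name, the `.do` URLs, the response records and every field name except `membername` are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumed credential field names; "membername" is the form field named in the thread.
SENSITIVE = {"membername", "username", "password", "passwd", "pwd"}
REDIRECTS = {301, 302, 303, 307, 308}

def leaked_params(request_url, location):
    """Return (sensitive parameter names in the redirect target, downgrade flag)."""
    src, dst = urlsplit(request_url), urlsplit(location)
    # A relative Location header inherits the scheme of the request.
    target_scheme = dst.scheme or src.scheme
    present = {k.lower() for k, _ in parse_qsl(dst.query, keep_blank_values=True)}
    downgrade = src.scheme == "https" and target_scheme == "http"
    return sorted(present & SENSITIVE), downgrade

def audit(responses):
    """Flag redirects that carry credential parameters in the URL.

    Only parameter names are reported, never their values. A redirect that
    also leaves https for http is rated "high" because the query string then
    crosses the network unencrypted; otherwise it is "medium" (the URL still
    reaches browser history, proxies and server logs).
    """
    findings = []
    for r in responses:
        if r["status"] not in REDIRECTS or not r.get("location"):
            continue
        names, downgrade = leaked_params(r["url"], r["location"])
        if names:
            findings.append({"url": r["url"], "params": names,
                             "severity": "high" if downgrade else "medium"})
    return findings

# Constructed sample responses (not captured traffic).
SAMPLE = [
    {"url": "https://app.example.test/logon.do", "status": 302,
     "location": "http://app.example.test/account.do?membername=jdoe&password=s3cret"},
    {"url": "https://app.example.test/logon.do", "status": 302,
     "location": "http://app.example.test/account.do"},
    {"url": "https://app.example.test/logon.do", "status": 302,
     "location": "/account.do?password=s3cret"},
    {"url": "https://app.example.test/home.do", "status": 200, "location": None},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
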