struts-user mailing list archives

From "Robert Scaduto" <rscad...@douwantit.com>
Subject RE: Implementing HTTPS in Struts
Date Wed, 06 Feb 2002 14:49:42 GMT

Thanks, Max,

In the meantime, as a workaround, I will just mark the action called before
any secure data is posted as also secure, ensuring that the data is sent
encrypted.

Thanks Again,

Rob

-----Original Message-----
From: Max Cooper [mailto:max@maxcooper.com]
Sent: Tuesday, February 05, 2002 7:04 PM
To: Struts Users Mailing List
Subject: Re: Implementing HTTPS in Struts


Rob,

You are absolutely correct that that is an issue. Our proposed solution for
it is to modify (or extend until this functionality is integrated into
Struts) the Struts form tag as you suggest, so that it will compute the
right URL, which may be an absolute https URL if the target action is
secure.

The primary mechanism for doing the HTTP/HTTPS switching is the extended
tags that compute the proper URL. The redirecting stuff is secondary and
only there in the case that someone makes an errant request (by typing the
URL, bad bookmark, etc.).

-Max

----- Original Message -----
From: "Robert Scaduto" <rscaduto@douwantit.com>
To: "Struts Users Mailing List" <struts-user@jakarta.apache.org>
Sent: Tuesday, February 05, 2002 2:22 PM
Subject: RE: Implementing HTTPS in Struts


> Steve,
>
> Thank you for your response.  I have taken a look at your https framework
> and it looks great. I do have one concern though.
>
> In looking through the code I noticed that if a non-secure request comes in
> to an action marked as secure, the framework will persist the request
> attributes in the session and tell the browser to re-direct using https.
> However this allows the parameters in the form or querystring to go across
> the network un-encrypted before the framework can perform the redirect.
>
> My thought was that the same SecureRequestUtils.computeURL() function should
> also be used by the form tag to determine, before the form is rendered, that
> the post should be transmitted via https.  This would require subclassing
> the struts FormTag as well.
>
> Am I totally off base here?
>
> -Rob
>
> -----Original Message-----
> From: Ditlinger, Steve [mailto:SDitlinger@ebuilt.com]
> Sent: Friday, February 01, 2002 7:30 PM
> To: 'rscaduto@bellsouth.net'; 'struts-user@jakarta.apache.org'
> Cc: 'max@maxcooper.com'
> Subject: Re: Implementing HTTPS in Struts
>
>
>
> Robert:
>
> We recently posted just such a solution.  Check it out at
> http://struts.ditlinger.com.  There you will find a description of our
> solution and a link to download our Struts extensions and example app.  If
> you have any questions, please do not hesitate to ask.
>
> Steve
>
>
> >You wrote:
> ---------------
> Hello all, my name is Rob Scaduto and I have just recently joined the Struts
> user mailing list. I have yet to find any resources talking about how to
> handle switching between http and https (and vice versa) using struts. The
> only solution I was able to come up with was subclassing the Struts LinkTag
> and adding a secure attribute. This would then dynamically build an absolute
> path based on the jsp. This works great when you use the forward or page
> attribute, but doesn't work at all if you use the href attribute. I'd like
> to have a solution that works in all cases and I was curious if someone
> could add some insight. Thanks in advance, Rob
>
>
> --
> To unsubscribe, e-mail:
> <mailto:struts-user-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail:
> <mailto:struts-user-help@jakarta.apache.org>


--
To unsubscribe, e-mail:   <mailto:struts-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:struts-user-help@jakarta.apache.org>
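
The point raised in this thread, as an added Java example (not part of the original messages, and not code from Struts or from the extension at struts.ditlinger.com): the form's action URL is chosen while the page is rendered, so the first request to a secure action already uses https, and the redirect check remains only as a fallback. The class and method names, action paths, port and host are hypothetical.

```java
import java.util.Set;

// Added illustration; all names, paths and the host are hypothetical.
public class SecureFormActionExample {

    // Assumed configuration: actions that must only receive data over https.
    static final Set<String> SECURE_ACTIONS = Set.of("/login.do", "/checkout.do");
    static final int HTTPS_PORT = 443;

    // Primary mechanism: computed while the form is rendered, so the browser's
    // first request to a secure action already goes over https.
    static String computeFormAction(String pageScheme, String host,
                                    String contextPath, String actionPath) {
        String relative = contextPath + actionPath;
        boolean secureTarget = SECURE_ACTIONS.contains(actionPath);
        if (!secureTarget || "https".equals(pageScheme)) {
            return relative; // a relative URL keeps the page's current scheme
        }
        String port = (HTTPS_PORT == 443) ? "" : ":" + HTTPS_PORT;
        return "https://" + host + port + relative;
    }

    // Fallback only: true when a request reached a secure action over http.
    // By then any posted fields have already crossed the network unencrypted.
    static boolean needsRedirect(String requestScheme, String actionPath) {
        return SECURE_ACTIONS.contains(actionPath) && !"https".equals(requestScheme);
    }

    public static void main(String[] args) {
        String host = "shop.example.com"; // constructed sample values
        // http page, secure target: absolute https URL
        System.out.println(computeFormAction("http", host, "/app", "/login.do"));
        // https page, secure target: relative URL is enough
        System.out.println(computeFormAction("https", host, "/app", "/login.do"));
        // http page, non-secure target: relative URL
        System.out.println(computeFormAction("http", host, "/app", "/search.do"));
        // errant request (typed URL, old bookmark) to a secure action over http
        System.out.println(needsRedirect("http", "/login.do"));
    }
}
```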

