struts-user mailing list archives

From Adam Hardy <ahardy.str...@cyberspaceroad.com>
Subject Re: container-managed security and struts
Date Wed, 12 Oct 2005 22:46:50 GMT
Dave Newton on 12/10/05 23:22, wrote:
> Adam Hardy wrote:
> 
>> I tried this 18 months ago and if my memory serves me well, in tomcat 
>> 5, if I switch the request back out of SSL with a redirect or similar, 
>> I can no longer see the SSL session (and am effectively not logged in 
>> anymore).
>>
>> Is there an easy way around this? A javascript encryption routine for 
>> the password or some trick with ssl-ext?
> 
> 
>  <plug-in className="org.apache.struts.action.SecurePlugIn">
>    <set-property property="httpPort" value="8080"/>
>    <set-property property="httpsPort" value="8443"/>
>    <set-property property="enable" value="true"/>
>    <set-property property="addSession" value="false"/>
>  </plug-in>
> 
>  From sslext.sourceforge.net:
> 
> "Also added is the ability to configure the "always add Session ID to 
> URL feature". This feature was added in a previous release to compensate 
> for older browsers that do not automatically share sessions between the 
> http and https protocols. If you are sure that this problem will not 
> exist for you, you can now disable this feature through the "addSession" 
> property of the SecurePlugIn (or SecureTilesPlugin). Thanks to all who 
> suggested this enhancement. (Or otherwise complained about the old 
> behavior :-)."

Hi Dave,

unfortunately we are talking about different issues. I should have made 
it clearer but didn't want to make it overcomplicated, and I forgot 
about the issue you outlined, which is ambiguously similar.

The issue that I am tackling is that the servlet container allows the 
logged-in user under SSL to see both the HTTP and the SSL session, but 
outside of SSL, the user can no longer access the SSL session attributes 
(I believe).

Adam

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
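
One mechanism consistent with the behaviour described in this message, shown as an added example that is not part of the original thread: it assumes the container marks the JSESSIONID cookie Secure when the session is created on an HTTPS request, and models the browser with Python's http.cookiejar. The host name, the /app path and the session id are constructed; the ports are the ones in the quoted plug-in configuration.

```python
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar

HOST = "shop.example.test"            # constructed host name
HTTP = f"http://{HOST}:8080"          # httpPort from the quoted plug-in config
HTTPS = f"https://{HOST}:8443"        # httpsPort from the quoted plug-in config


class FakeResponse:
    """Minimal response object carrying only the header CookieJar reads."""
    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def container_set_cookie(session_id, request_url):
    """Assumed container behaviour: Secure is set iff the session starts over HTTPS."""
    cookie = f"JSESSIONID={session_id}; Path=/app"
    return cookie + "; Secure" if request_url.startswith("https://") else cookie


def cookie_sent(jar, url):
    """Return the Cookie header a browser-like client attaches to url, or None."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def visit(first_url, second_url, session_id="CONSTRUCTED123"):
    """Create the session on first_url, then report what is sent to each URL."""
    jar = CookieJar()
    first = urllib.request.Request(first_url)
    jar.extract_cookies(FakeResponse(container_set_cookie(session_id, first_url)), first)
    return cookie_sent(jar, first_url), cookie_sent(jar, second_url)


if __name__ == "__main__":
    # Session created under SSL, then a redirect to plain HTTP: cookie withheld,
    # so the container sees no session id and starts a fresh session.
    print("https then http:", visit(HTTPS + "/app/login", HTTP + "/app/home"))
    # Session created over HTTP first: the same cookie is sent on both schemes.
    print("http then https:", visit(HTTP + "/app/home", HTTPS + "/app/login"))
```

Withholding the cookie on plain HTTP is what keeps the authenticated session id off the unencrypted channel, so the usual approach is to keep the whole logged-in flow on HTTPS instead of working around it.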

