struts-user mailing list archives

From Adam Hardy <>
Subject Re: container-managed security and struts
Date Wed, 12 Oct 2005 22:46:50 GMT
Dave Newton on 12/10/05 23:22, wrote:
> Adam Hardy wrote:
>> I tried this 18 months ago and if my memory serves me well, in tomcat 
>> 5, if I switch the request back out of SSL with a redirect or similar, 
>> I can no longer see the SSL session (and am effectively not logged in 
>> anymore).
>> Is there an easy way around this? A javascript encryption routine for 
>> the password or some trick with ssl-ext?
>  <plug-in className="org.apache.struts.action.SecurePlugIn">
>    <set-property property="httpPort" value="8080"/>
>    <set-property property="httpsPort" value="8443"/>
>    <set-property property="enable" value="true"/>
>    <set-property property="addSession" value="false"/>
>  </plug-in>
>  From
> "Also added is the ability to configure the "always add Session ID to 
> URL feature". This feature was added in a previous release to compensate 
> for older browsers that do not automatically share sessions between the 
> http and https protocols. If you are sure that this problem will not 
> exist for you, you can now disable this feature through the "addSession" 
> property of the SecurePlugIn (or SecureTilesPlugin). Thanks to all who 
> suggested this enhancement. (Or otherwise complained about the old 
> behavior :-)."

Hi Dave,

Unfortunately we are talking about different issues. I should have made 
it clearer but didn't want to make it overcomplicated, and I forgot 
about the issue you outlined, which is ambiguously similar.

The issue that I am tackling is that the servlet container allows the 
logged-in user under SSL to see both the HTTP and the SSL session, but 
outside of SSL, the user can no longer access the SSL session attributes 
(I believe).

