Re: Switching from HTTPS to HTTP
Yup, it's quite brilliant - I think it should be incorporated into Struts. Marino Adam Hardy [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] sslext works brilliantly with struts and container-managed security. Definitely what you want. You put attributes in your action mappings to tell it whether you want the action mapping under SSL or not. It handles the redirection to / from SSL. Adam On 03/12/2004 03:39 PM Mark Lowe wrote: You could use a filter which without knowing anything about it i imagine what sslext does. Better than hardcoding redirects. jstl may have something to force the scheme also. IMO doing it with mod_rewrite is easier because you any have to worry about your live deployment, but if you're using catalina as your webserver then I guess that you're going to have to configure that. On 12 Mar 2004, at 14:36, Joao Batistella wrote: But, I would like to find a way in Java, not in the web server because, for now, I'm using Tomcat web server. Can I just use a send redirect to a HTTP address?? Ex: sendRedirect(http://myserver/myapp/main.jsp;); -Original Message- From: Mark Lowe [mailto:[EMAIL PROTECTED] Sent: sexta-feira, 12 de março de 2004 13:30 To: Struts Users Mailing List Subject: Re: Switching from HTTPS to HTTP There's some java thingy you can use to do this, sslext or something.. If you are using apache for your webserver you can use mod_rewrite which means less hassle configuring development envionments and such like. Here's an example. NameVirtualHost machinedomain.net:80 VirtualHost www.sparrow.com:80 DocumentRoot /www/www.sparrow.com SSLEngine off RewriteEngine on RewriteCond %{SERVER_PORT} ^80$ RewriteRule ^\/checkout https://%{SERVER_NAME}%{REQUEST_FILENAME} [R,L] RewriteRule ^\/admin https://%{SERVER_NAME}%{REQUEST_FILENAME} [R,L] /VirtualHost Listen *:443 NameVirtualHost [i used the ip here]:443 VirtualHost www.sparrow.com:443 DocumentRoot /www/www.sparrow.com SSLEngine on RewriteEngine on RewriteCond %{SERVER_PORT} ^443$ RewriteRule !^(\/checkout)|(\/admin) http://%{SERVER_NAME}%{REQUEST_FILE NAME} [R,L] SSLCertificateFile /[apache home]/conf/ssl.crt/server.crt SSLCertificateKeyFile /[apache home]/conf/ssl.key/server.key SSLCACertificateFile /[apache home]/conf/ssl.crt/intermediate.ca /VirtualHost and requests containing /admin or /checkout will have https scheme forced those that are not wont. On 12 Mar 2004, at 13:59, Joao Batistella wrote: Hello! In my application the login page uses HTTPS to send username and password to the server. But after that, if login operation succeed, I want to send the user to the main application page using HTTP protocol, not HTTPS. How can I switch? - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Switching from HTTPS to HTTP
Hello! In my application the login page uses HTTPS to send username and password to the server. But after that, if login operation succeed, I want to send the user to the main application page using HTTP protocol, not HTTPS. How can I switch? Thanks in advance, JP
Re: Switching from HTTPS to HTTP
There's some java thingy you can use to do this, sslext or something.. If you are using apache for your webserver you can use mod_rewrite which means less hassle configuring development envionments and such like. Here's an example. NameVirtualHost machinedomain.net:80 VirtualHost www.sparrow.com:80 DocumentRoot /www/www.sparrow.com SSLEngine off RewriteEngine on RewriteCond %{SERVER_PORT} ^80$ RewriteRule ^\/checkout https://%{SERVER_NAME}%{REQUEST_FILENAME} [R,L] RewriteRule ^\/admin https://%{SERVER_NAME}%{REQUEST_FILENAME} [R,L] /VirtualHost Listen *:443 NameVirtualHost [i used the ip here]:443 VirtualHost www.sparrow.com:443 DocumentRoot /www/www.sparrow.com SSLEngine on RewriteEngine on RewriteCond %{SERVER_PORT} ^443$ RewriteRule !^(\/checkout)|(\/admin) http://%{SERVER_NAME}%{REQUEST_FILE NAME} [R,L] SSLCertificateFile /[apache home]/conf/ssl.crt/server.crt SSLCertificateKeyFile /[apache home]/conf/ssl.key/server.key SSLCACertificateFile /[apache home]/conf/ssl.crt/intermediate.ca /VirtualHost and requests containing /admin or /checkout will have https scheme forced those that are not wont. On 12 Mar 2004, at 13:59, Joao Batistella wrote: Hello! In my application the login page uses HTTPS to send username and password to the server. But after that, if login operation succeed, I want to send the user to the main application page using HTTP protocol, not HTTPS. How can I switch? Thanks in advance, JP - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Switching from HTTPS to HTTP
But, I would like to find a way in Java, not in the web server because, for now, I'm using Tomcat web server. Can I just use a send redirect to a HTTP address?? Ex: sendRedirect(http://myserver/myapp/main.jsp;); -Original Message- From: Mark Lowe [mailto:[EMAIL PROTECTED] Sent: sexta-feira, 12 de março de 2004 13:30 To: Struts Users Mailing List Subject: Re: Switching from HTTPS to HTTP There's some java thingy you can use to do this, sslext or something.. If you are using apache for your webserver you can use mod_rewrite which means less hassle configuring development envionments and such like. Here's an example. NameVirtualHost machinedomain.net:80 VirtualHost www.sparrow.com:80 DocumentRoot /www/www.sparrow.com SSLEngine off RewriteEngine on RewriteCond %{SERVER_PORT} ^80$ RewriteRule ^\/checkout https://%{SERVER_NAME}%{REQUEST_FILENAME} [R,L] RewriteRule ^\/admin https://%{SERVER_NAME}%{REQUEST_FILENAME} [R,L] /VirtualHost Listen *:443 NameVirtualHost [i used the ip here]:443 VirtualHost www.sparrow.com:443 DocumentRoot /www/www.sparrow.com SSLEngine on RewriteEngine on RewriteCond %{SERVER_PORT} ^443$ RewriteRule !^(\/checkout)|(\/admin) http://%{SERVER_NAME}%{REQUEST_FILE NAME} [R,L] SSLCertificateFile /[apache home]/conf/ssl.crt/server.crt SSLCertificateKeyFile /[apache home]/conf/ssl.key/server.key SSLCACertificateFile /[apache home]/conf/ssl.crt/intermediate.ca /VirtualHost and requests containing /admin or /checkout will have https scheme forced those that are not wont. On 12 Mar 2004, at 13:59, Joao Batistella wrote: Hello! In my application the login page uses HTTPS to send username and password to the server. But after that, if login operation succeed, I want to send the user to the main application page using HTTP protocol, not HTTPS. How can I switch? Thanks in advance, JP - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Switching from HTTPS to HTTP
Haven't used it but there is a Struts extension for this http://sslext.sourceforge.net Niall - Original Message - From: Joao Batistella [EMAIL PROTECTED] To: 'Struts Users Mailing List' [EMAIL PROTECTED] Sent: Friday, March 12, 2004 1:36 PM Subject: RE: Switching from HTTPS to HTTP But, I would like to find a way in Java, not in the web server because, for now, I'm using Tomcat web server. Can I just use a send redirect to a HTTP address?? Ex: sendRedirect(http://myserver/myapp/main.jsp;); -Original Message- From: Mark Lowe [mailto:[EMAIL PROTECTED] Sent: sexta-feira, 12 de março de 2004 13:30 To: Struts Users Mailing List Subject: Re: Switching from HTTPS to HTTP There's some java thingy you can use to do this, sslext or something.. If you are using apache for your webserver you can use mod_rewrite which means less hassle configuring development envionments and such like. Here's an example. NameVirtualHost machinedomain.net:80 VirtualHost www.sparrow.com:80 DocumentRoot /www/www.sparrow.com SSLEngine off RewriteEngine on RewriteCond %{SERVER_PORT} ^80$ RewriteRule ^\/checkout https://%{SERVER_NAME}%{REQUEST_FILENAME} [R,L] RewriteRule ^\/admin https://%{SERVER_NAME}%{REQUEST_FILENAME} [R,L] /VirtualHost Listen *:443 NameVirtualHost [i used the ip here]:443 VirtualHost www.sparrow.com:443 DocumentRoot /www/www.sparrow.com SSLEngine on RewriteEngine on RewriteCond %{SERVER_PORT} ^443$ RewriteRule !^(\/checkout)|(\/admin) http://%{SERVER_NAME}%{REQUEST_FILE NAME} [R,L] SSLCertificateFile /[apache home]/conf/ssl.crt/server.crt SSLCertificateKeyFile /[apache home]/conf/ssl.key/server.key SSLCACertificateFile /[apache home]/conf/ssl.crt/intermediate.ca /VirtualHost and requests containing /admin or /checkout will have https scheme forced those that are not wont. On 12 Mar 2004, at 13:59, Joao Batistella wrote: Hello! In my application the login page uses HTTPS to send username and password to the server. But after that, if login operation succeed, I want to send the user to the main application page using HTTP protocol, not HTTPS. How can I switch? Thanks in advance, JP - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Switching from HTTPS to HTTP
You could use a filter which without knowing anything about it i imagine what sslext does. Better than hardcoding redirects. jstl may have something to force the scheme also. IMO doing it with mod_rewrite is easier because you any have to worry about your live deployment, but if you're using catalina as your webserver then I guess that you're going to have to configure that. On 12 Mar 2004, at 14:36, Joao Batistella wrote: But, I would like to find a way in Java, not in the web server because, for now, I'm using Tomcat web server. Can I just use a send redirect to a HTTP address?? Ex: sendRedirect(http://myserver/myapp/main.jsp;); -Original Message- From: Mark Lowe [mailto:[EMAIL PROTECTED] Sent: sexta-feira, 12 de março de 2004 13:30 To: Struts Users Mailing List Subject: Re: Switching from HTTPS to HTTP There's some java thingy you can use to do this, sslext or something.. If you are using apache for your webserver you can use mod_rewrite which means less hassle configuring development envionments and such like. Here's an example. NameVirtualHost machinedomain.net:80 VirtualHost www.sparrow.com:80 DocumentRoot /www/www.sparrow.com SSLEngine off RewriteEngine on RewriteCond %{SERVER_PORT} ^80$ RewriteRule ^\/checkout https://%{SERVER_NAME}%{REQUEST_FILENAME} [R,L] RewriteRule ^\/admin https://%{SERVER_NAME}%{REQUEST_FILENAME} [R,L] /VirtualHost Listen *:443 NameVirtualHost [i used the ip here]:443 VirtualHost www.sparrow.com:443 DocumentRoot /www/www.sparrow.com SSLEngine on RewriteEngine on RewriteCond %{SERVER_PORT} ^443$ RewriteRule !^(\/checkout)|(\/admin) http://%{SERVER_NAME}%{REQUEST_FILE NAME} [R,L] SSLCertificateFile /[apache home]/conf/ssl.crt/server.crt SSLCertificateKeyFile /[apache home]/conf/ssl.key/server.key SSLCACertificateFile /[apache home]/conf/ssl.crt/intermediate.ca /VirtualHost and requests containing /admin or /checkout will have https scheme forced those that are not wont. On 12 Mar 2004, at 13:59, Joao Batistella wrote: Hello! In my application the login page uses HTTPS to send username and password to the server. But after that, if login operation succeed, I want to send the user to the main application page using HTTP protocol, not HTTPS. How can I switch? Thanks in advance, JP - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Switching from HTTPS to HTTP
sslext works brilliantly with struts and container-managed security. Definitely what you want. You put attributes in your action mappings to tell it whether you want the action mapping under SSL or not. It handles the redirection to / from SSL. Adam On 03/12/2004 03:39 PM Mark Lowe wrote: You could use a filter which without knowing anything about it i imagine what sslext does. Better than hardcoding redirects. jstl may have something to force the scheme also. IMO doing it with mod_rewrite is easier because you any have to worry about your live deployment, but if you're using catalina as your webserver then I guess that you're going to have to configure that. On 12 Mar 2004, at 14:36, Joao Batistella wrote: But, I would like to find a way in Java, not in the web server because, for now, I'm using Tomcat web server. Can I just use a send redirect to a HTTP address?? Ex: sendRedirect(http://myserver/myapp/main.jsp;); -Original Message- From: Mark Lowe [mailto:[EMAIL PROTECTED] Sent: sexta-feira, 12 de março de 2004 13:30 To: Struts Users Mailing List Subject: Re: Switching from HTTPS to HTTP There's some java thingy you can use to do this, sslext or something.. If you are using apache for your webserver you can use mod_rewrite which means less hassle configuring development envionments and such like. Here's an example. NameVirtualHost machinedomain.net:80 VirtualHost www.sparrow.com:80 DocumentRoot /www/www.sparrow.com SSLEngine off RewriteEngine on RewriteCond %{SERVER_PORT} ^80$ RewriteRule ^\/checkout https://%{SERVER_NAME}%{REQUEST_FILENAME} [R,L] RewriteRule ^\/admin https://%{SERVER_NAME}%{REQUEST_FILENAME} [R,L] /VirtualHost Listen *:443 NameVirtualHost [i used the ip here]:443 VirtualHost www.sparrow.com:443 DocumentRoot /www/www.sparrow.com SSLEngine on RewriteEngine on RewriteCond %{SERVER_PORT} ^443$ RewriteRule !^(\/checkout)|(\/admin) http://%{SERVER_NAME}%{REQUEST_FILE NAME} [R,L] SSLCertificateFile /[apache home]/conf/ssl.crt/server.crt SSLCertificateKeyFile /[apache home]/conf/ssl.key/server.key SSLCACertificateFile /[apache home]/conf/ssl.crt/intermediate.ca /VirtualHost and requests containing /admin or /checkout will have https scheme forced those that are not wont. On 12 Mar 2004, at 13:59, Joao Batistella wrote: Hello! In my application the login page uses HTTPS to send username and password to the server. But after that, if login operation succeed, I want to send the user to the main application page using HTTP protocol, not HTTPS. How can I switch? - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[sslExt] Switching from HTTPS to HTTP and avoiding the You are about to be redirected to a connection.
I'm using Struts1.1rc1 and sslExtRC1-2. BTW, thanks to Steve for this package. There is one caveat however... If you submit a request to the server via HTTPS and that request is redirected to HTTP before returning to the client (server side code does a Response.sendRedirect() switching the protocol from HTTPS to HTTP), then IE and NS7.x display a pop-up security alert. I have found a work around to be to redirect to a page with embedded logic to determine where to send the user and then use the meta HTTP-EQUIV=refresh content=0; url=%=destination% to redirect the user to the appropriate destination. I don't currently see how the sslExt addresses this issue. If it does, can someone please let me know how. robert -Original Message- From: Robert Taylor [mailto:[EMAIL PROTECTED] Sent: Monday, March 31, 2003 2:17 PM To: [EMAIL PROTECTED] Subject: [sslEXt] You are about to be redirected to a connection which is not secure I am using Struts1.1rc1 with the sslExtRC1-2. My current requirements don't allow me to have all requests go through the Struts Action servlet. (please don't lecture me on the benefits of all requests going through the controller...you're preachin' to the chior) I have a situation where I need to provide a login form through out my site on pages that are directly accessed via HTTP, although the action attribute for the login form element on those pages is HTTPS (providing secure data transport). Validation error or not, the user is always returned to the page from which they signed in. For MSIE and Netscape 7.02 this causes a security alert to pop-up. MSIE: You are about to be redirected to a connection which is not secure. The information you are sending to the current site might be retransmitted to a nonsecure site. Do you wish to continue? Netscape 7.02: You have requested an encrypted page that contains some unencrypted information. Information that you see or enter on this page could easily be read by a third party. I have found a work around to be to redirect to a page with embedded logic to determine where to send the user and then use the meta HTTP-EQUIV=refresh content=0; url=%=destination% to redirect the user to the appropriate destination. This seems like such a hack and I was wondering if there is a cleaner solution. robert BTW, I have searched the mailing list archives and Google and have yet to find a cleaner (any) solution. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]