Rob, You are absolutely correct that that is an issue. Our proposed solution for it is to modify (or extend until this functionality is integrated into Struts) the Struts form tag as you suggest, so that it will compute the right URL, which may be an absolute https URL if the target action is secure.
The primary mechanism for doing the HTTP/HTTPS switching is the extended tags that compute the proper URL. The redirecting stuff is secondary and only there in the case that someone makes an errant request (by typing the URL, bad bookmark, etc.). -Max ----- Original Message ----- From: "Robert Scaduto" <[EMAIL PROTECTED]> To: "Struts Users Mailing List" <[EMAIL PROTECTED]> Sent: Tuesday, February 05, 2002 2:22 PM Subject: RE: Implementing HTTPS in Struts > Steve, > > Thank you for your response. I have taken a look at your https framework > and I it looks great. I do have one concern though. > > In looking through the code I noticed that if a non-secure request comes in > to a action marked as secure, the framework will persist the request > attributes in the session and tell the browser to re-direct using https. > However this allows the parameters in the form or querystring to go across > the network un-encrypted before the framework can perform the redirect. > > My thought was that the same SecureRequestUtils.computeURL() function should > also be used by the form tag to determine, before the form is rendered, that > the post should be transmitted via https. This would require subclassing > the struts FormTag as well. > > Am I totally off base here? > > -Rob > > -----Original Message----- > From: Ditlinger, Steve [mailto:[EMAIL PROTECTED]] > Sent: Friday, February 01, 2002 7:30 PM > To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]' > Cc: '[EMAIL PROTECTED]' > Subject: Re: Implementing HTTPS in Struts > > > > Robert: > > We recently posted just such a solution. Check it out at > http://struts.ditlinger.com. There you will find a description of our > solution and a link to download our Struts extensions and example app. If > you have any questions, please do not hesitate to ask. > > Steve > > > >You wrote: > --------------- > Hello all, my name is Rob Scaduto and I have just recently joined the Struts > user mailing list. I have yet to find any resources talking about how to > handle switching between http and https (and vice versa) using struts. The > only solution I was able to come up with was sub classing the Struts LinkTag > and adding a secure attribute. This would then dynamically build an absolute > path based on the jsp. This works great when you use the forward or page > attribute, but doesn't work at all if you use the href attribute. I'd like > to have a solution that works in all cases and I was curious if someone > could add some insight. Thanks in advance, Rob > > > -- > To unsubscribe, e-mail: > <mailto:[EMAIL PROTECTED]> > For additional commands, e-mail: > <mailto:[EMAIL PROTECTED]> > > > -- > To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> > For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> > > -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
