Hmm. I've been trying to figure out what to do for my login pages since I've just upgraded from tomcat 4 to 5 and the strategy I was using before won't work anymore, plus I had a bug in mozilla which was caching the login page, so consequently my whole login strategy and use of sslext is a bit of a mess at the moment.
But I bet that you can do what you want. What you are saying is that you want:
(1) a link on a normal page with the URL appearing on the page as "https://www.me.com:8456/tralala"
(2) the subsequent page to appear encrypted
(3) you submit an SSL POST
(4) you receive a non-encrypted HTTP page
You realise of course that going directly in one step from 3 to 4 is an internet impossibility. The server must send your browser in-between, i.e. step 3.5, a re-direct to tell it to request a non-SSL HTTP page.
I don't use hotmail but I looked at what eBay does and it was too involved to work out quite what they were doing. Requests and re-directs flying around everywhere. I suspect hotmail would be the same.
Adam
On 10/20/2003 03:14 PM Brian McSweeney wrote:
Thanks for the reply Adam. I'll address your tips one by one.
I don't use the sslext form tags. I don't mention sslext anywhere in my code or my JSP. It's purely a configuration thing.
Ok, this I did differently. I followed the examples downloaded with sslext and used
<sslext:form ... instead of <html:form >
Now the weird thing is - I changed this back to <html:form> to try to do what you do, but now it doesn't even use ssl at all!
If I change back to sslext, it uses ssl but never switches back to plain http.
Are you setting up the SecurePlugin in struts-config?
Yes.
Also are you sure that you are not specifying in the web.xml that the page should be protected by SSL?
Yes.
Do you have the latest version of sslext? They brought out 1.10-3 recently.
Yes, that's the version I have.
Are you sure there are no exceptions buried in your logs anywhere?
Checked that, everything looks ok
I don't follow your hotmail example either. Are you talking about container-managed logins or roll-your-own?
Login or some other action, it doesn't matter. I used the hotmail example because it allows you to call an action over https, but the resulting html page gets displayed over http. This is because the flow of hotmail is
login page (over http) --> run login action (over https) --> display my account.html page (over http again). So it switches back out of ssl for the result of the action.
Now if I've understood what you have said to me correctly, this couldn't happen with sslext. Because we would have to invoke a second action which had the parameter
<set-property property="secure" value="false"/>
in order to get out of ssl after invoking any secure action.
Hope you understood this, and thanks very much for all your help,
Brian
-----Original Message-----
From: Adam Hardy [mailto:[EMAIL PROTECTED]
Sent: 20 October 2003 11:43
To: Struts Users Mailing List
Subject: Re: Help setting up sslext
Hi Brian,
I don't use the sslext form tags. I don't mention sslext anywhere in my code or my JSP. It's purely a configuration thing.
Are you setting up the SecurePlugin in struts-config?
Also are you sure that you are not specifying in the web.xml that the page should be protected by SSL?
Do you have the latest version of sslext? They brought out 1.10-3 recently.
Are you sure there are no exceptions buried in your logs anywhere?
I don't follow your hotmail example either. Are you talking about container-managed logins or roll-your-own?
Adam
On 10/20/2003 12:41 PM Brian McSweeney wrote:
It still isn't switching back to http for other actions when I specify
<set-property property="secure" value="false"/>
Perhaps I have to replace all <html:form tags with <sslext:form tags even when
<set-property property="secure" value="false"/>
At any rate, it doesn't seem to work the way I thought it would.
For example, if you log into hotmail, it sends the username and password over ssl, and then switches back to http for the resulting pages. This it would seem is impossible to do with sslext because in order to switch back to http, you must call another action which has:
<set-property property="secure" value="false"/>
Correct me if I'm wrong with any of this.
Thanks for all the help, Brian
-----Original Message-----
From: Adam Hardy [mailto:[EMAIL PROTECTED]
Sent: 18 October 2003 09:29
To: Struts Users Mailing List
Subject: Re: Help setting up sslext
The only time the protocol switches automatically (read: tomcat switches it automatically) is when you specify SSL in the web.xml for a URL.
<param-value>org.apache.struts.action.SecureActionMapping</param-value>
To get it to switch back from SSL into unencrypted, putting
<set-property property="secure" value="false"/>
in the action mapping is necessary.
HTH Adam
On 10/17/2003 04:53 PM Brian McSweeney wrote:
I've put in the change in the action-mappings in the struts-config.xml file
<action-mappings type="org.apache.struts.config.SecureActionConfig">
but the problem is, ssl doesn't seem to be switching at all. The action runs in https when I say it should, but all other actions then continue to run in https. I was under the impression that they'd switch back to normal http. Is this not correct?
-----Original Message-----
From: Adam Hardy
On 10/16/2003 05:13 PM Brian McSweeney wrote:
a) Change the action-mappings in the struts-config.xml file
<action-mappings type="org.apache.struts.config.SecureActionConfig">
b) Change the web.xml file as follows:
<servlet-name>action</servlet-name>
<servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
<!-- Struts Config -->
<init-param>
  <param-name>config</param-name>
  <param-value>/WEB-INF/struts-config.xml</param-value>
</init-param>
<init-param>
  <param-name>mapping</param-name>
</init-param>
could someone tell me if either of these steps are necessary, or what else is necessary?
Hi Brian, your (a) is definitely necessary to enable this:
<action path="/staticjavascriptssl" forward="/WEB-INF/general/staticjavascript.jsp">
  <set-property property="secure" value="true"/>
</action>
I have not used, or heard of before, your (b). Perhaps it has the same effect as (a).
-- -- struts 1.1 + tomcat 5.0.12 + java 1.4.2 Linux 2.4.20 RH9
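A simplified model of the redirect chain behind the "step 3.5" point at the top of this thread, given as an added example that is not part of the original messages and is not sslext's own code. The HTTP port 8080, the action paths, and the assumption that the login action finishes with a relative redirect to the account page are all hypothetical; the host and the HTTPS port 8456 come from the sample link in the thread.

```java
import java.util.*;

// Added illustration, not sslext source: traces the hops behind "step 3.5".
public class ProtocolSwitchTrace {
    // Assumed ports; 8456 is the HTTPS port in the thread's sample link.
    static final int HTTP_PORT = 8080, HTTPS_PORT = 8456;
    static final String HOST = "www.me.com";

    // Hypothetical action paths mapped to their "secure" property.
    static final Map<String, Boolean> SECURE = new HashMap<>();
    // Hypothetical: where an action sends the browser when it finishes.
    static final Map<String, String> NEXT = new HashMap<>();
    static {
        SECURE.put("/login.do", true);
        SECURE.put("/account.do", false);
        NEXT.put("/login.do", "/account.do"); // login redirects to the account page
    }

    static String url(boolean https, String path) {
        return (https ? "https://" + HOST + ":" + HTTPS_PORT
                      : "http://" + HOST + ":" + HTTP_PORT) + path;
    }

    /** Follows redirects from one request and returns every hop, in order. */
    static List<String> trace(boolean https, String path) {
        List<String> hops = new ArrayList<>();
        for (int i = 0; i < 10; i++) {           // bound the loop against redirect cycles
            boolean wanted = SECURE.get(path);
            if (wanted != https) {               // wrong scheme for this mapping: switch
                https = wanted;
                hops.add("302 -> " + url(https, path) + "  (scheme switch)");
            } else if (NEXT.containsKey(path)) { // action done: relative redirect, same scheme
                path = NEXT.get(path);
                hops.add("302 -> " + url(https, path) + "  (action redirect)");
            } else {
                hops.add("200    " + url(https, path));
                return hops;
            }
        }
        throw new IllegalStateException("redirect loop");
    }

    public static void main(String[] args) {
        // Step 3 in the thread: the login form is submitted over SSL.
        System.out.println("POST   " + url(true, "/login.do"));
        trace(true, "/login.do").forEach(System.out::println);
    }
}
```

Under these assumptions the browser makes three requests after the POST: the action's redirect is still followed over HTTPS, and only the `secure="false"` mapping on the target produces the redirect that drops to plain HTTP.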