For some reason the attachment was stripped out of the email. Here is the patch:
diff -ruN current\org\apache\struts\action\SecurePlugIn.java new\org\apache\struts\action\SecurePlugIn.java --- current\org\apache\struts\action\SecurePlugIn.java Sat Sep 18 11:59:04 2004 +++ new\org\apache\struts\action\SecurePlugIn.java Thu Oct 27 17:01:33 2005 @@ -1,7 +1,7 @@ /* - * $Header: /cvsroot/sslext/sslext120/src/org/apache/struts/action/SecurePlugIn.java,v 1.1.1.1 2004/09/18 19:59:04 ditling Exp $ + * $Header: /data/repository/./sslext/src/java/org/apache/struts/action/SecurePlugIn.java,v 1.1.1.1 2005/10/28 00:01:33 dshimy Exp $ * $Revision: 1.1.1.1 $ - * $Date: 2004/09/18 19:59:04 $ + * $Date: 2005/10/28 00:01:33 $ * * ==================================================================== * @@ -90,6 +90,8 @@ protected String httpPort = DEFAULT_HTTP_PORT; protected String httpsPort = DEFAULT_HTTPS_PORT; protected String enable = DEFAULT_ENABLE; + protected String addSessionHttp = DEAFULT_ADD_SESSION_HTTP; + protected String httpRedirectPage = null; private Log sLog = LogFactory.getLog(SecurePlugIn.class); @@ -162,6 +164,26 @@ */ public void destroy() { servlet.getServletContext().removeAttribute(SECURE_PLUGIN); + } + + public String getHttpRedirectPage() { + return httpRedirectPage; + } + + public void setHttpRedirectPage(String httpRedirectPage) { + this.httpRedirectPage = httpRedirectPage; + } + + public boolean getSslExtAddSessionHttp() { + return Boolean.valueOf(getAddSessionHttp()).booleanValue(); + } + + public String getAddSessionHttp() { + return addSessionHttp; + } + + public void setAddSessionHttp(String addSessionHttp) { + this.addSessionHttp = addSessionHttp; } public void setHttpsPort(String s) { diff -ruN current\org\apache\struts\action\SecurePlugInInterface.java new\org\apache\struts\action\SecurePlugInInterface.java --- current\org\apache\struts\action\SecurePlugInInterface.java Sat Sep 18 11:59:04 2004 +++ new\org\apache\struts\action\SecurePlugInInterface.java Thu Oct 27 17:01:33 2005 
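Review bot: The new public accessors in the `@@ -162,6 +164,26 @@` hunk of SecurePlugIn (getHttpRedirectPage/setHttpRedirectPage, getSslExtAddSessionHttp, getAddSessionHttp/setAddSessionHttp) carry no Javadoc, and the parsing rule in `getSslExtAddSessionHttp()` is worth stating because `set-property` feeds it a raw string: `Boolean.valueOf` yields true only for a case-insensitive "true", so any other value, including null, silently disables the feature. I would add above `getSslExtAddSessionHttp()`: `/** True only when addSessionHttp is (case-insensitively) "true"; null or any other value disables adding the session id on HTTPS-to-HTTP URLs. */`. For `setHttpRedirectPage` a one-line note that the value is handed to a RequestDispatcher and is expected to be a context-relative path such as `/redirect.jsp` (as in the sample config) would save the next reader a trip through SecureRequestUtils. The hunk also resets the `httpRedirectPage` default to null, which is what makes the forward path opt-in; say so in the field comment.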
@@ -1,7 +1,7 @@ /* - * $Header: /cvsroot/sslext/sslext120/src/org/apache/struts/action/SecurePlugInInterface.java,v 1.1.1.1 2004/09/18 19:59:04 ditling Exp $ + * $Header: /data/repository/./sslext/src/java/org/apache/struts/action/SecurePlugInInterface.java,v 1.1.1.1 2005/10/28 00:01:33 dshimy Exp $ * $Revision: 1.1.1.1 $ - * $Date: 2004/09/18 19:59:04 $ + * $Date: 2005/10/28 00:01:33 $ * * ==================================================================== * @@ -73,10 +73,12 @@ public interface SecurePlugInInterface extends PlugIn { static public final String SECURE_PLUGIN = "org.apache.struts.action.SecurePlugIn-Instance"; + static public final String SSLEXT_REDIRECT_URL = "sslext_redirect_url"; static final String DEFAULT_HTTP_PORT = "80"; static final String DEFAULT_HTTPS_PORT = "443"; static final String DEFAULT_ENABLE = "true"; static final String DEFAULT_ADD_SESSION = "true"; + static final String DEAFULT_ADD_SESSION_HTTP = "true"; public String getHttpsPort(); @@ -89,4 +91,9 @@ public boolean getSslExtEnable(); public boolean getSslExtAddSession(); + + public boolean getSslExtAddSessionHttp(); + + public String getHttpRedirectPage(); + } diff -ruN current\org\apache\struts\action\SecureTilesRequestProcessor.java new\org\apache\struts\action\SecureTilesRequestProcessor.java --- current\org\apache\struts\action\SecureTilesRequestProcessor.java Sat Sep 18 11:59:06 2004 +++ new\org\apache\struts\action\SecureTilesRequestProcessor.java Thu Oct 27 17:01:33 2005 
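Review bot: In the `@@ -73,10 +73,12 @@` hunk the new constant is misspelled (`DEAFULT_ADD_SESSION_HTTP`); it compiles because SecurePlugIn and SecureTilesPlugin reference the same misspelling, but it is an interface constant that downstream code will pick up, so rename it to `DEFAULT_ADD_SESSION_HTTP` now and update both plug-ins in the same patch. More importantly its value is "true", which means that out of the box the session identifier established over HTTPS is appended to every HTTPS-to-HTTP URL; the covering mail itself calls this a security trade-off, so it should be opt-in: `static final String DEFAULT_ADD_SESSION_HTTP = "false";`. A short comment on the constant explaining what enabling it exposes (the session id travels in a cleartext URL) would make the choice visible to whoever sets it.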
@@ -1,7 +1,7 @@ /* - * $Header: /cvsroot/sslext/sslext120/src/org/apache/struts/action/SecureTilesRequestProcessor.java,v 1.1.1.1 2004/09/18 19:59:05 ditling Exp $ + * $Header: /data/repository/./sslext/src/java/org/apache/struts/action/SecureTilesRequestProcessor.java,v 1.1.1.1 2005/10/28 00:01:33 dshimy Exp $ * $Revision: 1.1.1.1 $ - * $Date: 2004/09/18 19:59:05 $ + * $Date: 2005/10/28 00:01:33 $ * * ==================================================================== * diff -ruN current\org\apache\struts\config\SecureActionConfig.java new\org\apache\struts\config\SecureActionConfig.java --- current\org\apache\struts\config\SecureActionConfig.java Sat Sep 18 11:59:06 2004 +++ new\org\apache\struts\config\SecureActionConfig.java Thu Oct 27 17:01:33 2005 @@ -1,7 +1,7 @@ /* - * $Header: /cvsroot/sslext/sslext120/src/org/apache/struts/config/SecureActionConfig.java,v 1.1.1.1 2004/09/18 19:59:05 ditling Exp $ + * $Header: /data/repository/./sslext/src/java/org/apache/struts/config/SecureActionConfig.java,v 1.1.1.1 2005/10/28 00:01:33 dshimy Exp $ * $Revision: 1.1.1.1 $ - * $Date: 2004/09/18 19:59:05 $ + * $Date: 2005/10/28 00:01:33 $ * * ==================================================================== * diff -ruN current\org\apache\struts\tiles\SecureTilesPlugin.java new\org\apache\struts\tiles\SecureTilesPlugin.java --- current\org\apache\struts\tiles\SecureTilesPlugin.java Sat Sep 18 11:59:08 2004 +++ new\org\apache\struts\tiles\SecureTilesPlugin.java Thu Oct 27 17:01:33 2005 @@ -1,7 +1,7 @@ /* - * $Header: /cvsroot/sslext/sslext120/src/org/apache/struts/tiles/SecureTilesPlugin.java,v 1.1.1.1 2004/09/18 19:59:07 ditling Exp $ + * $Header: /data/repository/./sslext/src/java/org/apache/struts/tiles/SecureTilesPlugin.java,v 1.1.1.1 2005/10/28 00:01:33 dshimy Exp $ * $Revision: 1.1.1.1 $ - * $Date: 2004/09/18 19:59:07 $ + * $Date: 2005/10/28 00:01:33 $ * * ==================================================================== * 
@@ -85,6 +85,8 @@ protected String httpPort = DEFAULT_HTTP_PORT; protected String httpsPort = DEFAULT_HTTPS_PORT; protected String enable = DEFAULT_ENABLE; + protected String addSessionHttp = DEAFULT_ADD_SESSION_HTTP; + protected String httpRedirectPage = null; protected String resourceName = "org.apache.struts.action.SecureResources"; protected MessageResources resources = null; @@ -104,6 +106,26 @@ public void destroy() { super.destroy(); servlet.getServletContext().removeAttribute(SECURE_PLUGIN); + } + + public String getHttpRedirectPage() { + return httpRedirectPage; + } + + public void setHttpRedirectPage(String httpRedirectPage) { + this.httpRedirectPage = httpRedirectPage; + } + + public boolean getSslExtAddSessionHttp() { + return Boolean.valueOf(getAddSessionHttp()).booleanValue(); + } + + public String getAddSessionHttp() { + return addSessionHttp; + } + + public void setAddSessionHttp(String addSessionHttp) { + this.addSessionHttp = addSessionHttp; } public void setHttpsPort(String s) { diff -ruN current\org\apache\struts\util\SecureRequestUtils.java new\org\apache\struts\util\SecureRequestUtils.java --- current\org\apache\struts\util\SecureRequestUtils.java Sun Sep 26 16:02:24 2004 +++ new\org\apache\struts\util\SecureRequestUtils.java Thu Oct 27 17:01:33 2005 @@ -1,7 +1,7 @@ /* - * $Header: /cvsroot/sslext/sslext120/src/org/apache/struts/util/SecureRequestUtils.java,v 1.2 2004/09/27 00:02:23 ditling Exp $ - * $Revision: 1.2 $ - * $Date: 2004/09/27 00:02:23 $ + * $Header: /data/repository/./sslext/src/java/org/apache/struts/util/SecureRequestUtils.java,v 1.1.1.1 2005/10/28 00:01:33 dshimy Exp $ + * $Revision: 1.1.1.1 $ + * $Date: 2005/10/28 00:01:33 $ * * ==================================================================== * 
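Review bot: The `@@ -104,6 +106,26 @@` hunk in SecureTilesPlugin is a verbatim copy of the accessor block added to SecurePlugIn in this same patch (fields `addSessionHttp`/`httpRedirectPage` plus five getters/setters), so the two classes now have to be kept in sync by hand, and the misspelled `DEAFULT_ADD_SESSION_HTTP` is already duplicated. Since both classes implement SecurePlugInInterface and already share the port/enable/addSession properties in the same shape, consider moving the shared property state and accessors into one helper (or a small abstract base the Tiles variant can delegate to) so a future change such as fixing the constant name or the default lands in one place. At minimum, a comment `// keep in sync with SecurePlugIn` on the new fields would flag the coupling. The class header and the rest of the class are outside this hunk.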
@@ -171,21 +171,26 @@ securePlugin.getHttpsPort() : securePlugin.getHttpPort(); - // If scheme and port we are using do not match the ones we want - if ((!desiredScheme.equals(usingScheme) || !desiredPort.equals(usingPort))) { - url.insert(0, startNewUrlString(request, desiredScheme, desiredPort)); - - // This is a hack to help us overcome the problem that some - // older browsers do not share sessions between http & https - // If this feature is disabled, session ID could still be added by - // the previous call to the RequestUtils.computeURL() method, - // but only if needed due to cookies disabled, etc. - if (securePlugin.getSslExtAddSession() && url.toString().indexOf(";jsessionid=") < 0) { - // Add the session identifier - url = new StringBuffer(toEncoded(url.toString(), - request.getSession().getId())); - } - } + // If scheme and port we are using do not match the ones we want + if ((!desiredScheme.equals(usingScheme) || !desiredPort.equals(usingPort))) { + url.insert(0, startNewUrlString(request, desiredScheme, desiredPort)); + + boolean addSession = securePlugin.getSslExtAddSession(); + if (desiredScheme.equals(HTTP) && securePlugin.getSslExtAddSessionHttp()) { + addSession = true; + } + + // This is a hack to help us overcome the problem that some + // older browsers do not share sessions between http & https + // If this feature is disabled, session ID could still be added by + // the previous call to the RequestUtils.computeURL() method, + // but only if needed due to cookies disabled, etc. + if (addSession && url.toString().indexOf(";jsessionid=") < 0) { + // Add the session identifier + url = new StringBuffer(toEncoded(url.toString(), + request.getSession().getId())); + } + } } } return url.toString(); 
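Review bot: The new override `if (desiredScheme.equals(HTTP) && securePlugin.getSslExtAddSessionHttp()) { addSession = true; }` forces the session id that was established over TLS into a cleartext http:// URL (via `toEncoded(url.toString(), request.getSession().getId())`), so it is visible on the wire and ends up in proxy/server logs and in the Referer header of the next navigation; the existing comment only talks about the old-browser cookie hack and does not mention this. I would add directly above the override: `// addSessionHttp deliberately copies the HTTPS session id into an http:// URL so SecureSessionFilter can re-establish the session there; the id is then exposed in cleartext (wire, logs, Referer), so only enable it when that is acceptable.`. Note that the override wins even when `addSession` was configured false, which the sample config in this mail relies on (`addSession=false`, `addSessionHttp=true`), so the comment should also say that addSessionHttp takes precedence for the HTTPS-to-HTTP direction. The enclosing method begins before this hunk.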
@@ -358,10 +363,10 @@ return false; } - Enumeration enum = aRequest.getAttributeNames(); + Enumeration enumeration = aRequest.getAttributeNames(); Map map = new HashMap(); - while (enum.hasMoreElements()) { - String name = (String) enum.nextElement(); + while (enumeration.hasMoreElements()) { + String name = (String) enumeration.nextElement(); map.put(name, aRequest.getAttribute(name)); } aRequest.getSession().setAttribute(STOWED_REQUEST_ATTRIBS, map); @@ -430,13 +435,18 @@ String desiredPort = Boolean.valueOf(isSecure).booleanValue() ? httpsPort : httpPort; String usingPort = String.valueOf(request.getServerPort()); - // Must also check ports, because of IE multiple redirect problem - if (!desiredScheme.equals(usingScheme) || !desiredPort.equals(usingPort)) { + // Must also check ports, because of IE multiple redirect problem + if (!desiredScheme.equals(usingScheme) || !desiredPort.equals(usingPort)) { - urlString = buildNewUrlString(request, - desiredScheme, - desiredPort, - securePlugin.getSslExtAddSession()); + boolean addSession = securePlugin.getSslExtAddSession(); + if (desiredScheme.equals(HTTP) && securePlugin.getSslExtAddSessionHttp()) { + addSession = true; + } + + urlString = buildNewUrlString(request, + desiredScheme, + desiredPort, + addSession); // Temporarily store attributes in session if (!SecureRequestUtils.stowRequestAttributes(request)) { @@ -534,9 +544,9 @@ */ private static Map getParameterMap(HttpServletRequest request) { Map map = new HashMap(); - Enumeration enum = request.getParameterNames(); - while (enum.hasMoreElements()) { - String name = (String) enum.nextElement(); + Enumeration enumeration = request.getParameterNames(); + while (enumeration.hasMoreElements()) { + String name = (String) enumeration.nextElement(); String[] values = request.getParameterValues(name); map.put(name, values); } 
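Review bot: The three lines `boolean addSession = securePlugin.getSslExtAddSession(); if (desiredScheme.equals(HTTP) && securePlugin.getSslExtAddSessionHttp()) { addSession = true; }` in the `@@ -430,13 +435,18 @@` hunk repeat exactly the block this patch adds to computeURL earlier in the same file, so the precedence rule (addSessionHttp overrides addSession for the HTTP direction) now lives in two places. I would give it a name once and call it from both sites: `private static boolean shouldAddSession(SecurePlugInInterface plugin, String desiredScheme) { return plugin.getSslExtAddSession() || (HTTP.equals(desiredScheme) && plugin.getSslExtAddSessionHttp()); }`, with `buildNewUrlString(request, desiredScheme, desiredPort, shouldAddSession(securePlugin, desiredScheme));` here. The enum-to-enumeration renames in the other two hunks are fine. The method this hunk patches starts and ends outside the hunk.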
@@ -566,11 +576,28 @@ // If a redirect string was generated, perform the redirect and return true if (redirectString != null) { - try { - // Redirect the page to the desired URL - aResponse.sendRedirect(aResponse.encodeRedirectURL(redirectString)); - return true; - } catch (Exception ioe) { + try { + + SecurePlugInInterface securePlugin = (SecurePlugInInterface) aContext.getAttribute(SecurePlugInInterface.SECURE_PLUGIN); + String redirectPage = securePlugin.getHttpRedirectPage(); + + if (securePlugin.getSslExtEnable() && + !SecureActionConfig.ANY.equalsIgnoreCase(aMapping.getSecure()) && + aRequest.getScheme().equals(HTTPS) && + redirectPage != null && + redirectPage.length() > 0) { + + aRequest.setAttribute(SecurePlugInInterface.SSLEXT_REDIRECT_URL, redirectString); + aRequest.getRequestDispatcher(redirectPage).forward(aRequest, aResponse); + return true; + + } + + // Redirect the page to the desired URL + aResponse.sendRedirect(aResponse.encodeRedirectURL(redirectString)); + return true; + + } catch (Exception ioe) { sLog.error("IOException in redirect" + ioe.getMessage()); } } diff -ruN current\org\apache\struts\util\SecureSessionFilter.java new\org\apache\struts\util\SecureSessionFilter.java --- current\org\apache\struts\util\SecureSessionFilter.java Wed Dec 31 16:00:00 1969 +++ new\org\apache\struts\util\SecureSessionFilter.java Thu Oct 27 17:01:33 2005 
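Review bot: The forward branch stores `redirectString` as `SSLEXT_REDIRECT_URL` and the sample redirect page in this mail then writes that attribute unescaped into a `<script>` string, a `<meta http-equiv="Refresh">` and an `href`; `redirectString` is built by buildNewUrlString from the incoming request (outside this hunk), so if it carries the request URI or query string this becomes a reflected XSS sink on the redirect page and the attribute should be documented as requiring output encoding (and ideally checked to point at this host) before the page emits it. Separately, `securePlugin` is read from the context attribute without a null check and the enlarged `try` now also covers `getRequestDispatcher(...).forward(...)`, so an NPE or a ServletException from the forward is swallowed by `catch (Exception ioe)` and logged as "IOException in redirect" with only `getMessage()`, leaving the request to fall through without any redirect. I would log the cause and keep the message honest: `sLog.error("Exception in redirect", ioe);`, and bail out explicitly if the plug-in attribute is missing. The surrounding method begins before and ends after this hunk.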
@@ -0,0 +1,54 @@
+package org.apache.struts.util;
+
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpSession;
+import java.io.IOException;
+
+/**
+ * This filter is used for when the user has a session created in SSL and wants to move
+ * to a non-ssl section of the site. The developer must place the jsessionid in the URL
+ * for this to work.
+ *
+ * @author Darian Shimy
+ * @version $Id: SecureSessionFilter.java,v 1.1.1.1 2005/10/28 00:01:33 dshimy Exp $
+ */
+public class SecureSessionFilter implements Filter {
+
+ private Log log = LogFactory.getLog(SecureSessionFilter.class);
+ private static final String JSESSIONID = "JSESSIONID";
+
+ public void init(FilterConfig filterConfig) throws ServletException {
+ }
+
+ public void doFilter(ServletRequest servletRequest,
+ ServletResponse servletResponse,
+ FilterChain chain)
+ throws IOException, ServletException {
+
+ HttpServletRequest request = (HttpServletRequest) servletRequest;
+ HttpServletResponse response = (HttpServletResponse) servletResponse;
+ HttpSession session = request.getSession();
+
+ if (!session.isNew() && !request.isRequestedSessionIdFromCookie()) {
+
+ log.debug("User does NOT have a session cookie, adding one");
+ Cookie newSessionCookie = new Cookie(JSESSIONID, session.getId());
+ newSessionCookie.setPath(request.getContextPath());
+ response.addCookie(newSessionCookie);
+
+ }
+
+ chain.doFilter(servletRequest, servletResponse);
+ }
+
+ public void destroy() {
+ }
+}
+
________________________________________ 
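Review bot: `doFilter` turns any session id that did not arrive in a cookie into a JSESSIONID cookie, and the only gate is `!session.isNew() && !request.isRequestedSessionIdFromCookie()`; with the filter mapped to `/*` that means a link carrying `;jsessionid=<id>` that resolves to an existing session is enough to pin that id into the victim's browser, which is the classic session-fixation shape, and `request.getSession()` also creates a session for every request (static resources included). I would at least use `HttpSession session = request.getSession(false);` and `if (session != null && !session.isNew() && request.isRequestedSessionIdValid() && !request.isRequestedSessionIdFromCookie()) {`, and say in the class Javadoc that the application must still regenerate the session id at login (invalidate and recreate) because this filter cannot tell a user's own URL-borne id from one planted by someone else. The cookie is written without Secure (intended here, it is for the HTTP side) and, since this servlet API level appears to have no `setHttpOnly`, without HttpOnly, so it becomes readable by script on the HTTP pages; note that in the Javadoc too. `setPath(request.getContextPath())` yields an empty path for the root context, which browsers interpret as the request's own directory rather than "/", so the cookie may not cover the whole application there; consider falling back to "/" when the context path is empty.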
From: Darian Shimy Sent: Friday, November 04, 2005 2:18 PM To: dev@struts.apache.org Subject: FIX: Session lost from HTTPS to HTTP and Redirect warning from IE I sent this email to the ssl-ext list last week and never got a response. A moderator needed to approve it due to its size and since there isn't too much activity on that list anymore, it may be lost in a spam filter somewhere. Nonetheless, in case anyone on this list is interested, here is the email.... ________________________________________ 
From: Darian Shimy Sent: Friday, October 28, 2005 11:27 AM To: '[EMAIL PROTECTED]' Subject: FIX: Session lost from HTTPS to HTTP and Redirect warning from IE I had some problems when a session was created in HTTPS and the user went to HTTP. There are security issues with this (the session identifier established over HTTPS is carried into plain HTTP, in the URL and then in a cookie); however, if you want this functionality to work, I have attached a patch (I apologize for the CVS Keyword expansion) for the changes, which include: 1. Changed variable names from enum to enumeration in SecureRequestUtils for JDK 1.5 compatibility. 2. Added a class SecureSessionFilter that will add a session cookie with the session ID when switching from HTTPS to HTTP if the user's session was not obtained from a cookie. This resolves the problem where a session created in HTTPS is lost when the user navigates to HTTP. The work-around before this filter was to put the session ID on all URLs, which has other consequences. To use this feature the addSessionHttp property must be true (it is what puts the session ID on the HTTPS-to-HTTP URL for the filter to pick up). 3. Added the ability to switch from HTTPS to HTTP with a client-side redirect instead of a 302 redirect. This solved the problem with Internet Explorer complaining that data submitted from a secure page was being sent to an insecure page. For the above changes I added two configuration parameters to the SecurePlugInInterface: 1. addSessionHttp - This boolean value must be set to true for the system to add the session ID to the URL when going from HTTPS to HTTP. The default is true. 2. httpRedirectPage - This is a JSP page in the webapp that the system will forward the request to (server-side, via a RequestDispatcher) when we need a redirect from HTTPS to HTTP and we don't want the nag screen; the target URL is passed to the page in the SSLEXT_REDIRECT_URL request attribute. 
Sample struts-config.xml fragment: <plug-in className="org.apache.struts.action.SecurePlugIn"> <set-property property="httpPort" value="80"/> <set-property property="httpsPort" value="443"/> <set-property property="enable" value="true"/> <set-property property="addSession" value="false"/> <set-property property="addSessionHttp" value="true"/> <set-property property="httpRedirectPage" value="/redirect.jsp"/> </plug-in> Sample web.xml fragment for filter: <filter> <filter-name>SessionProtocolFilter</filter-name> <filter-class>org.apache.struts.util.SecureSessionFilter</filter-class> </filter> <filter-mapping> <filter-name>SessionProtocolFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> Sample HTTP Redirect Page: <%@ page import="org.apache.struts.action.SecurePlugInInterface"%> <%@ page contentType="text/html;charset=UTF-8" language="java" %> <html> <head> <script language="JavaScript" type="text/javascript"> <!--window.location.replace("<%=request.getAttribute(SecurePlugInInterface.SSLEXT_REDIRECT_URL) %>"); // --> </script> <title>Please wait...</title> <meta http-equiv="Refresh" content="0; url=<%=request.getAttribute(SecurePlugInInterface.SSLEXT_REDIRECT_URL) %>"> </head> <body> If you are seeing this page, your browser settings prevent you from automatically redirecting to a new URL. <p> Please <a href="<%=request.getAttribute(SecurePlugInInterface.SSLEXT_REDIRECT_URL) %>">click here</a> to continue. </body> </html> Let me know if you have any questions. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]