Re: still fighting HTTP HTTPS problem
Mike. Dude. That IS the way to do it. 1) check to see if you ACTUALLY GET the 2 sessions (if you can get them, do a session.toString() to see that they are not the same session indeed) 2) you should be sending the serialized data from the unsecure session into the secured session: if you are using an non visual jsp to process it would go something like this a) get the query string and hold it b) get the data you want from the non-secure session, includeing the session id and encode it c) make an name value pair for the session stuff and dont forget to encode the value (unsecure_session_contents=thedatayouareholdingfromthesession) d) add the new name value pair to the query string you are holding e) forward the whole shebang to the secure url you are going to. f) on the secure side get the request and put the request.getParameter(unsecure_session_contents) into the new Secure session. g) do the same for the return trip, but remember when you return you have to try to look up the session with the id you saved. If its gone its because you timed out. - Original Message - From: Michael Wilimsky [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, May 11, 2001 6:20 AM Subject: still fighting HTTP HTTPS problem hello everyone... i still couldn´t find a solution on how to switch from let´s say http://localhost:myport/myapp/something.jsp to https://localhost:mysecureport/myapp/somethingelsethatneedstobesecure_oreven thesamepage.jsp while retaining resp. cloning the content of my sessioncontext... i am using the urlrewriting-method to manage my sessions as far as my experience tells me i get two different sessionIDs for http://localhost:myport/myapp/something.jsp and the corresponding https://localhost:mysecureport/myapp/something.jsp how can i copy the sessioncontext to the secure side and vice versa? michy
RE: still fighting HTTP HTTPS problem
well i am using a tomcat-standalone version... i know, that some webservers like apache would do that task for me... well jonathan... thanks... i´ll try it and get back to You if i have further questions... alright?! michy -Original Message- From: Rainer Alföldi [mailto:[EMAIL PROTECTED]] Sent: Freitag, 11. Mai 2001 17:28 To: [EMAIL PROTECTED]; Jonathan Asbell Subject: AW: still fighting HTTP HTTPS problem Hi Michael, hi Jonathan, does it have to be that complicated? We just put an apache in front of tomcat. period. tomcat doesn´t know what ports the requests are coming from. all ssl stuff is handled by apache. no problems. switching between https and http is totally transparent for tomcat = struts = for our application. Greetings Rainer -Ursprüngliche Nachricht- Von: Jonathan Asbell [mailto:[EMAIL PROTECTED]] Gesendet: Freitag, 11. Mai 2001 13:36 An: [EMAIL PROTECTED] Betreff: Re: still fighting HTTP HTTPS problem Mike. Dude. That IS the way to do it. 1) check to see if you ACTUALLY GET the 2 sessions (if you can get them, do a session.toString() to see that they are not the same session indeed) 2) you should be sending the serialized data from the unsecure session into the secured session: if you are using an non visual jsp to process it would go something like this a) get the query string and hold it b) get the data you want from the non-secure session, includeing the session id and encode it c) make an name value pair for the session stuff and dont forget to encode the value (unsecure_session_contents=thedatayouareholdingfromthesession) d) add the new name value pair to the query string you are holding e) forward the whole shebang to the secure url you are going to. f) on the secure side get the request and put the request.getParameter(unsecure_session_contents) into the new Secure session. g) do the same for the return trip, but remember when you return you have to try to look up the session with the id you saved. If its gone its because you timed out. - Original Message - From: Michael Wilimsky [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, May 11, 2001 6:20 AM Subject: still fighting HTTP HTTPS problem hello everyone... i still couldn´t find a solution on how to switch from let´s say http://localhost:myport/myapp/something.jsp to https://localhost:mysecureport/myapp/somethingelsethatneedstobesecure_oreven thesamepage.jsp while retaining resp. cloning the content of my sessioncontext... i am using the urlrewriting-method to manage my sessions as far as my experience tells me i get two different sessionIDs for http://localhost:myport/myapp/something.jsp and the corresponding https://localhost:mysecureport/myapp/something.jsp how can i copy the sessioncontext to the secure side and vice versa? michy
Re: still fighting HTTP HTTPS problem
Sorry Mike. I didnt intend to put you off. I was just trying to re-enforce that you were doing the correct thing. Cheers - Original Message - From: Michael Wilimsky [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, May 11, 2001 8:15 AM Subject: RE: still fighting HTTP HTTPS problem well i am using a tomcat-standalone version... i know, that some webservers like apache would do that task for me... well jonathan... thanks... i´ll try it and get back to You if i have further questions... alright?! michy -Original Message- From: Rainer Alföldi [mailto:[EMAIL PROTECTED]] Sent: Freitag, 11. Mai 2001 17:28 To: [EMAIL PROTECTED]; Jonathan Asbell Subject: AW: still fighting HTTP HTTPS problem Hi Michael, hi Jonathan, does it have to be that complicated? We just put an apache in front of tomcat. period. tomcat doesn´t know what ports the requests are coming from. all ssl stuff is handled by apache. no problems. switching between https and http is totally transparent for tomcat = struts = for our application. Greetings Rainer -Ursprüngliche Nachricht- Von: Jonathan Asbell [mailto:[EMAIL PROTECTED]] Gesendet: Freitag, 11. Mai 2001 13:36 An: [EMAIL PROTECTED] Betreff: Re: still fighting HTTP HTTPS problem Mike. Dude. That IS the way to do it. 1) check to see if you ACTUALLY GET the 2 sessions (if you can get them, do a session.toString() to see that they are not the same session indeed) 2) you should be sending the serialized data from the unsecure session into the secured session: if you are using an non visual jsp to process it would go something like this a) get the query string and hold it b) get the data you want from the non-secure session, includeing the session id and encode it c) make an name value pair for the session stuff and dont forget to encode the value (unsecure_session_contents=thedatayouareholdingfromthesession) d) add the new name value pair to the query string you are holding e) forward the whole shebang to the secure url you are going to. f) on the secure side get the request and put the request.getParameter(unsecure_session_contents) into the new Secure session. g) do the same for the return trip, but remember when you return you have to try to look up the session with the id you saved. If its gone its because you timed out. - Original Message - From: Michael Wilimsky [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, May 11, 2001 6:20 AM Subject: still fighting HTTP HTTPS problem hello everyone... i still couldn´t find a solution on how to switch from let´s say http://localhost:myport/myapp/something.jsp to https://localhost:mysecureport/myapp/somethingelsethatneedstobesecure_oreven thesamepage.jsp while retaining resp. cloning the content of my sessioncontext... i am using the urlrewriting-method to manage my sessions as far as my experience tells me i get two different sessionIDs for http://localhost:myport/myapp/something.jsp and the corresponding https://localhost:mysecureport/myapp/something.jsp how can i copy the sessioncontext to the secure side and vice versa? michy
Re: still fighting HTTP HTTPS problem
I'm using a standalone container, and I find that everything works transparently (only one session) if I resort to hard coding the scheme. Right now, I'm doing this in the Struts-config. forward name=standard path=http://data.wxxi.org/wxxi-gavel/register/logon.jsp/ forward name=secure path=https://data.wxxi.org/wxxi-gavel/register/logon.jsp/ which are called with code like this in the action String url = null; if (secureMode) { url = mapping.findForward(secure).getPath(); ActionForward actionForward = new ActionForward(url,true); return (actionForward); } else return (mapping.findForward(standard)); where I'm tracking secureMode as a session attribute. If they login or register in secure mode, I end the process with a [[ BIG LINK ]] that routes them back to the http scheme. Messy, but it gets me through the day. I haven't had time to think about it, but it seems to me that we should be able to work this into the custom tags. Struts is very good about automagically converting the links when you switch schemes, so it seems to me we should be able to force the tags to one scheme or the other, when appropriate. Michael Wilimsky wrote: hello everyone... i still couldn´t find a solution on how to switch from let´s say http://localhost:myport/myapp/something.jsp to https://localhost:mysecureport/myapp/somethingelsethatneedstobesecure_oreven thesamepage.jsp while retaining resp. cloning the content of my sessioncontext... i am using the urlrewriting-method to manage my sessions as far as my experience tells me i get two different sessionIDs for http://localhost:myport/myapp/something.jsp and the corresponding https://localhost:mysecureport/myapp/something.jsp how can i copy the sessioncontext to the secure side and vice versa? michy
Re: still fighting HTTP HTTPS problem
Ted, You can collapse your code down to this: return mapping.findForward(secureMode ? secure : standard); by adding redirect=true to your secure forward definition in struts-config. -- Martin Cooper At 01:25 PM 5/11/01, Ted Husted wrote: I'm using a standalone container, and I find that everything works transparently (only one session) if I resort to hard coding the scheme. Right now, I'm doing this in the Struts-config. forward name=standard path=http://data.wxxi.org/wxxi-gavel/register/logon.jsp/ forward name=secure path=https://data.wxxi.org/wxxi-gavel/register/logon.jsp/ which are called with code like this in the action String url = null; if (secureMode) { url = mapping.findForward(secure).getPath(); ActionForward actionForward = new ActionForward(url,true); return (actionForward); } else return (mapping.findForward(standard)); where I'm tracking secureMode as a session attribute. If they login or register in secure mode, I end the process with a [[ BIG LINK ]] that routes them back to the http scheme. Messy, but it gets me through the day. I haven't had time to think about it, but it seems to me that we should be able to work this into the custom tags. Struts is very good about automagically converting the links when you switch schemes, so it seems to me we should be able to force the tags to one scheme or the other, when appropriate. Michael Wilimsky wrote: hello everyone... i still couldn´t find a solution on how to switch from let´s say http://localhost:myport/myapp/something.jsp to https://localhost:mysecureport/myapp/somethingelsethatneedstobesecure_oreven thesamepage.jsp while retaining resp. cloning the content of my sessioncontext... i am using the urlrewriting-method to manage my sessions as far as my experience tells me i get two different sessionIDs for http://localhost:myport/myapp/something.jsp and the corresponding https://localhost:mysecureport/myapp/something.jsp how can i copy the sessioncontext to the secure side and vice versa? michy
Re: still fighting HTTP HTTPS problem
Are you saying that an http request can be forwarded to an https request? That doesn't make sense; if the browser doesn't have an https session setup, the server can do whatever it wants to resolve the request translation. You have to redirect to go from an http request to an https request. On Fri, 11 May 2001, Ted Husted wrote: I'm using a standalone container, and I find that everything works transparently (only one session) if I resort to hard coding the scheme. Right now, I'm doing this in the Struts-config. forward name=standard path=http://data.wxxi.org/wxxi-gavel/register/logon.jsp/ forward name=secure path=https://data.wxxi.org/wxxi-gavel/register/logon.jsp/ which are called with code like this in the action String url = null; if (secureMode) { url = mapping.findForward(secure).getPath(); ActionForward actionForward = new ActionForward(url,true); return (actionForward); } else return (mapping.findForward(standard)); where I'm tracking secureMode as a session attribute. If they login or register in secure mode, I end the process with a [[ BIG LINK ]] that routes them back to the http scheme. Messy, but it gets me through the day. I haven't had time to think about it, but it seems to me that we should be able to work this into the custom tags. Struts is very good about automagically converting the links when you switch schemes, so it seems to me we should be able to force the tags to one scheme or the other, when appropriate. Michael Wilimsky wrote: hello everyone... i still couldn´t find a solution on how to switch from let´s say http://localhost:myport/myapp/something.jsp to https://localhost:mysecureport/myapp/somethingelsethatneedstobesecure_oreven thesamepage.jsp while retaining resp. cloning the content of my sessioncontext... i am using the urlrewriting-method to manage my sessions as far as my experience tells me i get two different sessionIDs for http://localhost:myport/myapp/something.jsp and the corresponding https://localhost:mysecureport/myapp/something.jsp how can i copy the sessioncontext to the secure side and vice versa? michy cheers, -Ian -- Ian Kallen [EMAIL PROTECTED] | AIM: iankallen
Re: still fighting HTTP HTTPS problem
ActionForward actionForward = new ActionForward(url,true); The forward here is a bit of a misnomer. Using true forces a redirect. Ian Kallen wrote: Are you saying that an http request can be forwarded to an https request? That doesn't make sense; if the browser doesn't have an https session setup, the server can do whatever it wants to resolve the request translation. You have to redirect to go from an http request to an https request.