RE: [slight OT] SSLExt default behavior
Joe, How about changing the "any" default in org.apache.struts.config.SecureActionConfig to "false" in a WEB-INF/classes overriding class? The original code for that class from CVS is pretty bare bones: http://cvs.sourceforge.net/viewcvs.py/sslext/sslext120/src/org/apache/struts /config/SecureActionConfig.java?rev=1.1.1.1&view=auto /** * Extension of ActionMapping for use with sslext * @author Steve Ditlinger */ package org.apache.struts.config; import org.apache.struts.action.ActionMapping; public class SecureActionConfig extends ActionMapping { static public final String ANY = "any"; protected String secure = ANY; public void setSecure(String val) { this.secure = val; } public String getSecure() { return this.secure; } } You could add a: static public final String FALSE = "false"; and change the default secure variable to it: protected String secure = FALSE; :) Two lines in one little overriding class put into the WEB-INF/classes tree might do it. Unless I'm off again, which is possible at 2 in the morning. -David -Original Message- From: Joe Hertz [mailto:[EMAIL PROTECTED] Sent: Thursday, October 21, 2004 1:22 AM To: 'Struts Users Mailing List' Subject: RE: [slight OT] SSLExt default behavior Mostly non-existent SSLExt documentation aside, here's what I'm seeing happen Setting enable=false doesn't determine a default secure setting for actions -- setting it to false turns everything off. As in every ActionMapping behaves as if secure=false, *including* the ones where secure=true (it's that last half sentence that's the killer). The code change impacts the plugin settings too. Still, the relevant plugin code doesn't look too tough to follow. I'm just surprised I'm the first one grumbling about the behavior (shouldn't be I suppose...I've made a few posts like that -- If I aint careful, I'll win the curmudgeon merit badge). Figured/Hoped there was an easy yet undocumented way to configure that or that I was going about it the wrong way. > -Original Message- > From: David G. Friedman [mailto:[EMAIL PROTECTED] > Sent: Thursday, October 21, 2004 12:38 AM > To: Struts Users Mailing List > Subject: RE: [slight OT] SSLExt default behavior > > > Joe, > > This is SSLExt in Struts, right? So why can't you do this: > > > > > > > > > Or something like that? I took that line from the SSLExt > V1.2.0 CVS example > web/WEB-INF/struts-config.xml file and simply updated the httpPort, > httpsPort and enable properties to suggest what you're asking > about. Their > plugin also seems to exist for their version 1.1 SSLExt > webapp example. To > see this in CVS, click on the URL: > http://cvs.sourceforge.net/viewcvs.py/sslext/sslext120/web/WEB > -INF/struts-co > nfig.xml?rev=1.2&view=auto > > If that doesn't work, you could probably copy their > org.apache.struts.action.SecurePlugInInterface, change the line: > static final String DEFAULT_ENABLE = "true"; > > TO: > static final String DEFAULT_ENABLE = "false"; > > and copy your compiled class to: > > /WEB-INF/classes/org/apache/struts/action/SecurePlugInInterface.class > > so it overrides the "true","any","false" setting as you desire. > > Unless, of course, I'm pointing you to the wrong default > variable's name. :) > > I hope these two simple ideas for a solution help. Please > let me know. > > Regards, > David > > -Original Message- > From: Joe Hertz [mailto:[EMAIL PROTECTED] > Sent: Wednesday, October 20, 2004 5:34 PM > To: 'Struts Users Mailing List' > Subject: [slight OT] SSLExt default behavior > > > Anyone aware of if there is a way to specify the default > behavior for the > secure set-property for Actions when using SSLExt? > > I'm taking an existing struts app and adding https pages to > it with SSLExt. > Simple enough. > > But it seems as if an action, should "secure" be unspecified, > will default > to the same behavior as if it was set to "any", i.e. the > action will work > over http or https. > > So what happens is once the user goes to an https required page > (secure=true), all of the other actions he hits are quite > happy to keep him > in https. The application wont break/care, but this would > mean the hosting > costs go up unnecessarily (https counts more against the bandwidth > limitation). > > So does anyone know if there a way to get SSLExt to treat an > unspecified > secure set-property as == "false", rather than "any"? I can > fix this the > hard way,
RE: [slight OT] SSLExt default behavior
Mostly non-existent SSLExt documentation aside, here's what I'm seeing happen Setting enable=false doesn't determine a default secure setting for actions -- setting it to false turns everything off. As in every ActionMapping behaves as if secure=false, *including* the ones where secure=true (it's that last half sentence that's the killer). The code change impacts the plugin settings too. Still, the relevant plugin code doesn't look too tough to follow. I'm just surprised I'm the first one grumbling about the behavior (shouldn't be I suppose...I've made a few posts like that -- If I aint careful, I'll win the curmudgeon merit badge). Figured/Hoped there was an easy yet undocumented way to configure that or that I was going about it the wrong way. > -Original Message- > From: David G. Friedman [mailto:[EMAIL PROTECTED] > Sent: Thursday, October 21, 2004 12:38 AM > To: Struts Users Mailing List > Subject: RE: [slight OT] SSLExt default behavior > > > Joe, > > This is SSLExt in Struts, right? So why can't you do this: > > > > > > > > > Or something like that? I took that line from the SSLExt > V1.2.0 CVS example > web/WEB-INF/struts-config.xml file and simply updated the httpPort, > httpsPort and enable properties to suggest what you're asking > about. Their > plugin also seems to exist for their version 1.1 SSLExt > webapp example. To > see this in CVS, click on the URL: > http://cvs.sourceforge.net/viewcvs.py/sslext/sslext120/web/WEB > -INF/struts-co > nfig.xml?rev=1.2&view=auto > > If that doesn't work, you could probably copy their > org.apache.struts.action.SecurePlugInInterface, change the line: > static final String DEFAULT_ENABLE = "true"; > > TO: > static final String DEFAULT_ENABLE = "false"; > > and copy your compiled class to: > > /WEB-INF/classes/org/apache/struts/action/SecurePlugInInterface.class > > so it overrides the "true","any","false" setting as you desire. > > Unless, of course, I'm pointing you to the wrong default > variable's name. :) > > I hope these two simple ideas for a solution help. Please > let me know. > > Regards, > David > > -Original Message- > From: Joe Hertz [mailto:[EMAIL PROTECTED] > Sent: Wednesday, October 20, 2004 5:34 PM > To: 'Struts Users Mailing List' > Subject: [slight OT] SSLExt default behavior > > > Anyone aware of if there is a way to specify the default > behavior for the > secure set-property for Actions when using SSLExt? > > I'm taking an existing struts app and adding https pages to > it with SSLExt. > Simple enough. > > But it seems as if an action, should "secure" be unspecified, > will default > to the same behavior as if it was set to "any", i.e. the > action will work > over http or https. > > So what happens is once the user goes to an https required page > (secure=true), all of the other actions he hits are quite > happy to keep him > in https. The application wont break/care, but this would > mean the hosting > costs go up unnecessarily (https counts more against the bandwidth > limitation). > > So does anyone know if there a way to get SSLExt to treat an > unspecified > secure set-property as == "false", rather than "any"? I can > fix this the > hard way, but I'd like to believe I shouldn't have to... > > TIA > > -Joe > > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: [slight OT] SSLExt default behavior
Joe, This is SSLExt in Struts, right? So why can't you do this: Or something like that? I took that line from the SSLExt V1.2.0 CVS example web/WEB-INF/struts-config.xml file and simply updated the httpPort, httpsPort and enable properties to suggest what you're asking about. Their plugin also seems to exist for their version 1.1 SSLExt webapp example. To see this in CVS, click on the URL: http://cvs.sourceforge.net/viewcvs.py/sslext/sslext120/web/WEB-INF/struts-co nfig.xml?rev=1.2&view=auto If that doesn't work, you could probably copy their org.apache.struts.action.SecurePlugInInterface, change the line: static final String DEFAULT_ENABLE = "true"; TO: static final String DEFAULT_ENABLE = "false"; and copy your compiled class to: /WEB-INF/classes/org/apache/struts/action/SecurePlugInInterface.class so it overrides the "true","any","false" setting as you desire. Unless, of course, I'm pointing you to the wrong default variable's name. :) I hope these two simple ideas for a solution help. Please let me know. Regards, David -Original Message- From: Joe Hertz [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 20, 2004 5:34 PM To: 'Struts Users Mailing List' Subject: [slight OT] SSLExt default behavior Anyone aware of if there is a way to specify the default behavior for the secure set-property for Actions when using SSLExt? I'm taking an existing struts app and adding https pages to it with SSLExt. Simple enough. But it seems as if an action, should "secure" be unspecified, will default to the same behavior as if it was set to "any", i.e. the action will work over http or https. So what happens is once the user goes to an https required page (secure=true), all of the other actions he hits are quite happy to keep him in https. The application wont break/care, but this would mean the hosting costs go up unnecessarily (https counts more against the bandwidth limitation). So does anyone know if there a way to get SSLExt to treat an unspecified secure set-property as == "false", rather than "any"? I can fix this the hard way, but I'd like to believe I shouldn't have to... TIA -Joe - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]