Re: redirecting a non-secure request to one that uses https

2007-07-11 Thread Toni Lyytikäinen

Google is your friend,
http://java.sun.com/products/servlet/2.2/javadoc/javax/servlet/http/HttpServletResponse.html#sendRedirect(java.lang.String)

You can get the URL with a method in the HttpServletRequest class,
getRequestURL(), substitute https for http in there and redirect to that
page with response.sendRedirect(..). That will exclude any parameters,
however, but if needed, implementing that is left as an exercise...

In HTTP, pages don't send data to pages, but rather browsers get responses
from servers by sending requests. The problem with this kind of interceptor
is that if an interceptor catches a request that is not secure, then the
request (and all its parameters, more importantly) has already travelled
across the internet from the browser to the server unprotected. If that
request is redirected to an SSL-protected page, it will only make the
browser send the request again, protected this time, but as it already has
travelled across the lines with no protection, this approach is not actually
protecting the data in the request. Such a filter (or interceptor) should
only be used for testing that the page flow is working with SSL all the
time, not for any actual production use (or at least I can't imagine a
situation where it would fit).


On 7/10/07, Session A Mwamufiya [EMAIL PROTECTED] wrote:


Hi Tony,

Thanks for the reply.  I use an interceptor to check the
HttpServletRequest's isSecure() method in order to determine if it is secure
or not.  I've never used the HttpServletResponse object and I'm not sure how
to redirect to the same address but with https.  The redirecting won't be to
only one page, but will depend on the request.  All of the pages in my web
app are controlled by actions, so there's no data being sent from one page
to another without the original page being intercepted to check for ssl
usage.  Please let me know how to use HttpServletResponse for redirecting.

Thanks,
Session


 It may be an ugly hack, but it has worked for some of my actions. If you
 return null instead of the action name to be invoked, you can use a
 response object to send information directly to the user. The
 HttpServletRequest object has method isSecure() which you can use to
 determine whether the request is secure or not. If it's not, use the
 HttpServletResponse object to redirect the user to the secure location.

 The other approach is to make a plain simple filter to do this, since you
 probably won't need any of the Struts features for this kind of task.

 But this shouldn't be used for anything but simple front page redirects.

 If the user sends a non-SSL request then he has already sent all the
 information unprotected across the internet, and just redirecting him to
 an SSL-protected page doesn't really help in securing the application.

 On 7/10/07, Session A Mwamufiya [EMAIL PROTECTED] wrote:

 Hi All,

 I've installed SSL on my JBoss container (it works) and have created an
 interceptor that checks that the requests to my web app are secure
 (using https).  I would like to redirect all non-secure requests to use
 ssl and have https in the address.  How can this be done?  I'm not sure
 how to tweak the request object or the action invocation to make this
 happen.

 Thanks, Session







-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
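
The redirect discussed in the message above, written as a plain servlet filter; this is an added example, not code posted by anyone in the thread. It re-attaches the query string that getRequestURL() leaves out, and it refuses non-GET plain-HTTP requests instead of redirecting them, since their bodies have already crossed the network unprotected. The class name, the `secureHost` init-param and the choice of a 403 response are assumptions; the target is built from a configured host rather than by substituting https in getRequestURL(), so the port and host do not depend on what the client sent.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: sends plain-HTTP GET/HEAD requests to the HTTPS origin. */
public class HttpsRedirectFilter implements Filter {
    // Assumed init-param, e.g. "www.example.com" or "www.example.com:8443".
    private String secureHost;
    public void init(FilterConfig cfg) throws ServletException {
        secureHost = cfg.getInitParameter("secureHost");
        if (secureHost == null || secureHost.length() == 0) {
            throw new ServletException("init-param secureHost is required");
        }
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        if (req.isSecure()) {
            chain.doFilter(rq, rs);   // already on SSL, continue normally
            return;
        }
        String method = req.getMethod();
        if (!"GET".equals(method) && !"HEAD".equals(method)) {
            // A POST body has already crossed the network in the clear; a
            // redirect cannot undo that, so fail loudly instead of hiding it.
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        res.sendRedirect(secureUrl(secureHost, req.getRequestURI(), req.getQueryString()));
    }

    /** Builds https://host + path, re-attaching the query string if present. */
    static String secureUrl(String host, String uri, String query) {
        StringBuffer url = new StringBuffer("https://").append(host).append(uri);
        if (query != null) {
            url.append('?').append(query);   // getRequestURL() alone drops this
        }
        return url.toString();
    }
    public void destroy() { }
}
```

The query string of a redirected GET has still been sent once in the clear, so links and forms that carry sensitive parameters need to point at https URLs in the first place.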




Re: redirecting a non-secure request to one that uses https

2007-07-10 Thread Toni Lyytikäinen

It may be an ugly hack, but it has worked for some of my actions. If you
return null instead of the action name to be invoked, you can use a
response object to send information directly to the user. The
HttpServletRequest object has method isSecure() which you can use to
determine whether the request is secure or not. If it's not, use the
HttpServletResponse object to redirect the user to the secure location.

The other approach is to make a plain simple filter to do this, since you
probably won't need any of the Struts features for this kind of task.

But this shouldn't be used for anything but simple front page redirects. If
the user sends a non-SSL request then he has already sent all the
information unprotected across the internet, and just redirecting him to an
SSL-protected page doesn't really help in securing the application.

On 7/10/07, Session A Mwamufiya [EMAIL PROTECTED] wrote:


Hi All,

I've installed SSL on my JBoss container (it works) and have created an
interceptor that checks that the requests to my web app are secure (using
https).  I would like to redirect all non-secure requests to use ssl and
have https in the address.  How can this be done?  I'm not sure how to tweak
the request object or the action invocation to make this happen.

Thanks,
Session






Re: redirecting a non-secure request to one that uses https

2007-07-10 Thread Session A Mwamufiya

Hi Tony,

Thanks for the reply.  I use an interceptor to check the HttpServletRequest's 
isSecure() method in order to determine if it is secure or not.  I've never 
used the HttpServletResponse object and I'm not sure how to redirect to the 
same address but with https.  The redirecting won't be to only one page, but 
will depend on the request.  All of the pages in my web app are controlled by 
actions, so there's no data being sent from one page to another without the 
original page being intercepted to check for ssl usage.  Please let me know how 
to use HttpServletResponse for redirecting.

Thanks,
Session


 It may be an ugly hack, but it has worked for some of my actions. If you 
 return null instead of the action name to be invoked, you can use a 
 response object to send information directly to the user. The 
 HttpServletRequest object has method isSecure() which you can use to 
 determine whether the request is secure or not. If it's not, use the 
 HttpServletResponse object to redirect the user to the secure location.
 
 The other approach is to make a plain simple filter to do this, since you
  probably won't need any of the Struts features for this kind of task.
 
 But this shouldn't be used for anything but simple front page redirects.
 If the user sends a non-SSL request then he has already sent all the 
 information unprotected across the internet, and just redirecting him to
 an SSL-protected page doesn't really help in securing the application.
 
 On 7/10/07, Session A Mwamufiya [EMAIL PROTECTED] wrote:
 
 Hi All,
 
 I've installed SSL on my JBoss container (it works) and have created an
  interceptor that checks that the requests to my web app are secure
 (using https).  I would like to redirect all non-secure requests to use
 ssl and have https in the address.  How can this be done?  I'm not sure
 how to tweak the request object or the action invocation to make this
 happen.
 
 Thanks, Session
 
 
 
 
 

