Adam stole my thunder... :) If you're carrying session data between secure and 
non-secure sections, you will lose one in transit for precisely the reason Adam 
gave.

If you're in a secure area make sure it's always secure. Are you performing any 
SSL offloading at Apache? I have found offloading SSL at the Apache HTTPD 
front end to be significantly easier to manage than in Tomcat/WebLogic/[pick 
container].

Tim

From: Adam Stokar [mailto:ajsto...@gmail.com]
Sent: Monday, September 17, 2012 10:24 AM
To: Stripes Users List
Subject: Re: [Stripes-users] SSL newbie

Hey Brian,

You should force all your requests to https to ensure that no one can change 
the URL from a secure page to a non-secure page. Then you can add a Stripes 
Interceptor that checks if the request requires https or not and allow the ones 
that don't to pass through. Keep in mind that "switching" between http and 
https isn't really possible if you intend to use a session variable on the 
server side. Browsers create a new session id when you switch between the two, 
even if the rest of the URL is the same.

- Adam

On Mon, Sep 17, 2012 at 10:16 AM, Brian McSweeney 
<brian.mcswee...@gmail.com> wrote:
Hi guys,

I have a stripes webapp that I would like to add SSL support for in a few pages 
only.

I've come from a struts background where we had ssl-ext as an extension which 
simplified this. I've also searched the archives and come across 
http://www.stripesframework.org/jira/browse/STS-239 and some questioning 
threads about this topic none of which have been comprehensively resolved to me.

Can someone point me at a solution/approach to securing a few pages in stripes 
and switching between http and https?

cheers,
Brian

_______________________________________________
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users
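
The interceptor approach suggested in this thread, sketched as an added example (not code from the thread or from the Stripes project). The PlainHttpAllowed annotation is hypothetical, and the X-Forwarded-Proto check assumes an Apache front end that terminates SSL, sets that header itself and discards any copy sent by the client.

```java
import java.lang.annotation.*;
import javax.servlet.http.*;
import net.sourceforge.stripes.action.*;
import net.sourceforge.stripes.controller.*;

// Added example; register through the Stripes filter's Interceptor.Classes init-param.
@Intercepts(LifecycleStage.ActionBeanResolution)
public class HttpsOnlyInterceptor implements Interceptor {

    /** Hypothetical opt-out marker: action beans that may be served over plain http. */
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.TYPE)
    public @interface PlainHttpAllowed {}

    public Resolution intercept(ExecutionContext ctx) throws Exception {
        Resolution next = ctx.proceed();               // lets Stripes resolve the ActionBean
        ActionBean bean = ctx.getActionBean();
        HttpServletRequest req = ctx.getActionBeanContext().getRequest();

        // Secure by default: only explicitly marked beans are let through over http.
        if (bean == null || isSecure(req)
                || bean.getClass().isAnnotationPresent(PlainHttpAllowed.class)) {
            return next;
        }
        // A non-GET body has already crossed the wire in clear text; refuse it
        // instead of redirecting so the form gets fixed to post to https.
        if (!"GET".equalsIgnoreCase(req.getMethod())) {
            return new ErrorResolution(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
        }
        // Assumes https is served on the default port 443 under the same host name.
        final String target = "https://" + req.getServerName() + req.getRequestURI()
                + (req.getQueryString() == null ? "" : "?" + req.getQueryString());
        return new Resolution() {
            public void execute(HttpServletRequest rq, HttpServletResponse rs)
                    throws Exception {
                rs.sendRedirect(target);
            }
        };
    }

    private static boolean isSecure(HttpServletRequest req) {
        // With SSL offloaded at the front end the container sees plain http, so the
        // forwarded scheme is consulted too (assumption: header is set by the proxy).
        return req.isSecure()
                || "https".equalsIgnoreCase(req.getHeader("X-Forwarded-Proto"));
    }
}
```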


