Indeed! ;-) I think it would help a lot. A workaround solution I tried before your suggestion was making the forwading secure (the page, the action, whatever it takes ;) ), that way I eliminated the pop-up. But I think was a very unwise solution, especially when my aim is performance, and I don't need those pages to be secure for now.
If the WHATEVER value helps to eliminate the pop-up I totally agree. Most of the users get confused and scared with this security messages, specially when they are people of financial market like mine.. ;-) I have some other comments to you about the extension. Should I write them here, or should I write them to you directly? Thanks! Jorge Ivan Suarez Factoring Market. ----- Mensaje original ----- De: "Ditlinger, Steve" <[EMAIL PROTECTED]> Fecha: Lunes, Marzo 18, 2002 4:04 pm Asunto: RE: RE: Big Problem Dealing with SSL!! (Using S. Ditlinger's ext. ) > Good! > > I don't think there is any way of eliminating the pop-up message > (except by > the browser user disabling it) since you are in fact redirecting > from a > secure to a non-secure page. > > We have been thinking of changing the extension so that the "secure" > property has 3 possible values: SECURE (for https), NON-SECURE > (for http) > and WHATEVER (to accept either protocol). Using the WHATEVER > value would > help cut down on those message dialogs. Do you think this would be > worthwhile? > > Steve > > -----Original Message----- > From: jorisumu [mailto:[EMAIL PROTECTED]] > Sent: Monday, March 18, 2002 11:57 AM > To: Ditlinger Steve > Subject: Re: RE: Big Problem Dealing with SSL!! (Using S. Ditlinger's > ext.) > > > Well it worked! :-D > > After adding the redirect="true" attribute to the forward > definition > the login are not present anymore in the transmition. But I still > get > the pop-up message though. I guess I can live with this for now. > > Thanks a lot! > > Jorge > > ----- Mensaje original ----- > De: "Ditlinger, Steve" <[EMAIL PROTECTED]> > Fecha: Lunes, Marzo 18, 2002 1:18 pm > Asunto: RE: Big Problem Dealing with SSL!! (Using S. Ditlinger's ext.) > > > If you change the forward definition to this: > > > > <global-forwards>..... > > <forward name="account.fwd" path= > > ...</global-forwards> > > > > you should eliminate the presence of the logon parameters in the > query> string. > > > > The extension we wrote redirects a page using the correct > protocol (if > > necessary). One of the consequences of a redirect is the loss > of > > postedparameters. For this reason, in our extension, we put > > posted parameters > > into the query string. This can be annoying in many cases and > > just bad in > > other cases such as for login parameters (like yours). > > > > In your case, after you have executed logonAction, you shouldn't > > need the > > login parameters any more, but when you forward to the non- > secured > > action,our extension will try to save them in the query string. > > By specifying > > "redirect=true" in the forward, you will cause Struts to use > > redirect rather > > than forward when it requests "account.do", which will clean out > > the logon > > attributes before our extension ever has a chance to redirect > > using the > > non-secure protocol. > > > > hth, > > Steve > > > > > > -----Original Message----- > > From: jorisumu [mailto:[EMAIL PROTECTED]] > > Sent: Thursday, March 14, 2002 4:49 PM > > To: [EMAIL PROTECTED] > > Subject: Big Problem Dealing with SSL!! (Using S. Ditlinger's ext.) > > > > > > Hi all! > > > > I discover a few days ago the famous article at JavaWorld by > Steve > > Ditlinger (http://www.javaworld.com/javaworld/jw-02-2002/jw-0215- > > ssl.html). > > > > Then after looking at the archives of this mail-list I > discovered > > HE > > actually made an implementation of the ideas expressed on the > > article > > as a struts extension (http://struts.ditlinger.com). > > > > Well, I'm in the middle of the development of a web-app using > > Struts. > > So I decided to try it! Thanks Steve, is really cool!!! It gave > me > > a > > little trouble on the beggining, but were about just config > > issues. (I > > trully encourage you to document the extension a little more ;-) ). > > > > Now I have a little problem: I have this logon action defined in > > my > > struts-config.xml: > > > > <action path="/logon" > > type="com.factoringmarket.web.LogonAction" > > name="logonForm" > > scope="request" > > input="/logon.jsp"> > > <set-property property="secure" value="true"/> > > > > > > That call it from my jsp this way: > > > > <sslext:form action="/logon" focus="membername"> > > ....... > > </sslext:form> > > > > My problem comes when in the LogonAction's perform() I return a > > forward > > to a non-secure page that is actually defined in the struts- > > config.xml > > file as a global forward like this: > > <global-forwards>..... > > <forward name="account.fwd" path= > > ...</global-forwards> > > > > Then I got the pop-up message in the browser: "You are about to > be > > redirected to a connection that is not secure. The information > you > > are > > sending to the current site might be retransmitted to a > nonsecure > > site. > > Do you wish to continue?" So I got curious and checked the > > transmition > > with a protocol analizer and I can clearly see in the > > transmition: "GE > > So I'm confused... Why's happening this? what am I doing wrog? > How > > can > > avoid this retransmition? :-O > > > > Thanks a lot guys! > > > > > > > ___________________________________________________________________ > > Consigue tu e-mail gratuito TERRA.COM.CO > > Haz click en http://www1.terra.com.co/correo > > > > > > > ___________________________________________________________________ > Consigue tu e-mail gratuito TERRA.COM.CO > Haz click en http://www1.terra.com.co/correo > > > -- > To unsubscribe, e-mail: <mailto:struts-user- > [EMAIL PROTECTED]>For additional commands, e-mail: > <mailto:[EMAIL PROTECTED]> > > ___________________________________________________________________ Consigue tu e-mail gratuito TERRA.COM.CO Haz click en http://www1.terra.com.co/correo -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
