Hi Stephane, Here is how the system currently appears to work:
1. User is on shopping cart page, clicks "checkout", the form is submitted unencrypted to the ShoppingCartAction (which is fine since it isn't supposed to be secure). 2. ShoppingCartAction does its magic (saves cart changes, for instance) and then forwards to the checkout JSP. 3. checkout.jsp has an <sslext:pageScheme> tag in it that says it is supposed to be secure. The current request was not secure, so the tag creates a redirect to the secure port with all the request parameters appended to the URL as a query string. By the time the app figures out that you want to go to the checkout, it is too late so sslext can't really help too much. The request has already been sent, and it wasn't secure. Some design changes are needed to make the switch to the https port in what I consider to be an acceptable manner. Here are some possible solutions: 1. I don't like this one, but you could have JavaScript submit the shopping cart form to ShoppingCartAction securely by changing the action to an absolute URL that starts with https when the user clicks the "checkout" button. There is an <sslext:rewite> tag that would be useful for this purpose. 2. If you have a checkout button other places on the site (not a form submit, but rather a simple link to some kind of CheckoutAction), you could have the ShoppingCartAction redirect to the CheckoutAction when it is done processing the changes in the cart. I am not sure if sslext will work its magic on <forward>s, which in this case is actually going to be a redirect by setting redirect="true" on the <forward>. If sslext doesn't "fix" the redirect, I believe we can get Steve (sslext author) to make this change. It should work that way, IMO. Even if it doesn't switch on the redirect, it will switch with a second redirect so long as CheckoutAction is specified as a secure action. This would require the least amount of changes to the current actions if you already have a simple checkout link, and for that reason is my favorite solution if it would work for you. NOTE: This would be the app making the redirect to a different page, which is totally okay in my opinion -- my aversion to redirects is limited only to sslext doing the redirect itself to correct the port that the current request came in on. 3. If you don't have a simple checkout link, you could rework the app to make this work. This is a good idea anyway to encourage users to get to the checkout. The checkout action would need to access the contents of the cart from the session (since that information won't be coming in on the request), perhaps by accessing the shopping cart ActionForm from the session. Perhaps one of the property copying utilities from commons-beanutils would be useful for copying the cart contents to the checkout ActionForm. Once you get the simple checkout link working, just do a redirect to it as described in #3 above. 4. You could remove the <sslext:pageScheme> tag from checkout.jsp, which would avoid the redirect upon entering the page. The form on that page will submit the form securely since you have the sslext:form tag there and the action it submits to has been configured to be secure in struts-config.xml. However, this is one of those cases where users are likely to prefer that the form page itself is already secure, even though it isn't technically necessary. A note on the pageScheme tag: If all your pages are Struts actions and you use sslext:form and sslext:link to navigate to your secure actions, there is no need for the sslext:pageScheme tags. Configuring the actions in struts-config.xml is all that is needed (which I also prefer for its simplicity). The tag is convenient if you have directly-accessed JSPs and things that need to be secured and you "dip" the site one level deeper into the SSL bin, but otherwise they are of no value. -Max ----- Original Message ----- From: "Stephane Grenier" <[EMAIL PROTECTED]> To: "Max Cooper" <[EMAIL PROTECTED]>; "Struts Users Mailing List" <[EMAIL PROTECTED]> Sent: Friday, September 12, 2003 5:40 PM Subject: Re: sslext can only get it to post > Hello Max. > > Thank you for the information. You cleared up some vagueness in my > understanding. However let me expand more into the details. The thing is I'm > not sure how to actually implement what you have just said, I actually think > that is what I'm currently doing which it is obviously not... > > If you don't mind I'm sending you my relevant chunks of code. I would like > to have the shopping cart page not secure, but once moving to the checkout > section to start the ssl security. > > Struts-config.xml > > <form-beans> > <form-bean name="ShoppingCartForm" > type="com.rana.release.forms.ShoppingCartForm" /> > <form-bean name="CheckoutForm" > type="com.rana.release.forms.ssl.CheckoutForm" /> > </form-beans> > > <action-mappings type="org.apache.struts.config.SecureActionConfig"> > <action path="/ShoppingCartAction" > type="com.rana.release.actions.ShoppingCartAction" > name="ShoppingCartForm" > scope="request"> > <set-property property="secure" value="true"/> > <forward name="update" path="/shoppingCart.jsp"/> > <forward name="checkout" path="/purchase.jsp"/> > <forward name="failure" path="/contacts.jsp"/> > </action> > <action path="/CheckoutAction" > type="com.rana.release.actions.ssl.CheckoutAction" > name="CheckoutForm" > scope="request"> > <set-property property="secure" value="true"/> > <forward name="success" path="/contacts.jsp"/> > </action> > </action-mappings> > > <plug-in className="org.apache.struts.action.SecurePlugIn"> > <set-property property="httpPort" value="8080"/> > <set-property property="httpsPort" value="8443"/> > <set-property property="enable" value="true"/> > </plug-in> > > I've tried to play with the secure settings, could you confirm these ? I > can't seem to make the app work correctly unless it's as the above > specified. > > The action classes currently only contain : > > System.out.println("...................>>>> whichAction"); > return (mapping.findForward("success")); > > and the formpages are very basic. The first page, shoppingCart.jsp: > > <sslext:pageScheme secure="false" /> > <html:form action="ShoppingCartAction" name="ShoppingCartForm" > type="com.rana.release.forms.ShoppingCartForm" scope="request" > method="POST"> > <td><html:text property="quantity" size="4"/></td> > <td align="right"><html:image property="checkout" > src="images/buttons/Checkout.jpg" border="0" /></td> > </html:form> > > I didn't use the sslext:form tag since it doesn't need to be encrypted. Also > I know the action says for it to be secured, and this to me doesn't quite > make sense, but it was the only way I could make it work. > > Lastly the checkout.jsp > > <!--<sslext:pageScheme secure="true" />--> > <sslext:form action="CheckoutAction" name="CheckoutForm" > type="com.rana.release.forms.ssl.CheckoutForm" scope="request" > method="POST"> > <td><input type="image" name="checkout" > src="images/buttons/referralRewardProgram.jpg" border="0"></td> > </sslext:form> > > I played with the sslext:pageScheme tag and I as I understand this is mostly > a check to verify that the page is indeed secure, in case someone came in > from just the address or what have you. > > And btw, the server.xml is : > > <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 --> > <Connector className="org.apache.catalina.connector.http.HttpConnector" > port="8443" minProcessors="5" maxProcessors="75" > enableLookups="true" > acceptCount="10" debug="0" scheme="https" secure="true"> > <Factory className="org.apache.catalina.net.SSLServerSocketFactory" > clientAuth="false" protocol="TLS"/> > > Thank you for the help, > Stephane > > > > ----- Original Message ----- > From: "Max Cooper" <[EMAIL PROTECTED]> > To: "Struts Users Mailing List" <[EMAIL PROTECTED]>; "Stephane > Grenier" <[EMAIL PROTECTED]> > Sent: Friday, September 12, 2003 5:41 PM > Subject: Re: sslext can only get it to post > > > > Stephane, > > > > The parameters are getting appended to the URL because sslext is doing a > > redirect. So the POST is probably working, but then sslext thinks the > > request should have arrived on the other port, and since you can't do a > POST > > in a redirect, sslext appends the POSTed data to the URL as a query string > > and sends that as a redirect. Finally, the redirect comes in as a GET with > > the params on the query string. The solution is to configure the app so > that > > the form will POST to the right port (i.e. have sslext write an absolute > URL > > for you) and won't have to redirect. > > > > The real strength of sslext is that you can specify which actions are > > secure, and then as long as you use the sslext tags to navigate to that > > action (either with a link or a form tag), sslext will get you there > WITHOUT > > HAVING TO DO A REDIRECT. That last part is important -- in my opinion, the > > app should be written such that sslext never has to do a redirect. It will > > do redirects for your convenience, but that is inefficient, turns POSTs > into > > GETs, and has some security problems (there is no point in making a page > > secure if you are going to submit a form without SSL and then redirect it > to > > the SSL port). > > > > An alternative approach is to "dip" your site one level deeper in SSL. For > > instance, if you want a form submittal to be secure, you can dip your site > > in the SSL a little deeper by specifying that BOTH the request that > displays > > the form and the form submittal request itself are secure. Technically, > you > > don't need to secure the request that displays the form, but by making it > > secure you avoid the redirect on the form submittal since you are already > on > > the secure port. If you end up getting a redirect at form submittal, the > > effort to secure that form has been a folly since the form data has > already > > passed over the network unencrypted twice and sticks in the browser's > > history after the redirect. I don't like this approach in most instances, > > and sslext gives you the power to do better without much effort. Here are > > some reasons I don't like it: > > 1) it is inefficient since it relies on using redirects to switch ports > > 2) it is inefficient since it requires sending more data over SSL than > > necessary (debatable) > > 3) it's too easy to inadvertently create security holes by forgetting to > > make the "display form" request secure > > 4) it is messy since you end up specifying which pages should be secure in > > several different ways (as opposed to ONLY doing it in struts-config.xml) > > > > Securing the "display form" request actually is appropriate in many > > instances, even though that request doesn't technically need to be > > encrypted. Users often want to get some feedback that they are working > > securely before filling out the form. But you can still achieve this goal > > without resorting to redirects. > > > > Of course doing it the "right" way requires that you use the sslext link > and > > form tags all over the place (any time the request could change ports), > > which can be hard to remember sometimes if you are used to the Struts > > versions. The sslext versions aren't any harder to use (just a few > > additional optional attributes); it's just remembering to use them in the > > first place that can be problematic. For this reason, I would REALLY like > to > > see sslext integrated into the Struts core. The only effect on users would > > be that they could now specify that an action (mapping) is to be secure, > > which is just how it should work. > > > > Holy crap, that turned into a bit of a rant. :-) Well, I hope you find the > > solution to your problem in there somewhere, and that perhaps some of this > > additional info is useful to you or other list members. > > > > -Max > > > > > > ----- Original Message ----- > > From: "Stephane Grenier" <[EMAIL PROTECTED]> > > To: "Struts Users Mailing List" <[EMAIL PROTECTED]> > > Sent: Friday, September 12, 2003 11:06 AM > > Subject: sslext can only get it to post > > > > > > Hello all. > > > > I've added sslext to my struts application. However I can't seem to get it > > to post (the parameters are appended to the url). In the jsp, the form tag > > is: > > > > <sslext:form action="ShoppingCartAction" name="ShoppingCartForm" > > type="com.rana.release.forms.ShoppingCartForm" scope="request" > > method="POST"> > > > > So as far as I can tell it should be a post. If I change the tabs from > > sslext to html then it puts the action in the url > > (http://localhost:8080/ShoppingCartAction.do). If I put the sslext it puts > > the jsp, the session id, and all the parameters. > > > > Thank you, > > Stephane > > > > > > > > > > > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]