Thanks for the reply Adam.
I'll address your tips one by one.

>> I don't use the sslext form tags. I don't mention sslext anywhere in my
>> code or my JSP. It's purely a configuration thing.

Ok, this I did differently. I followed the examples downloaded with sslext
and used

<sslext:form ... instead of <html:form >

Now the weird thing is - I changed this back to <html:form> to try to do
what you do, but now it doesn't even use ssl at all!

If I change back to sslext, it uses ssl but never switches back to plain
http.

>> Are you setting up the SecurePlugin in struts-config?

Yes.

>> Also are you sure that you are not specifying in the web.xml that the page
>> should be protected by SSL?

Yes.


>> Do you have the latest version of sslext? They brought out 1.10-3
>> recently.

Yes, that's the version I have.

>> Are you sure there are no exceptions buried in your logs anywhere?

Checked that, everything looks ok

>> I don't follow your hotmail example either. Are you talking about
>> container-managed logins or roll-your-own?

Login or some other action, it doesn't matter. I used the hotmail example
because it allows you to call an action over https, but the resulting
html page gets displayed over http. This is because the flow of hotmail is

login page (over http) --> run login action (over https) --> display my
account.html page (over http again). So it switches back out of ssl for
the result of the action.

Now if I've understood what you have said to me correctly, this couldn't
happen with sslext. Because we would have to invoke a second action
which had the parameter

        <set-property property="secure" value="false"/>

in order to get out of ssl after invoking any secure action.

Hope you understood this, 
And thanks very much for all your help,
Brian




-----Original Message-----
From: Adam Hardy [mailto:[EMAIL PROTECTED] 
Sent: 20 October 2003 11:43
To: Struts Users Mailing List
Subject: Re: Help setting up sslext



Hi Brian,
I don't use the sslext form tags. I don't mention sslext anywhere in my 
code or my JSP. It's purely a configuration thing.

Are you setting up the SecurePlugin in struts-config?

Also are you sure that you are not specifying in the web.xml that the page 
should be protected by SSL?

Do you have the latest version of sslext? They brought out 1.10-3
recently.

Are you sure there are no exceptions buried in your logs anywhere?

I don't follow your hotmail example either. Are you talking about 
container-managed logins or roll-your-own?


Adam

On 10/20/2003 12:41 PM Brian McSweeney wrote:
> It still isn't switching back to http for other actions when 
> I specify 
> 
>       <set-property property="secure" value="false"/>
> 
> Perhaps I have to replace all <html:form tags with 
> 
> <sslext:form tags even when 
> 
>       <set-property property="secure" value="false"/>
> 
> At any rate, it doesn't seem to work the way I thought it would.
> For example, if you log into hotmail, it sends the username and 
> password over ssl, and then switches back to http for the resulting 
> pages. This it would seem is impossible to do with sslext because 
> in order to switch back to http, you must call another action which 
> has:
> 
>       <set-property property="secure" value="false"/>
> 
> Correct me if I'm wrong with any of this.
> 
> Thanks for all the help,
> Brian
> 
> 
> -----Original Message-----
> From: Adam Hardy [mailto:[EMAIL PROTECTED] 
> Sent: 18 October 2003 09:29
> To: Struts Users Mailing List
> Subject: Re: Help setting up sslext
> 
> The only time the protocol switches automatically (read: tomcat switches
> it automatically) is when you specify SSL in the web.xml for a URL.
> 
> To get it to switch back from SSL into unencrypted, putting
> 
> <set-property property="secure" value="false"/>
> 
> in the action mapping is necessary.
> 
> HTH
> Adam
> 
> On 10/17/2003 04:53 PM Brian McSweeney wrote:
> 
>>I've put in the change in the action-mappings in the
>>struts-config.xml file
>>
>><action-mappings type="org.apache.struts.config.SecureActionConfig">
>>
>>but the problem is, ssl doesn't seem to be switching at all. The
>>action runs in https when I say it should, but all other actions then
>>continue to run in https. I was under the impression that they'd
>>switch back to normal http. Is this not correct?
>>
>>-----Original Message----- From: Adam Hardy
>>On 10/16/2003 05:13 PM Brian McSweeney wrote:
>>
>>>a) Change the action-mappings in the struts-config.xml file
>>><action-mappings type="org.apache.struts.config.SecureActionConfig">
>>>
>>>b) Change the web.xml file as follows:
>>><servlet-name>action</servlet-name>
>>><servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
>>><!-- Struts Config -->
>>><init-param>
>>>  <param-name>config</param-name>
>>>  <param-value>/WEB-INF/struts-config.xml</param-value>
>>></init-param>
>>><init-param>
>>>  <param-name>mapping</param-name>
>>>  <param-value>org.apache.struts.action.SecureActionMapping</param-value>
>>></init-param>
>>>
>>>could someone tell me if either of these steps are necessary, or
>>>what else is necessary?
>>
>>Hi Brian, your (a) is definitely necessary to enable this:
>>
>><action path="/staticjavascriptssl"
>>        forward="/WEB-INF/general/staticjavascript.jsp">
>>  <set-property property="secure" value="true"/>
>></action>
>>
>>I have not used, or heard of before, your (b). Perhaps it has the
>>same effect as (a).


-- 
--
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
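
The two-action arrangement discussed in this thread (a secure login action followed by a second action marked `secure="false"`), written out as a struts-config.xml sketch. This is an added example, not configuration posted by anyone in the thread. The action paths, the `com.example.LoginAction` class, the JSP locations and the port numbers are hypothetical, and the `SecureRequestProcessor` and `SecurePlugIn` class names and plug-in property names are assumptions to be checked against the sslext release in use.

```xml
<!-- Added example, not from the thread. Paths, classes and ports are
     hypothetical; SecureRequestProcessor / SecurePlugIn and their property
     names are assumed from the sslext distribution, so verify them.
     form-beans and other sections are omitted. -->
<struts-config>
  <action-mappings type="org.apache.struts.config.SecureActionConfig">

    <!-- Login page: served over plain http. -->
    <action path="/loginPage" forward="/WEB-INF/login.jsp">
      <set-property property="secure" value="false"/>
    </action>

    <!-- Credentials are submitted here, so this mapping requires https. -->
    <action path="/login" type="com.example.LoginAction">
      <set-property property="secure" value="true"/>
      <!-- Redirect rather than a server-side forward: the browser makes a
           second request, which is then matched against /account below. -->
      <forward name="success" path="/account.do" redirect="true"/>
    </action>

    <!-- The second action: its secure=false setting is what moves the
         browser back to http after the secure login action. -->
    <action path="/account" forward="/WEB-INF/account.jsp">
      <set-property property="secure" value="false"/>
    </action>
  </action-mappings>

  <controller processorClass="org.apache.struts.action.SecureRequestProcessor"/>

  <plug-in className="org.apache.struts.action.SecurePlugIn">
    <set-property property="httpPort" value="8080"/>
    <set-property property="httpsPort" value="8443"/>
    <set-property property="enable" value="true"/>
  </plug-in>
</struts-config>
```

Whether the login form posts straight to https depends on the URL the form tag renders, which is the `<sslext:form>` versus `<html:form>` difference raised in the thread.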

