Hi Paweł,

I tried all the way in a secure way.
I implemented SSL and now my Tomcat is running on port 8443 using the HTTPS protocol.
I have created a custom interceptor for setting the header values when the user clicks the log off button.
This custom interceptor is working and setting the header values. Below is the code I am using:

    ActionContext context = invocation.getInvocationContext();
    HttpServletResponse response = (HttpServletResponse) context.get(StrutsStatics.HTTP_RESPONSE);
    if (response != null) {
        System.out.println("**********setting header**************");
        response.setHeader("Cache-Control", "must-revalidate");
        response.setHeader("Cache-Control", "max-age=0");
        response.setHeader("Pragma", "no-cache"); //HTTP 1.1
        response.setDateHeader("Expires", 0); //prevents caching at the proxy
        response.setHeader("Cache-Control", "no-store"); //HTTP 1.1
    }

and on my logout message I have something like this:

    <META content="MSHTML 6.00.2900.2180" name=GENERATOR>
    <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
    <META HTTP-EQUIV="EXPIRES" CONTENT="-1">
    <META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">

but still the results are the same: I can go back to the secure page using the browser back button.
Any idea why this is going on? Or do I need to set anything apart from this?

-shekher

On Fri, Jan 23, 2009 at 9:06 PM, shekher awasthi <shekher.awas...@gmail.com> wrote:

> Can you guide me on how to use SSL in Struts2? I am looking into this.
>
> The IDE I am using is MyEclipse
>
> and I am testing it using Tomcat.
>
> On Fri, Jan 23, 2009 at 7:33 PM, Paweł Wielgus <poulw...@gmail.com> wrote:
>
>> Hi Shekher,
>> all my testing was under SSL connection. So without pragma and cache
>> control it's not working - sadly.
>>
>> Best greetings,
>> Paweł Wielgus.
>>
>> 2009/1/22 shekher awasthi <shekher.awas...@gmail.com>:
>> > Hi Paweł,
>> >
>> > another way we can do this is by using SSL;
>> > as we are dealing in a secure zone, using SSL for this might be a good case.
>> >
>> > The applications I have seen so far that have dealt with this back/forward
>> > button always use the HTTPS protocol.
>> >
>> > I am also diving into this case study and will share the results.
>> >
>> >
>> > On 1/22/09, shekher awasthi <shekher.awas...@gmail.com> wrote:
>> >>
>> >> One of the banking application sites which I tested today:
>> >>
>> >> when the user gets logged off and tries to hit the back button he will be
>> >> shown a different page
>> >> instead of the one in the cache,
>> >> so I am also looking into this aspect.
>> >>
>> >>
>> >> On 1/22/09, shekher awasthi <shekher.awas...@gmail.com> wrote:
>> >>>
>> >>> Using JavaScript is not a sure-shot solution,
>> >>> as I tested it thoroughly and JavaScript behaviour is not consistent
>> >>> throughout.
>> >>>
>> >>> Regarding setting the header, I did this: I developed a custom interceptor which
>> >>> is doing this,
>> >>>
>> >>> but again it has not worked as expected.
>> >>> I am still clueless how online banking applications are doing this trick.
>> >>>
>> >>> I am still in R&D mode for this; if I find anything I will share it.
>> >>>
>> >>>
>> >>> On 1/22/09, Paweł Wielgus <poulw...@gmail.com> wrote:
>> >>>>
>> >>>> Hi Ehtesham,
>> >>>> it was said before on this thread that the user can simply turn off
>> >>>> JavaScript whenever he wants,
>> >>>> that's why I was looking for a more server-controlled solution. But thank
>> >>>> You for pointing it out, You made me add it to my blog post.
>> >>>>
>> >>>> Best greetings,
>> >>>> Paweł Wielgus.
>> >>>>
>> >>>> 2009/1/22 Ehteshamul Haque <ehsho...@yahoo.com>:
>> >>>> >
>> >>>> > Hi,
>> >>>> >
>> >>>> > I am not that much of an expert. I used the following JavaScript code before
>> >>>> > in each page and it worked fine.
>> >>>> >
>> >>>> > <script language="JavaScript">
>> >>>> > var x=window.history.length;
>> >>>> > if (window.history[x]!=window.location)
>> >>>> > {
>> >>>> >     window.history.forward();
>> >>>> > }
>> >>>> > </script>
>> >>>> >
>> >>>> > If it works for you I will be very happy.
>> >>>> >
>> >>>> > Thank you.
>> >>>> >
>> >>>> > -Ehtesham
>> >>>> >
>> >>>> >
>> >>>> > --- On Thu, 1/22/09, Paweł Wielgus <poulw...@gmail.com> wrote:
>> >>>> >
>> >>>> > From: Paweł Wielgus <poulw...@gmail.com>
>> >>>> > Subject: Re: Handling Browser Back/Forward Button in Struts2
>> >>>> > To: "Struts Users Mailing List" <user@struts.apache.org>
>> >>>> > Date: Thursday, January 22, 2009, 12:34 AM
>> >>>> >
>> >>>> > Hi Shekher,
>> >>>> > it was a very interesting subject, so I dug a little more.
>> >>>> > Here [1] is what I found, with some tests.
>> >>>> > Basically it turns out that You should add headers in the page and to the
>> >>>> > response.
>> >>>> >
>> >>>> > [1] - http://poulwiel.blogspot.com/2009/01/browser-back-button-and-caching-problem.html
>> >>>> >
>> >>>> > Best greetings,
>> >>>> > Paweł Wielgus.
>> >>>> >
>> >>>> > 2009/1/21 shekher awasthi <shekher.awas...@gmail.com>:
>> >>>> >> Is it possible that I should only put these headers in the logout
>> >>>> >> action
>> >>>> >>
>> >>>> >> where I am removing the session and then redirecting the user to the index page,
>> >>>> >> something like this
>> >>>> >>
>> >>>> >> HttpServletResponse response=null;
>> >>>> >> response=ServletActionContext.getResponse();
>> >>>> >>
>> >>>> >> response.setHeader("Pragma", "no-cache");
>> >>>> >> response.setHeader("Cache-Control", "no-cache");
>> >>>> >> response.setHeader("Expires", "0");
>> >>>> >>
>> >>>> >> or can we create an interceptor which can do this for all the requests where
>> >>>> >> we want this feature?
>> >>>> >>
>> >>>> >> 2009/1/21 shekher awasthi <shekher.awas...@gmail.com>
>> >>>> >>
>> >>>> >>> I tried setting the header values but they are not working as expected;
>> >>>> >>> I can even
>> >>>> >>>
>> >>>> >>> go and move back using the browser back button.
>> >>>> >>>
>> >>>> >>> If I find anything helpful I will share it with you,
>> >>>> >>> till then hard luck
>> >>>> >>> :)
>> >>>> >>>
>> >>>> >>> 2009/1/21 Paweł Wielgus <poulw...@gmail.com>
>> >>>> >>>
>> >>>> >>>> Hi Shekher,
>> >>>> >>>> what I meant is that it can be done from the server side.
>> >>>> >>>> Check for example Your e-banking application, I did it on mine :-).
>> >>>> >>>> There, when You press the back button the browser won't serve You a cached page
>> >>>> >>>> but asks the server for a fresh one - this is controlled with content-cache
>> >>>> >>>> and pragma, but I can't be more helpful to You here because I haven't
>> >>>> >>>> done it before.
>> >>>> >>>>
>> >>>> >>>> Best greetings,
>> >>>> >>>> Paweł Wielgus.
>> >>>> >>>>
>> >>>> >>>>
>> >>>> >>>> 2009/1/21 shekher awasthi <shekher.awas...@gmail.com>:
>> >>>> >>>> > Hi Paweł,
>> >>>> >>>> >
>> >>>> >>>> > that's true, it only sends a request to the server if I refresh the page, and
>> >>>> >>>> > for that I already have a custom interceptor in place which is checking the user
>> >>>> >>>> > object in the session in order to confirm that the request is from an authorized
>> >>>> >>>> > user,
>> >>>> >>>> >
>> >>>> >>>> > but when I make use of the back button it serves the page from the local
>> >>>> >>>> > cache, so the problem is related to the client side more than to server
>> >>>> >>>> > handling.
>> >>>> >>>> >
>> >>>> >>>> > Still trying to find a firm solution for it.
>> >>>> >>>> >
>> >>>> >>>> > 2009/1/20 Paweł Wielgus <poulw...@gmail.com>
>> >>>> >>>> >
>> >>>> >>>> >> Hi Shekher,
>> >>>> >>>> >> first try this scenario:
>> >>>> >>>> >> 1. logout user
>> >>>> >>>> >> 2. back button - check for logs if action was fired
>> >>>> >>>> >> 3. refresh page - check for logs if action was fired
>> >>>> >>>> >> Most likely only the 3. will fire the action because the browser will serve
>> >>>> >>>> >> a cached version of that page.
>> >>>> >>>> >> I was about to write that to deal with it You can use the https scheme,
>> >>>> >>>> >> but I just got it checked and it's not true. So maybe using pragma and
>> >>>> >>>> >> or cache-control will do?
>> >>>> >>>> >>
>> >>>> >>>> >> Still the user can disable JavaScript so a solution with script might not work.
>> >>>> >>>> >> If You find out anything more please let us know.
>> >>>> >>>> >>
>> >>>> >>>> >> Best greetings,
>> >>>> >>>> >> Paweł Wielgus.
>> >>>> >>>> >>
>> >>>> >>>> >>
>> >>>> >>>> >> 2009/1/20 Robert Graf-Waczenski <r...@lsoft.com>:
>> >>>> >>>> >> > You don't write if the browser back button is supposed to be functional in
>> >>>> >>>> >> > your application (in many cases it is not, but YMMV).
>> >>>> >>>> >> >
>> >>>> >>>> >> > If you want to disable the browser back button, use the code below in all
>> >>>> >>>> >> > your pages:
>> >>>> >>>> >> >
>> >>>> >>>> >> > <script type="text/javascript">
>> >>>> >>>> >> > history.forward();
>> >>>> >>>> >> > </script>
>> >>>> >>>> >> >
>> >>>> >>>> >> > I'm not aware of any feature in Struts2 that deals with the browser back
>> >>>> >>>> >> > button.
>> >>>> >>>> >> >
>> >>>> >>>> >> > Robert
>> >>>> >>>> >> >
>> >>>> >>>> >> >
>> >>>> >>>> >> > shekher awasthi wrote:
>> >>>> >>>> >> >>
>> >>>> >>>> >> >> Hi All,
>> >>>> >>>> >> >>
>> >>>> >>>> >> >> In the process of developing an application using Struts 2.0.11, I came
>> >>>> >>>> >> >> across
>> >>>> >>>> >> >> the problem of handling the browser back/forward button.
>> >>>> >>>> >> >>
>> >>>> >>>> >> >> This problem occurs when we log out the user. On clicking the
>> >>>> >>>> >> >> logout button we are currently removing the user from the session
>> >>>> >>>> >> >>
>> >>>> >>>> >> >> and it worked fine for us. After the successful logout process the user will
>> >>>> >>>> >> >> be
>> >>>> >>>> >> >> redirected to the index page (which has the login field),
>> >>>> >>>> >> >>
>> >>>> >>>> >> >> but when the user hits the browser back button he finds himself back in
>> >>>> >>>> >> >> the secure page even though we have removed the user object from the session.
>> >>>> >>>> >> >>
>> >>>> >>>> >> >> Below is the code we are using for removing the user:
>> >>>> >>>> >> >>
>> >>>> >>>> >> >> session.remove(BSConstant.USER);
>> >>>> >>>> >> >>
>> >>>> >>>> >> >> I am clueless where we are going wrong, as we think we are having two
>> >>>> >>>> >> >> points:
>> >>>> >>>> >> >>
>> >>>> >>>> >> >> 1) Either the user is not getting removed from the session, but the chances
>> >>>> >>>> >> >> are very low, as for all other calls after logout it is forcing the user to
>> >>>> >>>> >> >> login first.
>> >>>> >>>> >> >>
>> >>>> >>>> >> >> 2) Back button handling is not there.
>> >>>> >>>> >> >>
>> >>>> >>>> >> >> My question is: is there any way in Struts2 to handle the browser back/forward
>> >>>> >>>> >> >> button or do I need to use some other technique like
>> >>>> >>>> >> >>
>> >>>> >>>> >> >> setting a response header?
>> >>>> >>>> >> >>
>> >>>> >>>> >> >> Any suggestion in this regard will be much appreciated.
>> >>>> >>>> >> >>
>> >>>> >>>> >> >> -s
>> >>>> >>>> >> >>
>> >>>> >>>> >> >
>> >>>> >>>> >> > ---------------------------------------------------------------------
>> >>>> >>>> >> > To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
>> >>>> >>>> >> > For additional commands, e-mail: user-h...@struts.apache.org
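
An added example, not part of the thread and not code from Struts or from any participant: a Struts2 interceptor that marks every response passing through it as non-cacheable, for use on the stack of the secure actions rather than only on the logout action, because the back button redisplays a page under the caching policy that page was served with. The class name `NoCacheInterceptor` is hypothetical; the Cache-Control directives are combined into one call because `setHeader` replaces an earlier value of the same header, so the three separate calls in the top message leave only `no-store` on the response.

```java
import javax.servlet.http.HttpServletResponse;

import org.apache.struts2.ServletActionContext;

import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/**
 * Added example (hypothetical class name, not from the thread).
 * Reference it from the interceptor stack of every action that renders a
 * page behind the login, so each of those pages is delivered as
 * non-cacheable from the start. Headers sent with the logout response
 * apply to the logout response only.
 */
public class NoCacheInterceptor extends AbstractInterceptor {

    private static final long serialVersionUID = 1L;

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletResponse response = ServletActionContext.getResponse();
        if (response != null) {
            // One call carrying all directives: a second
            // setHeader("Cache-Control", ...) would overwrite this value.
            response.setHeader("Cache-Control",
                    "no-store, no-cache, must-revalidate, max-age=0");
            // Pragma is the HTTP/1.0 counterpart, kept for old caches.
            response.setHeader("Pragma", "no-cache");
            // A date in the past marks the page as already expired.
            response.setDateHeader("Expires", 0);
        }
        // Set the headers before invoke(): the result is rendered inside
        // invoke(), and headers added after the response is committed
        // are ignored by the container.
        return invocation.invoke();
    }
}
```

With the secure pages no longer served from the browser's cache, a back-button press after logout becomes a real request, which the existing session-check interceptor mentioned in the thread can reject.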