Hi Paweł,

I tried all the way in a secure way.

I implemented SSL and now my Tomcat is running on port 8443 using the https protocol.
I have created a custom interceptor for setting the header values.

When the user clicks the log off button, this custom interceptor is working, setting
the header values. Below is the code I am using:

    // inside the interceptor's intercept(ActionInvocation invocation) method
    ActionContext context = invocation.getInvocationContext();
    HttpServletResponse response =
            (HttpServletResponse) context.get(StrutsStatics.HTTP_RESPONSE);
    if (response != null) {
        System.out.println("**********setting header**************");
        // One combined value: each setHeader() call with the same name
        // replaces the previous one, so separate calls send only the last.
        response.setHeader("Cache-Control",
                "no-store, must-revalidate, max-age=0"); // HTTP 1.1
        response.setHeader("Pragma", "no-cache");        // HTTP 1.0
        response.setDateHeader("Expires", 0); // prevents caching at the proxy
    }

and on my logout message I have something like this

<META content="MSHTML 6.00.2900.2180" name=GENERATOR>
<META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
<META HTTP-EQUIV="EXPIRES" CONTENT="-1">
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">

But still the results are the same:
I can go back to the secure page using the browser back button.
Any idea why this is going on??

Or do I need to set anything apart from this?

-shekher

On Fri, Jan 23, 2009 at 9:06 PM, shekher awasthi <shekher.awas...@gmail.com> wrote:

> Can you guide me on how to use SSL in Struts2? I am looking into this.
>
> The IDE I am using is MyEclipse
>
> and I am testing it using Tomcat.
>
> On Fri, Jan 23, 2009 at 7:33 PM, Paweł Wielgus <poulw...@gmail.com> wrote:
>
>> Hi Shekher,
>> all my testing was under SSL connection. So without pragma and cache
>> control it's not working - sadly.
>>
>> Best greetings,
>> Paweł Wielgus.
>>
>> 2009/1/22 shekher awasthi <shekher.awas...@gmail.com>:
>>  > Hi Paweł,
>> >
>> > Another way we can do this is by using SSL.
>> > As we are dealing in a secure zone, using SSL for this might be a good case.
>> >
>> > The applications I have seen so far that have dealt with this back/forward
>> > button always use the HTTPS protocol.
>> >
>> > I am also diving into this case study and will share the results.
>> >
>> >
>> > On 1/22/09, shekher awasthi <shekher.awas...@gmail.com> wrote:
>> >>
>> >> One of the banking application sites which I tested today:
>> >>
>> >> when the user gets logged off and tries to hit the back button, he will be
>> >> shown a different page
>> >> instead of the one in the cache,
>> >> so I am also looking into this aspect.
>> >>
>> >>
>> >>  On 1/22/09, shekher awasthi <shekher.awas...@gmail.com> wrote:
>> >>>
>> >>> Using javascript is not a sure shot solution,
>> >>> as I tested it thoroughly and javascript behaviour is not consistent
>> >>> throughout.
>> >>>
>> >>> Regarding setting the header, I did this: I developed a custom interceptor which
>> >>> is doing this,
>> >>>
>> >>> but again it did not work as expected.
>> >>> I am still clueless how online banking applications are doing this trick.
>> >>>
>> >>> I am still in R&D mode for this; if I find anything I will share it.
>> >>>
>> >>>
>> >>>  On 1/22/09, Paweł Wielgus <poulw...@gmail.com> wrote:
>> >>>>
>> >>>> Hi Ehtesham,
>> >>>> it was said before on this thread that the user can simply turn off
>> >>>> javascript whenever he wants,
>> >>>> that's why I was looking for a more server-controlled solution. But thank
>> >>>> You for pointing it out, You made me add it to my blog post.
>> >>>>
>> >>>> Best greetings,
>> >>>> Paweł Wielgus.
>> >>>>
>> >>>> 2009/1/22 Ehteshamul Haque <ehsho...@yahoo.com>:
>> >>>> >
>> >>>> >
>> >>>> >
>> >>>> > Hi,
>> >>>> >
>> >>>> > I am not that much of an expert. I used the following javascript code before
>> >>>> > in each page and it worked fine.
>> >>>> >
>> >>>> >
>> >>>> > <script language="JavaScript">
>> >>>> > var x=window.history.length;
>> >>>> > if (window.history[x]!=window.location)
>> >>>> > {
>> >>>> >     window.history.forward();
>> >>>> > }
>> >>>> > </script>
>> >>>> >
>> >>>> > If it works for you I will be very happy.
>> >>>> >
>> >>>> > Thank you.
>> >>>> >
>> >>>> > -Ehtesham
>> >>>> >
>> >>>> >
>> >>>> > --- On Thu, 1/22/09, Paweł Wielgus <poulw...@gmail.com> wrote:
>> >>>> >
>> >>>> > From: Paweł Wielgus <poulw...@gmail.com>
>> >>>> > Subject: Re: Handling Browser Back/Forward Button in Struts2
>> >>>> > To: "Struts Users Mailing List" <user@struts.apache.org>
>> >>>> > Date: Thursday, January 22, 2009, 12:34 AM
>> >>>> >
>> >>>> > Hi Shekher,
>> >>>> > it was a very interesting subject, so I dug a little more.
>> >>>> > Here [1] is what I found, with some tests.
>> >>>> > Basically it turns out that You should add headers in the page and to the response.
>> >>>> >
>> >>>> > [1] - http://poulwiel.blogspot.com/2009/01/browser-back-button-and-caching-problem.html
>> >>>> >
>> >>>> > Best greetings,
>> >>>> > Paweł Wielgus.
>> >>>> >
>> >>>> > 2009/1/21 shekher awasthi <shekher.awas...@gmail.com>:
>> >>>> >> Is it possible that I should only put these headers in the logout
>> >>>> >> action,
>> >>>> >>
>> >>>> >> where I am removing the session and then redirecting the user to the index page,
>> >>>> >> something like this
>> >>>> >>
>> >>>> >> HttpServletResponse response=null;
>> >>>> >>         response=ServletActionContext.getResponse();
>> >>>> >>
>> >>>> >>             response.setHeader("Pragma", "no-cache");
>> >>>> >>             response.setHeader("Cache-Control", "no-cache");
>> >>>> >>             response.setHeader("Expires", "0");
>> >>>> >>
>> >>>> >> or can we create an interceptor which can do this for all the requests where
>> >>>> >> we want this feature??
>> >>>> >>
>> >>>> >> 2009/1/21 shekher awasthi <shekher.awas...@gmail.com>
>> >>>> >>
>> >>>> >>> I tried setting the header values but they are not working as expected;
>> >>>> >>> I can even
>> >>>> >>>
>> >>>> >>> go and move back using the browser back button.
>> >>>> >>>
>> >>>> >>> If I find anything helpful I will share it with you,
>> >>>> >>> till then hard luck
>> >>>> >>> :)
>> >>>> >>>
>> >>>> >>> 2009/1/21 Paweł Wielgus <poulw...@gmail.com>
>> >>>> >>>
>> >>>> >>>> Hi Shekher,
>> >>>> >>>> what I meant is that it can be done from the server side.
>> >>>> >>>> Check for example Your e-banking application, I did it on mine :-).
>> >>>> >>>> There, when You press the back button the browser won't serve You a cached page
>> >>>> >>>> but ask the server for a fresh one - this is controlled with content-cache
>> >>>> >>>> and pragma, but I can't be more helpful to You here because I haven't
>> >>>> >>>> done it before.
>> >>>> >>>>
>> >>>> >>>> Best greetings,
>> >>>> >>>> Paweł Wielgus.
>> >>>> >>>>
>> >>>> >>>>
>> >>>> >>>> 2009/1/21 shekher awasthi <shekher.awas...@gmail.com>:
>> >>>> >>>>  > Hi Paweł,
>> >>>> >>>> >
>> >>>> >>>> > That's true, it only sends a request to the server if I refresh the page, and
>> >>>> >>>> > for that I already have a custom interceptor in place which is checking the user
>> >>>> >>>> > object in session in order to confirm that the request is from an authorized
>> >>>> >>>> > user.
>> >>>> >>>> >
>> >>>> >>>> > But when I make use of the back button it serves the page from the local
>> >>>> >>>> > cache, so the problem is related to the client side more than to server
>> >>>> >>>> > handling.
>> >>>> >>>> >
>> >>>> >>>> > Still trying to find a firm solution for it.
>> >>>> >>>> >
>> >>>> >>>> > 2009/1/20 Paweł Wielgus <poulw...@gmail.com>
>> >>>> >>>> >
>> >>>> >>>> >> Hi Shekher,
>> >>>> >>>> >> first try this scenario:
>> >>>> >>>> >> 1. logout user
>> >>>> >>>> >> 2. back button - check for logs if action was fired
>> >>>> >>>> >> 3. refresh page - check for logs if action was fired
>> >>>> >>>> >> Most likely only the 3. will fire action because browser will serve
>> >>>> >>>> >> cached version of that page.
>> >>>> >>>> >> I was about to write that to deal with it You can use https scheme,
>> >>>> >>>> >> but i just got it checked and it's not true. So maybe using pragma and
>> >>>> >>>> >> or cache-control will do?
>> >>>> >>>> >>
>> >>>> >>>> >> Still user can disable javascript so solution with script might not work.
>> >>>> >>>> >> If You find out anything more please let us know.
>> >>>> >>>> >>
>> >>>> >>>> >> Best greetings,
>> >>>> >>>> >> Paweł Wielgus.
>> >>>> >>>> >>
>> >>>> >>>> >>
>> >>>> >>>> >> 2009/1/20 Robert Graf-Waczenski <r...@lsoft.com>:
>> >>>> >>>> >> > You don't write if the browser back button is supposed to be functional in
>> >>>> >>>> >> > your application (in many cases it is not, but YMMV).
>> >>>> >>>> >> >
>> >>>> >>>> >> > If you want to disable the browser back button, use the code below in all
>> >>>> >>>> >> > your pages:
>> >>>> >>>> >> >
>> >>>> >>>> >> > <script type="text/javascript">
>> >>>> >>>> >> > history.forward();
>> >>>> >>>> >> > </script>
>> >>>> >>>> >> >
>> >>>> >>>> >> > I'm not aware of any feature in Struts2 that deals with the browser back
>> >>>> >>>> >> > button.
>> >>>> >>>> >> >
>> >>>> >>>> >> > Robert
>> >>>> >>>> >> >
>> >>>> >>>> >> >
>> >>>> >>>> >> > shekher awasthi wrote:
>> >>>> >>>> >> >>
>> >>>> >>>> >> >> Hi All,
>> >>>> >>>> >> >>
>> >>>> >>>> >> >> In the process of developing an application using Struts 2.0.11, I came across
>> >>>> >>>> >> >> the problem of handling the browser back/forward button.
>> >>>> >>>> >> >>
>> >>>> >>>> >> >> This problem occurs when we log out the user. On clicking the
>> >>>> >>>> >> >> logout button we are currently removing the user from the session
>> >>>> >>>> >> >>
>> >>>> >>>> >> >> and it worked fine for us. After the successful logout process the user will be
>> >>>> >>>> >> >> redirected to the index page (which has the login field),
>> >>>> >>>> >> >>
>> >>>> >>>> >> >> but when the user hits the browser back button he gets himself back in
>> >>>> >>>> >> >> the secure page even though we have removed the user object from the session.
>> >>>> >>>> >> >>
>> >>>> >>>> >> >> Below is the code we are using for removing the user:
>> >>>> >>>> >> >>
>> >>>> >>>> >> >> session.remove(BSConstant.USER);
>> >>>> >>>> >> >>
>> >>>> >>>> >> >> I am clueless about where we are going wrong; we think we have two
>> >>>> >>>> >> >> points:
>> >>>> >>>> >> >>
>> >>>> >>>> >> >> 1) Either the user is not getting removed from the session, but the chances
>> >>>> >>>> >> >> are very low, as for all other calls after logout it is forcing the user to
>> >>>> >>>> >> >> log in first.
>> >>>> >>>> >> >>
>> >>>> >>>> >> >> 2) Back button handling is not there
>> >>>> >>>> >> >>
>> >>>> >>>> >> >> My question is: is there any way in Struts2 to handle the browser back/forward
>> >>>> >>>> >> >> button, or do I need to use some other technique like
>> >>>> >>>> >> >>
>> >>>> >>>> >> >> setting response headers?
>> >>>> >>>> >> >>
>> >>>> >>>> >> >> Any suggestion in this regard will be much appreciated.
>> >>>> >>>> >> >>
>> >>>> >>>> >> >> -s
>> >>>> >>>> >> >>
>> >>>> >>>> >> >>
>> >>>> >>>> >> >
>> >>>> >>>> >> >
>> >>>> >>>> >> >
>> >>>> >>>> >> > ---------------------------------------------------------------------
>> >>>> >>>> >> > To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
>> >>>> >>>> >> > For additional commands, e-mail: user-h...@struts.apache.org
>> >>>> >>>> >> >
>> >>>> >>>> >> >
>
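
Added example, not part of the original thread or of Struts itself: an interceptor that puts the anti-caching headers on every secured response instead of only on the logout response, because the copy the Back button shows was stored when the secure page was first served. The package, class name, session key "user" and stack name are assumptions, and a global result named "login" is assumed to exist.

```java
package example; // hypothetical package

import java.util.Map;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts2.ServletActionContext;
import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/*
 * Added example; names are hypothetical. Register it ahead of defaultStack
 * for the secured package in struts.xml:
 *
 *   <interceptor name="secureNoCache" class="example.SecureNoCacheInterceptor"/>
 *   <interceptor-stack name="secureStack">
 *     <interceptor-ref name="secureNoCache"/>
 *     <interceptor-ref name="defaultStack"/>
 *   </interceptor-stack>
 */
public class SecureNoCacheInterceptor extends AbstractInterceptor {

    private static final long serialVersionUID = 1L;
    private static final String USER_KEY = "user"; // assumed session attribute

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletResponse response = ServletActionContext.getResponse();
        if (response != null) {
            // One combined value: a second setHeader() with the same name
            // replaces the first, so separate calls would send only the last.
            response.setHeader("Cache-Control",
                    "no-cache, no-store, must-revalidate, max-age=0");
            response.setHeader("Pragma", "no-cache"); // HTTP/1.0 caches
            response.setDateHeader("Expires", 0);     // already expired
        }
        // A browser that honours no-store has no copy to show on Back, so it
        // re-requests the page; after logout that request arrives here without
        // the user object and gets the login result instead of the secure page.
        Map<?, ?> session = invocation.getInvocationContext().getSession();
        if (session == null || session.get(USER_KEY) == null) {
            return Action.LOGIN;
        }
        // Headers are set before the result is rendered, i.e. before the
        // response is committed.
        return invocation.invoke();
    }
}
```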
