struts-user mailing list archives

From "Anastasios Patrikis" <Anastasios.Patri...@prodyna.de>
Subject [S2] Using SSL, HTTP, HTTPS and invoking Action classes
Date Wed, 23 Jul 2008 10:20:13 GMT
Hi,

I have a problem in switching my application context from http to https and
back again.
Because I am new to Struts I am not sure if I use the framework the
right way, so any help or hint is greatly appreciated.

Here is the task: I have some pages in my application which are
available via http. There is a step in which the user is requested to
enter some personal data, and the user can create an account. This page
should be secured using SSL on a https site. Later on, the user should
be redirected back to http.


First problem: I do not know if the setup for using SSL is "the Struts
way" because it is quite hard to find information on how to use SSL and
Struts.
However, this is how I configured the application.

- in web.xml I added the action which causes the switch from http to
https:
<security-constraint>
	<web-resource-collection>
		<!-- login -->
		<url-pattern>/Login.action</url-pattern>
	</web-resource-collection>
	<user-data-constraint>
		<transport-guarantee>CONFIDENTIAL</transport-guarantee>
	</user-data-constraint>
</security-constraint>

- in struts.xml I have a definition for the action:
<action name="Login" class="com.action.CustomerLoginAction"
method="userLogin">
      <result name="error">/ErrorPage.jsp</result>
      <result>/LoginPage.jsp</result>
</action>

- as all following requests are made in the secured context I wrote a
simple action class for redirecting back to http.

First question is if this is the right way. It seems to be a quite
complicated solution for a common task.


Second problem: without changing into a secure context (no
"security-constraint" in web.xml) I can call my action class and some
properties are set by the framework calling the appropriate "set"
methods. After applying the "security-constraint" in the web.xml file
the "set" methods are not invoked any more.

Second question: is this the behavior by design? How should I set the
necessary properties, by using session variables? I found an article
which describes a problem by using a session variable in combination
with SSL: http://forums.opensymphony.com/thread.jspa?messageID=130588.
Once again I think my solution is too complicated and this task is
supported by the framework without me knowing how to do it a better way.

Best regards,

Anastasios.

