Yes. Once SSL is installed for your container, the Struts custom tags and Action Mappings will automatically insert the correct references so that all the page and image links operate in SSL mode.
[Ted Husted] See
Here are some common configuration mistakes:
Here's a bird's eye overview
1. Install JSSE
2. Create a new keystore for certificate requests, using the template that ships with Java
cp cacerts MY_SERVER.keystore
3. Change the default password
keytool -storepasswd -storepass changeit -new MY_KEYSTORE_PASSWORD -keystore MY_SERVER.keystore
4. Generate a key, specifying an alias to use for this certificate
keytool -genkey -keyalg RSA -alias MY_SERVER_ALIAS -storepass MY_KEYSTORE_PASSWORD -keystore MY_SERVER.keystore
Answer the questions, using your machine's fully-qualified name (www.myserver.com) for "first and last name".
Use the same password for the key (using another password is not implemented).
5. Create a certificate request, based on the key created for the alias (step 2).
keytool -certreq -alias MY_SERVER_ALIAS -storepass MY_KEYSTORE_PASSWORD -keystore MY_SERVER.keystore
Capture the output to a text file (MY_SERVER.crs), being sure to keep a backup copy in a safe place. This is your Certificate Request.
6. Generate a test certificate with Thawte, or another authority, to be sure everything works, and import the certificate returned (MY_SERVER.crt) for this alias
keytool -import -alias MY_SERVER_ALIAS -storepass MY_KEYSTORE_PASSWORD -keystore MY_SERVER.keystore -file MY_SERVER.crt
7. Repeat previous step to obtain a production certificate (unless you are self-signing for intranet use). When you import the production certificate, it will replace the test version.
[Eric Wang] I did a redirect instead of forward in the perform method of Action class.
String url = aMapping.findForward("somepath").getPath();
ActionForward fwd = new ActionForward( url, true );
return fwd;
I still couldn't find a solution on how to switch from let's say http://localhost:myport/myapp/something.jsp to https://localhost:mysecureport/myapp/somethingelsethatneedstobesecure or even thesamepage.jsp while retaining response cloning the content of my sessioncontext ... I am using the urlrewriting-method to manage my sessions. As far as my experience tells me, I get two different sessionIDs for http://localhost:myport/myapp/something.jsp and the corresponding https://localhost:mysecureport/myapp/something.jsp. How can I copy the sessioncontext to the secure side and vice versa?
[Jonathan Asbell]:
1) check to see if you ACTUALLY GET the 2 sessions (if you can get them, do a session.toString() to see that they are not the same session indeed)
2) you should be sending the serialized data from the unsecure session into the secured session: if you are using a non-visual JSP to process, it would go something like this....
a) get the query string and hold it
b) get the data you want from the non-secure session, including the session id, and encode it
c) make a name-value pair for the session stuff and don't forget to encode the value (unsecure_session_contents=thedatayouareholdingfromthesession)
d) add the new name value pair to the query string you are holding
e) forward the whole shebang to the secure url you are going to.
f) on the secure side get the request and put the request.getParameter(unsecure_session_contents) into the new Secure session.
g) do the same for the return trip, but remember when you return you have to try to look up the session with the id you saved. If it's gone, it's because you timed out.
[Ted Husted] I'm using a standalone container, and I find that everything works transparently (only one session) if I resort to hard coding the scheme. Right now, I'm doing this in the Struts-config.
<forward name="standard"
path="http://data.wxxi.org/wxxi-gavel/register/logon.jsp"/>
<forward name="secure"
path="https://data.wxxi.org/wxxi-gavel/register/logon.jsp"/>
which are called with code like this in the action
String url = null;
if (secureMode) {
url = mapping.findForward("secure").getPath();
ActionForward actionForward = new ActionForward(url,true);
return (actionForward);
}
else return (mapping.findForward("standard"));
where I'm tracking "secureMode" as a session attribute.
If they login or register in secure mode, I end the process with a [[BIG LINK ]] that routes them back to the http scheme.
Messy, but it gets me through the day.
I haven't had time to think about it, but it seems to me that we should be able to work this into the custom tags. Struts is very good about automagically converting the links when you switch schemes, so it seems to me we should be able to force the tags to one scheme or the other, when appropriate.
[Martin Cooper] You can collapse your code down to this:
return mapping.findForward(secureMode ? "secure" : "standard");
by adding redirect="true" to your secure forward definition in struts-config.
Speaking of schemes, any advice on the easiest way to flip between http: and https: -- the context being able to offer the option of logging in securely under https:, and then returning to http: afterwards.
[Craig McClanahan] You can calculate an absolute URL for this web app, based on things like request.getServerName(), request.getContextPath(), and so on. So, one way to do this would be to have an action that calculated the new absolute URL, wrapped it in a new ActionForward with the "redirect" property set, and return that to the controller servlet. It looks pretty much like what you quoted in the mail message.
NOTE: Because the controller servlet calls encodeRedirectURL() for you on redirections, sessions should survive across this transfer whether or not you are using cookies.
If you're running on ports other than the default (80 and 443), you will probably also want a configuration parameter to define what the corresponding SSL and non-SSL ports are.
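Added example (not part of the original posts and not Struts code): one way to calculate the absolute URL described above, with the SSL and non-SSL ports as configuration values. Because getServerName() normally reflects the Host header sent by the client, the example checks it against a list of expected hosts before building the redirect target. The class name, method name, port numbers and host list are assumptions made for illustration.

```java
import java.util.Locale;
import java.util.Set;

/** Added example: builds the absolute URL used to switch between http and https. */
public class SchemeSwitch {
    // Assumed configuration values; the page only says the ports should be configurable.
    static final int HTTP_PORT = 8080;
    static final int HTTPS_PORT = 8443;
    // Hosts this application answers for (assumed list). The server name is
    // client-influenced, so it is validated before it ends up in a redirect.
    static final Set<String> ALLOWED_HOSTS = Set.of("localhost", "www.myserver.com");

    /**
     * @param secure      true to build an https URL, false for http
     * @param serverName  value of request.getServerName()
     * @param contextPath value of request.getContextPath()
     * @param path        context-relative path, e.g. "/register/logon.jsp"
     */
    static String absoluteUrl(boolean secure, String serverName,
                              String contextPath, String path) {
        String host = serverName.toLowerCase(Locale.ROOT);
        if (!ALLOWED_HOSTS.contains(host)) {
            throw new IllegalArgumentException("unexpected host: " + serverName);
        }
        if (!path.startsWith("/")) {
            throw new IllegalArgumentException("path must be context-relative: " + path);
        }
        String scheme = secure ? "https" : "http";
        int port = secure ? HTTPS_PORT : HTTP_PORT;
        int defaultPort = secure ? 443 : 80;
        StringBuilder url = new StringBuilder(scheme).append("://").append(host);
        if (port != defaultPort) {
            url.append(':').append(port);   // leave out the port when it is the default
        }
        return url.append(contextPath).append(path).toString();
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for a real request.
        System.out.println(absoluteUrl(true, "localhost", "/myapp", "/register/logon.jsp"));
        System.out.println(absoluteUrl(false, "localhost", "/myapp", "/index.jsp"));
        // In an Action, the result is wrapped as shown earlier on the page:
        //   return new ActionForward(url, true);   // redirect = true
    }
}
```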