I have an Interceptor on Struts2, and I want some pages to redirect to their SSL version.

Example: http://localhost/xhtml/path.do?ossesionid=value1 to https://localhost/xhtml/path.do?ossesionid=value1

To do this I created an Interceptor that does this:

```java
// HTTP_GET, SCHEME_HTTP, SCHEME_HTTPS, HTTPS_PORT, HTTP_PORT_PARAM and log
// are fields of the interceptor class (not shown in the question).
public String intercept(ActionInvocation invocation) throws Exception {

    // initialize request and response
    final ActionContext context = invocation.getInvocationContext();
    final HttpServletRequest request = (HttpServletRequest) context
            .get(StrutsStatics.HTTP_REQUEST);
    final HttpServletResponse response = (HttpServletResponse) context
            .get(StrutsStatics.HTTP_RESPONSE);

    // check scheme
    String scheme = request.getScheme().toLowerCase();

    // check method
    String method = request.getMethod().toUpperCase();

    // If the action class uses the SSLProtected marker annotation, then see
    // if we need to redirect to the SSL protected version of this page
    if (invocation.getAction() instanceof SSLProtected) {

        if (HTTP_GET.equals(method) && SCHEME_HTTP.equals(scheme)) {

            // initialize https port
            String httpsPortParam = request.getSession().getServletContext().getInitParameter(HTTP_PORT_PARAM);
            int httpsPort = httpsPortParam == null ? HTTPS_PORT : Integer.parseInt(httpsPortParam);

            response.setCharacterEncoding("UTF-8");

            URI uri = new URI(SCHEME_HTTPS, null, request.getServerName(), httpsPort, response.encodeRedirectURL(request.getRequestURI()), request.getQueryString(), null);

            log.debug("Going to SSL mode, redirecting to " + uri.toString());

            response.sendRedirect(uri.toString());
            return null;
        }
    }

    // no redirect needed: continue with the normal invocation chain
    return invocation.invoke();
}
```

My problem is that I expect this

https://localhost/xhtml/path.do?ossesionid=value1

and got

https://localhost/xhtml/path.do;jsessionid=value1?osessionid=value1

And I'm completely lost! Help, anyone?

chudi
  • If you want access to these pages to be secure, don't rely on automatic redirections (via `mod_rewrite` or `sendRedirect`, ...). Make your links use `https://`. Anything else will just give you a false sense of security (more details in [this answer](http://webmasters.stackexchange.com/a/28443/11628).) – Bruno Apr 19 '12 at 18:43
  • Thanks, but that isn't the issue, I know that is the wrong approach, but my problem is that the parameters are wrong! – chudi Apr 19 '12 at 18:48
  • what exactly is your issue? are you talking about the jsessionid being generated? – Umesh Awasthi Apr 19 '12 at 18:52
  • @UmeshAwasthi yes! I don't know why it changes ?o to ;j – chudi Apr 19 '12 at 18:53

1 Answer

I strongly suggest you use the S2-SSL plugin, which is more flexible and provides much better support for handling the switch from SSL to non-SSL and vice versa.

Regarding the generation of the jsessionid: the JSESSIONID cookie is created/sent when the session is created. The session is created when your code calls request.getSession() or request.getSession(true) for the first time. If you just want to get the session. You have ways to disable the creation of the jsessionid.

There are a number of ways you can disable the creation of this id; please refer to this discussion thread.

I am still not sure what is the problem you are facing with this session-id as it is a very common case in web applications

Umesh Awasthi
  • That was the problem. I was thinking that my parameter osessionid was being rewritten to jsessionid and didn't know why! Thanks! – chudi Apr 19 '12 at 19:27
  • Following the path that Umesh pointed out, I managed to disable the writing of JSESSIONID to the URL. I'm using JBoss; put this in web.xml for the jsessionid to be cookie-only. In web.xml add: COOKIE – chudi Apr 19 '12 at 19:33
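
An added example, not code from the question or the answer: one way to build the HTTPS redirect target from plain strings, so that neither `request.getSession()` nor `response.encodeRedirectURL()` is involved and no session id can end up in the URL. The class name `HttpsRedirectTarget` and the method `build` are hypothetical, and the sample values in `main` are constructed from the URLs in the question.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class HttpsRedirectTarget {

    /**
     * Builds the HTTPS form of a request URL without touching the session.
     *
     * @param serverName  value of request.getServerName()
     * @param httpsPort   HTTPS port, e.g. read from a context init parameter
     * @param requestUri  value of request.getRequestURI() (still percent-encoded)
     * @param queryString value of request.getQueryString(), may be null
     */
    static String build(String serverName, int httpsPort,
                        String requestUri, String queryString)
            throws URISyntaxException {
        // Drop path parameters such as ";jsessionid=ABC" from every segment,
        // so an id that arrived in the URL is not carried into the redirect.
        String path = requestUri.replaceAll(";[^/]*", "");

        StringBuilder url = new StringBuilder("https://").append(serverName);
        if (httpsPort != 443) {
            url.append(':').append(httpsPort);
        }
        // The path and query are appended as received: they are already
        // percent-encoded, and the multi-argument URI constructors would
        // quote every '%' a second time.
        url.append(path);
        if (queryString != null) {
            url.append('?').append(queryString);
        }
        // Parse once so a malformed target fails here instead of being sent.
        return new URI(url.toString()).toASCIIString();
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample values, modelled on the URLs in the question.
        System.out.println(build("localhost", 443,
                "/xhtml/path.do", "osessionid=value1"));
        System.out.println(build("localhost", 8443,
                "/xhtml/path.do;jsessionid=value1", "osessionid=value1"));
    }
}
```

In the interceptor, the port init parameter can be read from the servlet context directly (for example through Struts2's `ServletActionContext.getServletContext()`), which avoids creating a session on the plain-HTTP request.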