I am working on a website for the government. It is a .mil site, so it has a number of security hoops to jump through and we need to deal with a specialized webhost filled with govt employees who think it is ok to spring crap on us and FUBAR the project schedule at the last minute because, hey, they won't be reprimanded because they work for the govt - but that is beside the point.
I built them a Struts app that has a form for collecting non-sensitive information which normally would not require SSL, but a week before we were to launch the app, the webhost - which in this situation can dictate how things need to be done (because of .mil) - tells us that the form needs to be put behind SSL.
The app is essentially an order form, but not in the e-commerce sense; there is no transaction and there is no shipping to an individual's address. The materials are free so all the user needs to do is select the stuff they want and add shipping info on another page - the address needs to be on a master list - it will be a base as opposed to a house. The shipping form is the page that needs to be behind SSL.
Because it was a Struts app, we wanted to put a forward on the index of the domain that will send the user to the SSL box - a separate machine - and serve the entire site from behind there.
The host balked at this, saying it was too much of a headache for them - boo hoo - and wanted to simply put the "form" on the SSL. The kick is that the "form" is merely the 2nd step in a 3-step process. The action of step 1 adds the materials they are requesting
The problem is that the people I am dealing with are not really qualified and would not be hired at a real webhost. They had to look up what Struts was when we said we wanted to build the site using this technology and I am convinced they think that this is like adding an HTML page to the SSL layer - they don't understand that it is a Tiles page that is essentially 5 shared pages and a form.
In my 5 years of doing this, I have dealt with SSL once - on a PHP app, not Struts. So my questions are as follows:
My solution to serve one page will be to mock up a page that looks exactly like the Struts page, but is actually a JSP or HTML page that gets forwarded to when the user starts the process. The action will be the Struts action on the old server, and when the user goes back to it, the session data will already exist.
Does this sound plausible? Unfortunately, it is the best I can do without rebuilding the app - which is out of the question anyway.