Recipe11.11.Configuring Actions to Require SSL


Recipe 11.11. Configuring Actions to Require SSL

Problem

You want to control if HTTPS is required on a page-by-page basis.

Solution

Use the SSLEXT Struts extension.

Discussion

The Struts SSL Extension (SSLEXT), an open source Struts plug-in, enables you to indicate if an action requires the secure (https) protocol. Steve Ditlinger created and maintains this project (with others), hosted at http://sslext.sourceforge.net.

SSLEXT enables fine-grained secure protocol control by providing:

  • The ability to specify in the struts-config.xml file if an action should require a secure protocol. This feature essentially allows your application to switch actions and JSP pages from http to https.

  • Extensions of the Struts JSP tags that generate URLs that include the https protocol.

The SSLEXT distribution consists of a plug-in class for initialization (SecurePlugIn), a custom request processor (SecureRequestProcessor), and a custom action mapping class (SecureActionMapping).

If you have been using custom RequestProcessor or ActionMapping classes and you want to use SSLEXT, you will need to change these classes to extend the corresponding classes provided by SSLEXT.


For JSP pages, SSLEXT provides custom extensions of Struts tags for generating protocol-specific URLs. A custom JSP allows you to indicate if a JSP page requires https. SSLEXT depends on the Java Secure Socket Extension (JSSE). JSSE is included with JDK 1.4 or later. If you're using an older JDK, you can download JSSE from Sun's Java site. Finally, you'll need to enable SSL for your application server. For Tomcat, this can be found in the Tomcat SSL How-To documentation.

SSLEXT works by intercepting the request in its SecureRequestProcessor. If the request is directed toward an action that is marked as secure, the SecureRequestProcessor will generate a redirect. The redirect will change the protocol to https and the port to a secure port (e.g., 443 or 8443). Switching protocols sounds simple; however, a request in a Struts application usually contains request attributes, and these attributes are lost on a redirect. SSLEXT solves this problem by temporarily storing the request attributes in the session.

You can download the SSLEXT distribution from the project web site. SSLEXT doesn't include a lot of documentation, but it comes with sample applications that demonstrate its use and features. If all your requests go through Struts actions, you can apply SSLEXT without modifying any Java code or JSP pages. Here's how you would apply SSLEXT to a Struts application:

  1. Copy the sslext.jar file into your application's WEB-INF/lib folder.

  2. If you need to use the custom JSP tags, copy the sslext.tld file into the WEB-INF/lib folder.

Make the following changes to the struts-config.xml file:

  1. Add the type attribute to the action-mappings element to specify the custom secure action mapping class:

    <action-mappings type="org.apache.struts.config.SecureActionConfig">

  2. Add the controller element for the secure request processor:

    <controller processor />

  3. Add the plug-in declaration to load the SSLEXT code:

    <plug-in className="org.apache.struts.action.SecurePlugIn">     <set-property property="httpPort" value="80"/>     <set-property property="httpsPort" value="443"/>           <set-property property="enable" value="true"/>           <set-property property="addSession" value="true"/>       </plug-in>

  4. Set the secure property to TRue for any action you want to be accessed using https:

    <action    path="/reg/Main"            type="com.oreilly.strutsckbk.ch11.ssl.MainMenuAction">     <!-- Force this action to run secured -->     <set-property property="secure" value="true"/>     <forward name="success" path="/reg/main.jsp"/> </action>

  5. Set the secure property to false for any action that you only want to run under an unsecured protocol (http):

    <action    path="/Welcome"            type="com.oreilly.strutsckbk.ch11.ssl.WelcomeAction">     <!-- Force this action to run unsecured -->     <set-property property="secure" value="false"/>     <forward name="success" path="/welcome.jsp"/> </action>

If you have accessible JSP pages you want to specify as secured (or unsecured), use the SSLEXT pageScheme custom JSP tag:

<%@ taglib uri="http://www.ebuilt.com/taglib" prefix="sslext"%> <sslext:pageScheme secure="true"/>

Now rebuild and deploy the application. When you click on a link to a secured action, the protocol will switch to https and the port to the secure port (e.g., 8443 or 443). If you go to an action marked as unsecured, the protocol and port should switch back to http and the port to the standard port (e.g., 8080 or 80). If you access an action without a specified value for the secure property or the value is set to any, then the protocol won't switch when you access the action. If you're under http, the protocol will remain http; if you're under https, the protocol will remain https.

Be careful if you switch from a secured to unsecured protocol (https to http). Critical user-specific data, such as the current session ID, can be snooped by a hacker. The hacker could use this data to hijack the session and imposter the user. Here is a good rule to follow: Once you switch to https, stay in https.


You can use SSLEXT alongside container-managed security mechanisms for specifying secure transport. The container-managed security approach works well when you want to secure entire portions of your application:

<security-constraint>     <web-resource-collection>         <web-resource-name>AdminPages</web-resource-name>         <description>Administrative pages</description>         <url-pattern>/admin/*</url-pattern>     </web-resource-collection>     <auth-constraint>         <role-name>jscAdmin</role-name>     </auth-constraint>     <!-- Switch to HTTPS for the admin pages -->     <user-data-constraint>         <transport-guarantee>CONFIDENTIAL</transport-guarantee>     </user-data-constraint> </security-constraint>

You can then use SSLEXT for fine-grained control of the protocol at the action level.

See Also

Enabling an application server to support https varies. Tomcat provides a how-to for this. For Tomcat 5.0, the relevant documentation can be found at http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html.

SSLEXT is hosted on SourceForge at http://sslext.sourceforge.net.

Craig McClanahan presents a good argument against switching back to http from https. His comments can be found in a struts-user mailing list thread archived at http://www.mail-archive.com/struts-user@jakarta.apache.org/msg81889.html.

Recipe 11.9 shows how you can specify the protocol in the web.xml file. This approach, presented as part of the J2EE tutorial, can be found at http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security4.html.



    Jakarta Struts Cookbook
    Jakarta Struts Cookbook
    ISBN: 059600771X
    EAN: 2147483647
    Year: 2005
    Pages: 200

    flylib.com © 2008-2017.
    If you may any questions please contact us: flylib@qtcs.net