Recipe 11.11. Configuring Actions to Require SSL

Problem

You want to control if HTTPS is required on a page-by-page basis.

Solution

Use the SSLEXT Struts extension.

Discussion

The Struts SSL Extension (SSLEXT), an open source Struts plug-in, enables you to indicate if an action requires the secure (https) protocol. Steve Ditlinger created and maintains this project (with others), hosted at http://sslext.sourceforge.net. SSLEXT enables fine-grained secure protocol control by providing:
- A plug-in class for initialization (SecurePlugIn), a custom request processor (SecureRequestProcessor), and a custom action mapping class (SecureActionMapping).
- For JSP pages, custom extensions of the Struts tags that generate protocol-specific URLs, and a custom JSP tag that lets you indicate whether a JSP page requires https.

SSLEXT depends on the Java Secure Socket Extension (JSSE). JSSE is included with JDK 1.4 or later; if you're using an older JDK, you can download JSSE from Sun's Java site. Finally, you'll need to enable SSL for your application server. For Tomcat, the steps are described in the Tomcat SSL How-To documentation.

SSLEXT works by intercepting the request in its SecureRequestProcessor. If the request is directed toward an action that is marked as secure, the SecureRequestProcessor generates a redirect. The redirect changes the protocol to https and the port to a secure port (e.g., 443 or 8443). Switching protocols sounds simple; however, a request in a Struts application usually carries request attributes, and these attributes are lost on a redirect. SSLEXT solves this problem by temporarily storing the request attributes in the session.

You can download the SSLEXT distribution from the project web site. SSLEXT doesn't include a lot of documentation, but it comes with sample applications that demonstrate its use and features. If all your requests go through Struts actions, you can apply SSLEXT without modifying any Java code or JSP pages. Here's how you would apply SSLEXT to a Struts application:
Make the following changes to the struts-config.xml file:
If you have directly accessible JSP pages that you want to specify as secured (or unsecured), use the SSLEXT pageScheme custom JSP tag:

    <%@ taglib uri="http://www.ebuilt.com/taglib" prefix="sslext" %>
    <sslext:pageScheme secure="true"/>

Now rebuild and deploy the application. When you click on a link to a secured action, the protocol switches to https and the port to the secure port (e.g., 8443 or 443). If you go to an action marked as unsecured, the protocol should switch back to http and the port to the standard port (e.g., 8080 or 80). If you access an action whose secure property is not set, or is set to any, the protocol does not switch when you access the action: if you're under http, the protocol remains http; if you're under https, the protocol remains https.
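The three cases just described (secure="true", secure="false" and secure="any") and the parking of request attributes in the session can be modelled in a few lines of plain Java. The following class is an added illustration written for this page; it is not SSLEXT's SecureRequestProcessor source and does not use the Struts API. The port numbers, the session key name and the example URLs are assumptions chosen to match the Tomcat defaults mentioned above.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashMap;
import java.util.Map;

/**
 * Simplified model of the protocol switch SSLEXT performs when a request
 * reaches an action whose "secure" property disagrees with the scheme the
 * client used. Added example, not SSLEXT's own code.
 */
public class ProtocolSwitchDemo {

    /** Assumed port mapping, matching a typical Tomcat install (8080 / 8443). */
    static final int HTTP_PORT = 8080;
    static final int HTTPS_PORT = 8443;

    /** Assumed session key under which request attributes are parked across the redirect. */
    static final String PARKED_KEY = "parkedRequestAttributes";

    /**
     * Decide whether the request must be redirected to the other protocol.
     *
     * @param requestUri the URI the client actually used
     * @param secure     the action's secure property: "true", "false", "any" or null (unset)
     * @return the redirect target, or null when the request may proceed as-is
     */
    static URI redirectTarget(URI requestUri, String secure) throws URISyntaxException {
        // Unset or "any": stay on whatever protocol the client is already using.
        if (secure == null || "any".equalsIgnoreCase(secure)) {
            return null;
        }
        boolean wantHttps = Boolean.parseBoolean(secure);
        boolean isHttps = "https".equalsIgnoreCase(requestUri.getScheme());
        if (wantHttps == isHttps) {
            return null; // already on the required protocol
        }
        String scheme = wantHttps ? "https" : "http";
        int port = wantHttps ? HTTPS_PORT : HTTP_PORT;
        // Same host, path and query string; only scheme and port change.
        return new URI(scheme, null, requestUri.getHost(), port,
                       requestUri.getPath(), requestUri.getQuery(), null);
    }

    /** Request attributes do not survive a redirect, so copy them into the session first. */
    static void parkAttributes(Map<String, Object> requestAttrs, Map<String, Object> session) {
        session.put(PARKED_KEY, new HashMap<>(requestAttrs));
    }

    /** On the follow-up request, move the parked attributes back out and clear the slot. */
    @SuppressWarnings("unchecked")
    static Map<String, Object> restoreAttributes(Map<String, Object> session) {
        Object parked = session.remove(PARKED_KEY);
        return parked == null ? new HashMap<>() : (Map<String, Object>) parked;
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample requests; the /app paths are placeholders, not from the recipe.
        URI plain = new URI("http://localhost:8080/app/checkout.do?item=42");
        URI tls = new URI("https://localhost:8443/app/home.do");

        System.out.println("secure=true  on http  -> " + redirectTarget(plain, "true"));
        System.out.println("secure=any   on http  -> " + redirectTarget(plain, "any"));
        System.out.println("secure=false on https -> " + redirectTarget(tls, "false"));
        System.out.println("secure=true  on https -> " + redirectTarget(tls, "true"));

        // Round-trip of request attributes across the redirect.
        Map<String, Object> session = new HashMap<>();
        Map<String, Object> requestAttrs = new HashMap<>();
        requestAttrs.put("orderForm", "constructed form bean");
        parkAttributes(requestAttrs, session);
        Map<String, Object> restored = restoreAttributes(session);
        System.out.println("restored attributes: " + restored);
        System.out.println("session slot cleared: " + !session.containsKey(PARKED_KEY));
    }
}
```

The model deliberately switches in both directions, because that is what the recipe describes; whether your application should ever move a user back from https to http is the policy question raised in the struts-user thread cited under See Also. Note also that attributes parked in the session are readable by any later request in that session until they are restored, so keep only what the target action genuinely needs.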
You can use SSLEXT alongside container-managed security mechanisms for specifying secure transport. The container-managed security approach works well when you want to secure entire portions of your application:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>AdminPages</web-resource-name>
        <description>Administrative pages</description>
        <url-pattern>/admin/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>jscAdmin</role-name>
      </auth-constraint>
      <!-- Switch to HTTPS for the admin pages -->
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

You can then use SSLEXT for fine-grained control of the protocol at the action level.

See Also

Enabling an application server to support https varies. Tomcat provides a how-to for this. For Tomcat 5.0, the relevant documentation can be found at http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html.

SSLEXT is hosted on SourceForge at http://sslext.sourceforge.net.

Craig McClanahan presents a good argument against switching back to http from https. His comments can be found in a struts-user mailing list thread archived at http://www.mail-archive.com/struts-user@jakarta.apache.org/msg81889.html.

Recipe 11.9 shows how you can specify the protocol in the web.xml file. This approach, presented as part of the J2EE tutorial, can be found at http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security4.html.