Tuesday, October 20, 2009

Recipe 11.11. Configuring Actions to Require SSL










Recipe 11.11. Configuring Actions to Require SSL




Problem



You want to control if HTTPS is required on a page-by-page basis.





Solution



Use the SSLEXT Struts extension.





Discussion



The Struts SSL Extension (SSLEXT), an open source Struts plug-in,
enables you to indicate if an action requires the secure
(https) protocol. Steve Ditlinger created and
maintains this project (with others), hosted at
http://sslext.sourceforge.net.



SSLEXT enables fine-grained secure protocol control by
providing:



  • The ability to specify in the struts-config.xml file
    if an action should require a secure protocol.
    This feature essentially allows your application to switch actions
    and JSP pages from http to
    https.

  • Extensions of the Struts JSP tags that generate URLs that include the
    https protocol.


The SSLEXT distribution consists of a plug-in class for
initialization (SecurePlugIn), a custom request
processor (SecureRequestProcessor), and a custom
action mapping class (SecureActionMapping).





If you have been using custom RequestProcessor or
ActionMapping classes and you want to use SSLEXT,
you will need to change these classes to extend the corresponding
classes provided by SSLEXT.





For JSP pages, SSLEXT provides custom extensions of Struts tags for
generating protocol-specific URLs. A custom JSP allows you to
indicate if a JSP page requires https. SSLEXT
depends on the Java Secure Socket Extension (JSSE). JSSE is included
with JDK 1.4 or later. If you're using an older JDK,
you can download JSSE from Sun's Java site. Finally,
you'll need to enable SSL for your application
server. For Tomcat, this can be found in the Tomcat SSL
How-To documentation.



SSLEXT works by intercepting the request in its
SecureRequestProcessor. If the request is directed
toward an action that is marked as secure, the
SecureRequestProcessor will generate a redirect.
The redirect will change the protocol to https and
the port to a secure port (e.g., 443 or 8443). Switching protocols
sounds simple; however, a request in a Struts application usually
contains request attributes, and these attributes are lost on a
redirect. SSLEXT solves this problem by temporarily storing the
request attributes in the session.



You can download the SSLEXT distribution from the project web site.
SSLEXT doesn't include a lot of documentation, but
it comes with sample applications that demonstrate its use and
features. If all your requests go through Struts actions, you can
apply SSLEXT without modifying any Java code or JSP pages.
Here's how you would apply SSLEXT to a Struts
application:



  1. Copy the sslext.jar file into your
    application's WEB-INF/lib
    folder.

  2. If you need to use the custom JSP tags, copy the sslext.tld
    file into the WEB-INF/lib folder.


Make the following changes to the
struts-config.xml file:



  1. Add the type attribute to the
    action-mappings element to specify the custom
    secure action mapping class:

    <action-mappings type="org.apache.struts.config.SecureActionConfig">


  2. Add the controller element for the secure request
    processor:

    <controller processorClass="org.apache.struts.action.SecureRequestProcessor" />


  3. Add the plug-in declaration to load the SSLEXT
    code:

    <plug-in className="org.apache.struts.action.SecurePlugIn">
        <set-property property="httpPort" value="80"/>
        <set-property property="httpsPort" value="443"/>      
        <set-property property="enable" value="true"/>      
        <set-property property="addSession" value="true"/>      
    </plug-in>


  4. Set the secure property to TRue
    for any action you want to be accessed using
    https:

    <action    path="/reg/Main"
               type="com.oreilly.strutsckbk.ch11.ssl.MainMenuAction">
        <!-- Force this action to run secured -->
        <set-property property="secure" value="true"/>
        <forward name="success" path="/reg/main.jsp"/>
    </action>


  5. Set the secure property to
    false for any action that you
    only want to run under an unsecured protocol
    (http):

    <action    path="/Welcome"
               type="com.oreilly.strutsckbk.ch11.ssl.WelcomeAction">
        <!-- Force this action to run unsecured -->
        <set-property property="secure" value="false"/>
        <forward name="success" path="/welcome.jsp"/>
    </action>



If you have accessible JSP pages you want to specify as secured (or
unsecured), use the SSLEXT pageScheme custom JSP
tag:



<%@ taglib uri="http://www.ebuilt.com/taglib" prefix="sslext"%>
<sslext:pageScheme secure="true"/>




Now rebuild and deploy the application. When you click on a link to a
secured action, the protocol will switch to
https and the port to the
secure port (e.g., 8443 or
443). If you go to an action
marked as unsecured, the protocol and port should switch back to
http and the port to the standard port (e.g.,
8080 or
80). If you access an action without a specified
value for the secure property or the value is set to
any, then the protocol won't
switch when you access the action. If you're under
http, the protocol will remain
http; if you're under
https, the protocol will remain
https.





Be careful if you switch from a secured to unsecured protocol (https
to http). Critical user-specific data, such as the current session
ID, can be snooped by a hacker. The hacker could use this data to
hijack the session and imposter the user. Here is a good rule to
follow: Once you switch to https, stay in https.





You can use SSLEXT alongside container-managed
security mechanisms for specifying secure transport. The
container-managed security approach works well when you want to
secure entire portions of your application:



<security-constraint>
    <web-resource-collection>
        <web-resource-name>AdminPages</web-resource-name>
        <description>Administrative pages</description>
        <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>jscAdmin</role-name>
    </auth-constraint>
    <!-- Switch to HTTPS for the admin pages -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>




You can then use SSLEXT for fine-grained control of the protocol at
the action level.





See Also



Enabling an application server to support https
varies. Tomcat provides a how-to for this. For Tomcat 5.0, the
relevant documentation can be found at http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html.



SSLEXT is hosted on SourceForge at http://sslext.sourceforge.net.



Craig McClanahan presents a good argument against switching back to
http from https. His comments
can be found in a struts-user mailing list
thread archived at http://www.mail-archive.com/struts-user@jakarta.apache.org/msg81889.html.



Recipe 11.9 shows how you can specify the
protocol in the web.xml file. This approach,
presented as part of the J2EE tutorial, can be found at http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security4.html.












    Posted by at

    No comments:

    Post a Comment

    Subscribe to: Post Comments (Atom)