* The ability to declaratively specify in the Struts configuration file whether or not an action mapping should be secure. This feature allows your application to switch protocols between actions and JSP pages.
* Extensions of the Struts JSP tags that can generate URLs that use the https protocol.
SSLEXT consists of a plug-in class for initialization, a custom extension to the Struts RequestProcessor, and a custom extension of the Struts ActionMapping. In addition, custom JSP tags, which extend the Struts tags, are provided for protocol-specific URL generation. SSLEXT also includes an additional JSP tag that lets you specify whether an entire JSP page is secure. SSLEXT depends on the Java Secure Socket Extension (JSSE), which is included with JDK 1.4 and later. Finally, you need to enable SSL for your application server. For Tomcat, this can be found in the Tomcat SSL How-To documentation.
SSLEXT works by intercepting the request in its SecureRequestProcessor. If the request is directed toward an action that is marked as secure, the SecureRequestProcessor generates a redirect. The redirect changes the protocol to https and the port to a secure port (e.g., 443 or 8443). This sounds simple enough; however, a request in a Struts application usually contains request attributes. These attributes are lost on a redirect. SSLEXT solves this problem by temporarily storing the request attributes in the session.
SSLEXT does not include a lot of documentation but it comes with a sample application that demonstrates its use and features. To try SSLEXT, you can modify Mini HR to use it by changing the login behavior so that the LoginAction occurs over HTTPS. Once logged in, the protocol should be switched back to HTTP. Take the following steps to set up SSLEXT for the Mini HR application:
1. Copy the sslext.jar file into the MiniHR19\WEB-INF\lib folder.
2. Copy the sslext.tld file into the MiniHR19\WEB-INF\tlds folder.
3. Add a taglib declaration in the web.xml for the sslext tag library as follows:
Now, make the following changes to the struts-config.xml file:
1. Add the type attribute to the action-mappings element to specify the custom secure action mapping class as follows:
2. Add the controllerelement configured to use the SecureRequestProcessor. If you are already using a custom request processor, change it to extend the SecureRequestProcessor.
SecureRequestProcessor"/>
3. Add the plug-indeclaration to load the SSLEXT code:
4. Set the secureproperty to true for the login action mapping by adding the following element
5. Finally, you need to configure the index.jsppage to always run on http, not https. Otherwise, after you log in, the protocol will remain on https. Add the following taglib directive and custom tag to the index.jsp page (after the existing taglib directives):
<%@ taglib uri="/WEB-INF/tlds/sslext.tld" prefix="sslext"%>
This tag is only needed for those JSP pages that are not accessed through your actions.
Now all you need to do is rebuild and redeploy the application. When you click the login link, the protocol will switch to https and the port will switch to 8443. After you log in, you should be redirected back to the index.jsp page and the protocol and port should switch back to http and 8080.You should experiment with using the
No comments:
Post a Comment