Securing Struts Applications - SSLEXT to the Rescue

(Page 8 of 8 )

The SSL Extension to Struts (SSLEXT) is an open-source plug-in for Struts. This software was created and is maintained by Steve Ditlinger (and others). It is hosted at SourceForge, http://sslext.sourceforge.net. It is the recommended approach for integrating Struts with SSL processing. Its features include:

• The ability to declaratively specify in the Struts configuration file whether or not an action mapping should be secure. This feature allows your application to switch protocols between actions and JSP pages.
• Extensions of the Struts JSP tags that can generate URLs that use the https protocol.

SSLEXT consists of a plug-in class for initialization, a custom extension to the Struts RequestProcessor, and a custom extension of the Struts ActionMapping. In addition, custom JSP tags, which extend the Struts tags, are provided for protocol-specific URL generation. SSLEXT also includes an additional JSP tag that lets you specify whether an entire JSP page is secure. SSLEXT depends on the Java Secure Socket Extension (JSSE), which is included with JDK 1.4 and later. Finally, you need to enable SSL for your application server. For Tomcat, this can be found in the Tomcat SSL How-To documentation.

SSLEXT works by intercepting the request in its SecureRequestProcessor. If the request is directed toward an action that is marked as secure, the SecureRequestProcessor generates a redirect. The redirect changes the protocol to https and the port to a secure port (e.g., 443 or 8443). This sounds simple enough; however, a request in a Struts application usually contains request attributes. These attributes are lost on a redirect. SSLEXT solves this problem by temporarily storing the request attributes in the session.

SSLEXT does not include a lot of documentation but it comes with a sample application that demonstrates its use and features. To try SSLEXT, you can modify Mini HR to use it by changing the login behavior so that the LoginAction occurs over HTTPS. Once logged in, the protocol should be switched back to HTTP. Take the following steps to set up SSLEXT for the Mini HR application:

1. Copy the sslext.jar file into the MiniHR19\WEB-INF\lib folder.
2. Copy the sslext.tld file into the MiniHR19\WEB-INF\tlds folder.
3. Add a taglib declaration in the web.xml for the sslext tag library as follows:

        <taglib>
          <taglib-uri>/WEB-INF/tlds/sslext.tld</taglib-uri>
          <taglib-location>/WEB-INF/tlds/sslext.tld</taglib-
        location>
        </taglib>

Now, make the following changes to the struts-config.xml file:

1. Add the type attribute to the action-mappings element to specify the custom secure action mapping class as follows:
   
   <action-mappings type="org.apache.struts.config.SecureActionConfig">
   
2. Add the controllerelement configured to use the SecureRequestProcessor. If you are already using a custom request processor, change it to extend the SecureRequestProcessor.
   
   <controller        
    processorClass="org.apache.struts.action.
   SecureRequestProcessor"/>
   
3. Add the plug-indeclaration to load the SSLEXT code:
   
   <plug-in  
   className="org.apache.struts.action.SecurePlugIn">
     <set-property property="httpPort" value="8080"/>
     <set-property property="httpsPort" value="8443"/>
     <set-property property="enable" value="true"/>
     <set-property property="addSession" value="true"/>
   </plug-in>
   
4. Set the secureproperty to true for the login action mapping by adding the following element
   
   <set-property property="secure" value="true"/>
   
5. Finally, you need to configure the index.jsppage to always run on http, not https. Otherwise, after you log in, the protocol will remain on https. Add the following taglib directive and custom tag to the index.jsp page (after the existing taglib directives):
   
   

   <%@ taglib uri="/WEB-INF/tlds/sslext.tld" prefix="sslext"%>
   <sslext:pageScheme secure="false"/>

   This tag is only needed for those JSP pages that are not accessed through your actions.

Now all you need to do is rebuild and redeploy the application. When you click the login link, the protocol will switch to https and the port will switch to 8443. After you log in, you should be redirected back to the index.jsp page and the protocol and port should switch back to http and 8080.You should experiment with using the <sslext:link> tag to create links to secure actions. You will find that using SSLEXT is much easier than using the user-data-constraint subelement of the web.xml file. It gives you fine-grained control where you need it through the tags. At the same time, it leverages the struts-config.xml file to enable simple declarative configuration for secure request processing.

DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware.

Comments On: Securing Struts Applications

· Very good article. Concepts are explained in very detail.    · i found this article very helpful ...........what should i write in the User class...    · The concepts described in the article all act on the assumption to declare the...   >>> Post your comment now!

Buy this book...

This article is excerpted from chapter 19 of the book The Complete Reference: Struts, written by James Holmes (McGraw-Hill/Osborne, 2004; ISBN: 0072231319 ). Check it out at your favorite bookstore. Buy this book now.