Struts 2 and SSL switching (part 1)
Is the Struts2 SSL switching plugin right for you?
If your application is complex you may be better of using the Spring Security module that comes as part of the Spring framework. It can also provide SSL switching facilities along side a host of other useful features. The learning curve is steep though so make sure you have plenty of time to learn.The problem
To secure a page with SSL automatically so that if any request is made to that page then it will be redirected to https. This method does not require the programmer to remember to make a URL in the form of https:// for every hyperlink.
In this example we will secure a jsp page that is mapped through Struts 2 by a wildcard mapping. It will not have a concrete action class behind it.
Concepts you need to be familiar with before continuing
- If you are unfamiliar with namespaces in Struts 2 then you should check out the Namespaces in Struts 2 tutorial;
- If you are unfamiliar with wildcard mappings in struts 2 then you should check out the Wilcard mappings in Struts 2 tutorial.
Struts 2 does not support SSL switching by default.
Surprisingly Struts 2 itself does not support SSL switching by default. Struts 1 did not do this either so my guess is that the developers of Struts do not see that as part of the job of the Struts framework. Like its predecessor though Struts 2 does have a plugin written by a third party that does allow for automatic SSL switching. It uses a custom interceptor but luckily you do not need to know how it works under the hood to make it work. The SSL library for Struts 2 can be downloaded from http://code.google.com/p/struts2-ssl-plugin/. My guess is that the SSL plugin is based on the code contributed by Colonel35 which can be found here.
If you want to see how the SSL switching works under the hood then I would suggest downloading Java Decompiler and taking a look inside.
How to do it
As the home page of the SSL plugin explains it is actually very easy to make this work but I did have some trouble learning it. Firstly, once you have downloaded the plugin then you add the jar file to your lib directory.
SSL switching without annotations
There are then two ways to secure your pages and actions and which way you choose will depend upon your needs. If you are using wildcard mappings to map an action to a page then you will need to use the:
<param name="useAnnotations">false</param>
node in your struts.xml file. Without this any wildcard mapped pages cannot be secured as you would have to use an annotation, annotations cannot be used in the struts.xml file itself and by definition of a wildcard mapping to a jsp page, there is no concrete java action associated with it.
SSL switching with annotations
The second way is to miss out the above node in the struts.xml file or set it to true. When it is done this way any action that uses the @Secured() annotation will be redirected over SSL. An example of mapping an entire Action class (i.e. every method in the class):
@Secured()
public class ActionDoSomething extends BaseActionSupport implements SessionAware {
public void myMethod1(){
}
public void myMethod2(){
}
}
In the above example both methods myMethod1() and myMethod2(), when called, will be secured by SSL as the @Secured() annotation is at the class level. If one of those methods redirects to a jsp, then that jsp will be secured. In the example below only the myMethod1() is secured by SSL as the annotation is at the method level:
public class ActionDoSomething extends BaseActionSupport implements SessionAware {
@Secured()
public void myMethod1(){
}
public void myMethod2(){
}
}
Using the SSL plugin in the above two ways allows us to secure any Struts 2 action whether or not it has a concrete action class behind it. We can also choose to secure only those methods that we want to be secure.
24.02.2009 02:26 - Posted by doahh - Comments: 1 - Java
Comments:
Hey thanks, good job buddy.
05.10.2009 11:20 - Posted by _NT - Permalink