Posted to user@struts.apache.org by Mathew Ring <mr...@transolutions.net> on 2004/03/17 20:49:02 UTC

Is it possible to secure Struts Apps w/ transport-guarantee in web.xml?

My attempts to do this so far in Tomcat 5.x have failed (in my opinion),
resulting in very poor performance and broken images.  SSLExt is a good
alternative, but I'm wondering why I have to go to this length.

At this point, I am going to say that this *seems* like a Struts problem and
not a Tomcat problem, as it works fine with the Tomcat Manager App (a simple
servlet App) but not with the Tomcat Admin App (a Struts App).

I'll elaborate on my above example:

Assumptions:
1) you've configured SSL in Tomcat, which is very easy
2) you've configured appropriate admin and manager users and roles in the
tomcat-users.xml file

Procedure:
1) Edit the CATALINA_HOME/server/webapps/manager/WEB-INF/web.xml file as
follows:
  <!-- Define a Security Constraint on this Application -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTMLManger and Manager command</web-resource-name>
      <url-pattern>/jmxproxy/*</url-pattern>
      <url-pattern>/html/*</url-pattern>
      <url-pattern>/list</url-pattern>
      <url-pattern>/sessions</url-pattern>
      <url-pattern>/start</url-pattern>
      <url-pattern>/stop</url-pattern>
      <url-pattern>/install</url-pattern>
      <url-pattern>/remove</url-pattern>
      <url-pattern>/deploy</url-pattern>
      <url-pattern>/undeploy</url-pattern>
      <url-pattern>/reload</url-pattern>
      <url-pattern>/save</url-pattern>
      <url-pattern>/serverinfo</url-pattern>
      <url-pattern>/status/*</url-pattern>
      <url-pattern>/roles</url-pattern>
      <url-pattern>/resources</url-pattern>
    </web-resource-collection>
    <auth-constraint>
       <!-- NOTE:  This role is not present in the default users file -->
       <role-name>manager</role-name>
    </auth-constraint>
    <!-- EDIT START -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    <!-- EDIT END -->
  </security-constraint>

2) Edit the CATALINA_HOME/server/webapps/admin/WEB-INF/web.xml file as
follows:
  <!-- Security is active on entire directory -->
  <security-constraint>
    <display-name>Tomcat Server Configuration Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <!-- Define the context-relative URL(s) to be protected -->
      <url-pattern>*.jsp</url-pattern>
      <url-pattern>*.do</url-pattern>
      <url-pattern>*.html</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Anyone with one of the listed roles may access this area -->
      <role-name>admin</role-name>
    </auth-constraint>
    <!-- EDIT START -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    <!-- EDIT END -->
  </security-constraint>

3) Restart Tomcat
4) Open a browser to http://localhost:8080/manager/html (or whatever URL is
appropriate for you). It should work fine after 'redirecting' to a https
version of the URL.
5) Shut down your browser.
6) Open a browser to http://localhost:8080/admin (or whatever URL is
appropriate for you). It should 'redirect' to a https version of the URL and
then will *very slowly* load the admin App, with broken images.

Anyway, this seems to me like it may be a Struts problem, but maybe someone
here knows differently.

Thanks a lot!

Matthew S. Ring
Transolutions, Inc.
(847) 574-2129
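As an added example (not part of the original post or of Tomcat/Struts), a small audit script that parses a web.xml and lists every security-constraint that requires a role but does not declare a CONFIDENTIAL transport-guarantee, which is the check a reviewer would run before trusting that the edits above cover every protected URL. The embedded descriptor is constructed for this example; the parser handles both DTD-based and namespaced (Servlet 2.4 style) descriptors.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml: the first constraint protects Struts URLs with a
# role but no transport guarantee; the second one has CONFIDENTIAL set.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>*.do</url-pattern>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Manager</web-resource-name>
      <url-pattern>/html/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip an XML namespace prefix like '{http://...}' from a tag name."""
    return tag.rsplit("}", 1)[-1]


def find_unencrypted_constraints(web_xml_text):
    """Return constraints that demand a role but not CONFIDENTIAL transport."""
    root = ET.fromstring(web_xml_text)
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        children = {_local(c.tag): c for c in sc}
        if "auth-constraint" not in children:
            continue  # unauthenticated area; out of scope for this check
        guarantee = None
        udc = children.get("user-data-constraint")
        if udc is not None:
            for tg in udc:
                if _local(tg.tag) == "transport-guarantee":
                    guarantee = (tg.text or "").strip().upper()
        if guarantee != "CONFIDENTIAL":
            patterns = [p.text.strip() for wrc in sc for p in wrc
                        if _local(p.tag) == "url-pattern" and p.text]
            findings.append({"patterns": patterns,
                             "transport_guarantee": guarantee or "NONE"})
    return findings
```

Running it against the constructed descriptor reports only the first constraint (`*.do`, `*.jsp`) as lacking a transport guarantee.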