Posted to user@struts.apache.org by Giles Parnell <Gi...@yellgroup.com> on 2004/01/22 12:59:52 UTC

Securing resources in the web-app !

Hi guys

I'm trying to secure my web app, so that only https access can occur
through it. I've started writing some code that checks the url protocol in
each action ... which I think is pretty nasty. I know I can do all of this
in the web.xml. However I don't know much about setting up realms and
groups in the web container. (??) Do I have to go all the way down that
path? I'm not too concerned about setting up the ssl (someone else's job) -
all I want to do is check for the https protocol - i.e. only serve requests
that have https as their protocol.

Looking on the web, suggestions like this have been made, which I've tried
- but to no avail.
 <web-resource-collection>
    <web-resource-name>A name</web-resource-name>
    <description>desc</description>
    <url-pattern>/*</url-pattern>
    <http-method>CONFIDENTIAL ** (I've also tried HTTPS) </http-method>
  </web-resource-collection>
 </security-constraint>

Any ideas ?

Thanks in advance.
Giles




---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org


Re: Securing resources in the web-app !

Posted by Kris Schneider <kr...@dotech.com>.

This is the Servlet 2.3 DTD entry for <http-method>:

<!--
The http-method contains an HTTP method (GET | POST |...).

Used in: web-resource-collection
-->
<!ELEMENT http-method (#PCDATA)>

What you're probably looking for is <transport-guarantee> (subelement of
<user-data-constraint>, which is a subelement of <security-constraint>):

<!--
The transport-guarantee element specifies that the communication
between client and server should be NONE, INTEGRAL, or
CONFIDENTIAL. NONE means that the application does not require any
transport guarantees. A value of INTEGRAL means that the application
requires that the data sent between the client and server be sent in
such a way that it can't be changed in transit. CONFIDENTIAL means
that the application requires that the data be transmitted in a
fashion that prevents other entities from observing the contents of
the transmission. In most cases, the presence of the INTEGRAL or
CONFIDENTIAL flag will indicate that the use of SSL is required.

Used in: user-data-constraint
-->
<!ELEMENT transport-guarantee (#PCDATA)>

Quoting Giles Parnell <Gi...@yellgroup.com>:

> 
> Hi guys
> 
> I'm trying to secure my web app, so that only https access can occur
> through it. I've started writing some code that checks the url protocol in
> each action ... which I think is pretty nasty. I know I can do all of this
> in the web.xml. However I don't know much about setting up realms and
> groups in the web container. (??) Do I have to go all the way down that
> path? I'm not too concerned about setting up the ssl (someone else's job) -
> all I want to do is check for the https protocol - i.e. only serve requests
> that have https as their protocol.
> 
> Looking on the web, suggestions like this have been made, which I've tried
> - but to no avail.
>  <web-resource-collection>
>     <web-resource-name>A name</web-resource-name>
>     <description>desc</description>
>     <url-pattern>/*</url-pattern>
>     <http-method>CONFIDENTIAL ** (I've also tried HTTPS) </http-method>
>   </web-resource-collection>
>  </security-constraint>
> 
> Any ideas ?
> 
> Thanks in advance.
> Giles

-- 
Kris Schneider <ma...@dotech.com>
D.O.Tech       <http://www.dotech.com/>
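
The arrangement described in the reply above, written out as one complete constraint. This is an added example, not part of either message: the resource name and descriptions are placeholders, and leaving out <auth-constraint> is an assumption based on the question asking only for an HTTPS check with no login.

```xml
<!-- Added example: goes inside <web-app> in WEB-INF/web.xml.
     In the Servlet 2.3 DTD, <security-constraint> must come after any
     <resource-ref> entries and before <login-config>. -->
<security-constraint>
  <web-resource-collection>
    <!-- Placeholder name; used only to identify the collection. -->
    <web-resource-name>Entire application</web-resource-name>
    <description>Everything must be served over SSL</description>
    <url-pattern>/*</url-pattern>
    <!-- No <http-method> elements: that element takes an HTTP method
         (GET | POST | ...), not a transport setting, and leaving it
         out applies the constraint to every method. -->
  </web-resource-collection>

  <!-- No <auth-constraint>: assumption that no login is wanted, so no
       realm or role setup is needed for this constraint. -->

  <user-data-constraint>
    <description>Require a confidential transport</description>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

How a plain-HTTP request to a constrained URL is handled (redirected to the SSL port or refused) is up to the container, so check it on the container you deploy to.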
