SSL with Struts 1.3

1. SSLExt Command

The aim of this page is to describe how to use the sslext extension HTTP/HTTPS switching with Struts 1.3

The sslext Struts extension for HTTP/HTTPS switching hasn't been updated for the new Struts 1.3 ComposableRequestProcessor. In order to use SSLEXT with Struts 1.3 you need two things:

A replacement Command for SSLEXT's SecureRequestProcessor / SecureTilesRequestProcessor
chain-config.cml to configure the ComposableRequestProcessor to use the new command

The following is an example of what such a Command implementation might look like:

public class SSLExtCommand extends ActionCommandBase {

    public boolean execute(ActionContext actionContext) throws Exception {

        ActionConfig mapping = actionContext.getActionConfig();
        if (!(mapping instanceof SecureActionConfig)) {
            return false; // continue processing
        }

        // Cast to ServletActionContext
        ServletActionContext sacontext = (ServletActionContext)actionContext;
        ServletContext      context  = sacontext.getContext();
        HttpServletRequest  request  = sacontext.getRequest();
        HttpServletResponse response = sacontext.getResponse();

        // Check if the SecurePlugIn is configured
        SecurePlugInInterface securePlugin = 
            (SecurePlugInInterface)context.getAttribute(SecurePlugInInterface.SECURE_PLUGIN);
        if (securePlugin == null) {
            return false; // continue processing
        }

        if (SecureRequestUtils.checkSsl((SecureActionConfig)mapping, context, request, response)) {
            return true; // DON'T continue (request is being re-directed)
        } else {
            return false; // continue processing
        }
    }
}

...and the chain cofiguration for the Composable RequestProcessor (hooks in using the servlet-standard-preprocess point):


    <catalog name="struts">
        <chain name="servlet-standard-preprocess">
            <command className="org.apache.struts.chain.commands.servlet.SelectAction"/>
            <command className="org.nkp.struts13.sslext.SSLExtCommand"/>
        </chain>
    </catalog>

Download the struts13-sslext-command-1.0.jar to get both (Apache 2.0 licensed - includes source code).

2. Configuring SSLEXT

2.1 Configure the SSLExtCommand

Configure the ComposableRequestProcessor to use the SSLExtCommand by adding a chainConfig element to the web.xml - specifying the standard (or tiles) chain-config.xml shipped with Struts, plus the additional configuration for the SSLExtCommand.

       <init-param>
           <param-name>chainConfig</param-name>
           <param-value>org/apache/struts/chain/chain-config.xml,
                        org/nkp/struts13/sslext/sslext-chain-config.xml
           </param-value>
       </init-param>

The sslext-chain-config.xml hooks into the pre-processor chain and duplicates the SelectAction command as it requires the ActionMapping to have been resolved in order for it to work.

Note: One difference between Struts 1.3 Composable RequestProcessor and Struts 1.2 is that the commands are NOT on a per module basis (unlike the Struts 1.2 RequestProcessor). In Struts 1.2 SSL support could have switched off for a module by not configuring the appropriate secure RequestProcessor - this is not the case for Struts 1.3. SSLExt doesn't actually support Struts modules properly, since the SecurePlugIn isn't module aware and takes effect for the whole application, whatever module's struts-config.xml it is configured in.

2.2 Configure Struts to use the SecureActionConfig

SSLExt's SecureActionConfig adds an additional secure property to Struts's ActionMapping and you have to configure Struts to use this implementation rather than the default. You can do this in one of two ways:

2.2.1 Through the action-mappings in struts-config.xml

You can specify the action mapping implementation to use via the type attribute of the <action-mappings> element:

       <action-mappings type="org.apache.struts.config.SecureActionConfig">
           ...
       </action-mappings>

If you use modules in struts you will need to do this for each module you want to use SSL in.

2.2.2 Using a custom ModuleConfigFactory

You can set the default action mapping implementation for the whole struts webapp by using a custom ModuleConfigFactory. The struts13-sslext-command-1.0.jar contains SSLExtModuleConfigFactory which does this and can be configured by adding a configFactory element to the web.xml:

       <init-param>
           <param-name>configFactory</param-name>
           <param-value>org.nkp.struts13.sslext.SSLExtModuleConfigFactory</param-value>
       </init-param>

2.3 Configure the SecurePlugIn

You need to configure the SecurePlugIn once (in any module) in the struts-config.xml appropriately. For example:

       <plug-in className="org.apache.struts.action.SecurePlugIn">
           <set-property property="httpPort" value="8080"/>
           <set-property property="httpsPort" value="8443"/>
           <set-property property="enable" value="true"/>
           <set-property property="addSession" value="true"/>
       </plug-in>

2.4 Configuring your Actions

The secure attribute in SecureActionConfig can have three values - true, false and any (default is any). You can configure an action mapping's secure setting using a <set-property> element:

       <action  path="/foo" type="...">
           <set-property property="secure" value="true"/>
           <forward name="bar" path="/bar.jsp"/>
       </action>

2.5 Final Stuff

You need to deploy version 1.2 of SSLExt's jar along with the struts13-sslext-command-1.0.jar.

You will also need to configure your servlet container for SSL requests - for example instructions on how to configure Tomcat 5 are here.