[  Summary  |  Home Page  |  Forums  |  Bugs  |  Support  |  Lists  |  News  |  CVS  |  Files  ]

Updated October 3, 2004 Please read this entire page.

Released new version "sslext for Struts 1.2, Release 0"
First release for Struts 1.2 is now available. Release 0 is a 1.2 baseline version that includes only updates for Struts 1.2 compatibility (e.g. new link tag "module" attribute). This release does not yet support char encoding attribute for link & rewrite tags.

Have also eliminated all references to the obsolete "subapp" terminology in favor of "module".

This release also places a copy of the sslext.tld file into the meta-inf/tlds directory inside the sslext.jar file for JSP 1.1/1.2 programming convenience.

Subsequent releases (Release 1, Release 2, etc.) will include features submitted and/or requested by Maciej Miechowicz and Dennis Muhlestein. If you have a feature to submit, please feel free to do so by sending me email.

Special thanks to Dennis Muhlestein for assistance and suggestions for this release.

(12/31/2003)
Released updated version "sslext for Struts 1.10 - 4"
Added SecurePlugInInterface and SecureTilesPlugin along with the necessary changes to other classes to utilize these. This fixes a reported problem with using sslext in combination with Tiles. When using sslext with Tiles, specify the SecureTilesPlugin (org.apache.struts.tiles.SecureTilesPlugIn) and the SecureTilesRequestProcessor (org.apache.struts.action.SecureTilesRequestProcessor). These changes are based on source code posted by Kim Turner referenced in the discussion forums on this site. Special thanks to Kim Turner for her contribution.  

Also added is the ability to configure the "always add Session ID to URL feature". This feature was added in a previous release to compensate for older browsers that do not automatically share sessions between the http and https protocols. If you are sure that this problem will not exist for you, you can now disable this feature through the "addSession" property of the SecurePlugIn (or SecureTilesPlugin). Thanks to all who suggested this enhancement. (Or otherwise complained about the old behavior :-).  

(9/8/2003)
Released updated version "sslext for Struts 1.10 - 3"
Fixed bug that could result in exception if mapping cannot be found for a requested action.  

(9/5/2003)
Released updated version "sslext for Struts 1.10 - 2"
New feature - recognizes multiple mappings for the Struts action servlet, including the mixing of prefix and suffix mapping.  For example, you can map *.do, *.foo, AND /do/* to the Struts action servlet.  Sslext will recognize the mapping and create the link tag, form tag, etc. with the appropriate specified protocol.

(7/19/2003)
Struts 1.10 final version released.  New features (originally added in RC2, but not announced here):

"secure" property for actions in struts config file now accepts values "true", "false" AND "any".  A value of "any" means that the action will accept http or https protocol, whichever is current.

"secure" property for pageScheme tag now accepts values "true", "false" AND "any".  A value of "any" means that the action will accept http or https protocol, whichever is current.

Also,  bug fixed:
Added "action" attribute to the TLD for link tag

New Struts 1.1 Beta3 version released.  New "enable/disable" feature available in 1.1 Beta3 version. (1/27/2003)
Bug-Fixed versions of 1.0, 1.1Beta1, and 1.1Beta2 versions released (1/27/2003)

Servlet 2.2 compliance enforced, now compatible for both Servlet 2.2 and 2.3 (10/30/2002)

Struts-folk, please read: 

In the course of our work, we have had numerous projects where it was necessary to switch between using the http & https protocols on a page by page basis. We had a solution which we used in a traditional MVC framework with servlets and JSP. We have since switched over to using Struts in all of our projects. Reworking our solution within Struts has improved our solution dramatically.

We had noticed that other Struts users had been asking about enabling this type of protocol switching. We thought that you might find enough value in what we have done to include our solution as an extension to Struts.

The following describes what we have done:

We added a "secure" property to the action tag in the struts-config.xml file. A value of true for this property will specify that the request to the action should be transmitted via SSL (https). We defined a class SecureActionMapping (SecureActionConfig for Struts 1.1) that extends the ActionMapping class and includes the new "secure" property.

In the Struts 1.0 version, we added two more initialization parameters for SecureActionServlet (our extension to ActionServlet). These parameters, http-port and https-port, specify the ports being used by the web application for http and https protocols. These default to 80 & 443, respectively.  For Struts 1.1, there is no SecureActionServlet. This initialization is handled as a Plugin.

Also in the Struts 1.0 version, we added code to SecureActionServlet which will redirect the action if the protocol in the request (http or https) for some reason does not match that specified by the value of the "secure" property. The redirect URL will include the correct protocol and port number. One possible reason for the protocols not matching would be the manual entry of a URL into a browser client with the wrong protocol specified.  In the Struts 1.1 version, this is handled by SecureRequestProcessor, which is our extension of the default RequestProcessor class. 

We created SecureLinkTag as an extension to LinkTag . The added capability to this tag is that it checks the action mappings for the "secure" property of actions that are specified in the link. If the secure property is true and the current page was transmitted using http, the SecureLinkTag creates a link specifying the https protocol and https port for the web application. Similarly, for pages transmitted using https that have http links, the http protocol and port will be generated by the link tag. If the protocol for the current page matches that of the link specified, a relative link is created in the page. For good measure, we also added a SecureWriteTag, which behaves similarly. We have extended FormTag with SecureFormTag in the same way. Other tags which could have similar changes change are ImageTag and ImgTag.  (I promise we will get to these eventually.)

We created a new tag which we call PageSchemeTag. This allows developers to specify transmission protocol at the page level. While good design would seem to require switching protocols only at the action level, this tag comes in handy for pages like the login page, especially using container managed security. As with the actions, this tag will cause a redirect if the request protocol does not match the protocol specified by the secure attribute.

We also added some utility methods in our SecureRequestUtils class.

Also included in each version is a small demo application of the extension:
NullAction is the action class that is used in the definition of all four actions in the struts-config.xml file. It places a string in the request to be forwarded and displayed in a JSP. The other four actions are:
true - an action with the "secure" attribute set to TRUE which forwards to true.jsp, a page which does not specify a security parameter.
false- an action with the "secure" attribute set to FALSE which forwards to false.jsp, a page which does not specify a security parameter.
truetag - an action with the "secure" attribute set to FALSE which forwards to truetag.jsp, a page which includes the pageScheme tag to specify a "secure" attribute of TRUE.
falsetag - an action with the "secure" attribute set to TRUE which forwards to falsetag.jsp, a page which includes the pageScheme tag to specify a "secure" attribute of FALSE.


There are also a pair (1 specifying secure as TRUE and one as FALSE) of form submit actions.

The Struts 1.1 version of the extension includes a main application and a subapp, each with these same actions outlined above along with  these two additional actions:
any- an action with the "secure" attribute set to ANY which forwards to any.jsp, a page which does not specify a security parameter.
anytag - an action with the "secure" attribute set to ANY which forwards to falsetag.jsp, a page which includes the pageScheme tag to specify a "secure" attribute of ANY.


Each JSP includes links to the other actions. The SecureLinkTag is used to create these links. Note that the URL generated for each of these links will include any change of protocol and port that is required.

We offer this to developers as an extension to Struts, but think that ideally our solution would be incorporated into the Struts core.

Please give it a try and let us know what you think.  Download the distribution.  Look at the example apps, especially the config files.

A caveat: When a redirect takes place, request attributes are temporarily stored in the session. If you are working in a clustered environment, this means that your request attributes must be serializable.  (Note that the "automatic redirect" feature cacn be turned off in the Struts 1.10 version.  This feature should only be needed when a user directly enters a URL using the wrong protocol.  Non-secure access to secure pages can and should also be blocked through the web container.  )

Please feel free to ask us any questions or give us any comments or suggestions that you may have about this solution.

Note: We can't redistribute jsse.jar, jnet.jar or jcert.jar, so you'll have to get your own from Sun at the JSSE 1.0.2 page.

Also: If you are using Tomcat, please follow the directions on the Tomcat SSL page to set up SSL for Tomcat.