Rick,

Thank you for your response.

I would like to refer to the Stripes_SSL.zip package that I was basing my
setup for using SSL with Stripes.

I wonder if anyone has implemented the instructions in the README file. I
am attaching it along so that you can throw some light on it.


Appreciate your help.

Thank You and Regards,

Andy

On Sat, Oct 24, 2015 at 4:12 PM, Rick Grashel <rgras...@gmail.com> wrote:

> Hi Andy,
>
> This isn't really a Stripes question as much as it is a setup question for
> securing a Java web application on Tomcat.  If you want your Java web
> application to be secured through SSL, you can apply a simple directive in
> your web.xml file.  Here is a small example web.xml which will ensure that
> your entire application goes through SSL.
>
> <?xml version="1.0" encoding="UTF-8"?>
>
> <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>          xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
>          version="3.1">
>
> ... various web.xml entries ...
>
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>secure-area</web-resource-name>
>             <url-pattern>/*</url-pattern>
>         </web-resource-collection>
>         <user-data-constraint>
>             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>         </user-data-constraint>
>     </security-constraint>
> </web-app>
>
> For information on how to force only certain parts of your application
> through SSL, just do a Google search for "web.xml security-constraint ssl".
> You'll find a lot of great information out there.
>
> Hope that helps!
>
> -- Rick
>
> On Sat, Oct 24, 2015 at 1:54 PM, Andy Patil <andybpa...@gmail.com> wrote:
>
>> Hi,
>>
>> I am trying to implement SSL for Login screen for an application. I am
>> using Stripes 1.6 with Tomcat 8.0 on Centos 6.5.
>>
>> I have tried to include the Stripes configuration entries as published in
>> the README.txt file from the Stripes-SSL-v5.zip.
>>
>> Unfortunately Tomcat will not start with those entries. I am sure I need
>> some other software to be installed. Is there another jar I am missing?
>> Where does the stripes.tld get installed?
>>
>> I do not see net.sourceforge.stripes.util.UrlParser and
>> net.sourceforge.stripes.util.HttpUrlInfo classes mentioned in the
>> README.txt file, in stripes-1.6.0.jar.
>>
>> I need help with:
>>
>>
>>    1. Configuring stripes SSL in Tomcat 8.0
>>    2. What additional SSL software needs to be installed.
>>
>> Any help is greatly appreciated.
>> Thank You and Regards,
>>
>> Andy
>>
>>
>> ------------------------------------------------------------------------------
>>
>> _______________________________________________
>> Stripes-users mailing list
>> Stripes-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/stripes-users
>>
>>
>
>
SSL Modification
================

Changes:
- Added new Annotation class "net.sourceforge.stripes.action.Secure"
- Added new Method "encodeUrl(String url)" to StripesTagSupport
- Added new classes in util:
        - net.sourceforge.stripes.util.UrlParser
        - net.sourceforge.stripes.util.HttpUrlInfo
- Added new package util/ssl
- Modified the Configuration and DefaultConfiguration classes
- Modified the RedirectResolution class in order to correctly switch SSL during redirects as well
- Removed obsolete HttpServletResponse from the import statements in
        - LinkTagSupport
        - FormTag
- Refactored buildUrl method in LinkTagSupport and moved contextPath-handling to the new encodeUrl() method in StripesTagSupport


Usage:
- Configure SSL Host/port and Non SSL Host/Port within your web.xml:
        <init-param>
                <param-name>SSL.Enabled</param-name>
                <param-value>true</param-value>
        </init-param>
        <init-param>
                <param-name>SSL.SecureHost</param-name>
                <param-value>localhost:8443</param-value>
        </init-param>
        <init-param>
                <param-name>SSL.UnsecureHost</param-name>
                <param-value>localhost:8080</param-value>
        </init-param>
        <init-param>
                <param-name>SSL.SessionMode</param-name>
                <param-value>never | always | auto</param-value>
        </init-param>
        
        If secure and unsecure host are the same and the default ports are used (80/443),
        neither SSL.SecureHost nor SSL.UnsecureHost need to be specified.

        In order to disable SSL altogether, the SSL.Enabled property can be specified
        with a value of "false".

        SessionMode specifies how session ids will be handled:
        - never => when the URL is rewritten, any jsessionid present will be stripped
          from the URL even if the container relies on URL rewriting to keep track of
          sessions. This will lead to two separate sessions, one for the secure requests
          and one for insecure requests.
          never is the default sessionMode since it is the most secure one.
        - always => the session id will always be added to the URL even if the container
          uses cookies to keep track of sessions. This effectively will lead to the same
          session being shared for secure and unsecure pages. While this is the most
          convenient way, it is also insecure since the sessions can be hijacked.
        - auto => if a session id is present in the original URL it will be kept.

- It is also possible to configure SSL settings via a custom class. To do this, one has to specify the custom configuration class:

        <init-param>
                <param-name>SslConfiguration.Class</param-name>
                <param-value>full.qualified.className.here</param-value>
        </init-param>

- Mark your ActionBeans that should be SSL protected with the new @Secure Annotation.

That's it. The Stripes link, url and form tags will check the Secure state of the destination ActionBean.
If the target ActionBean is marked as Secure and the current URL is not secure, the URL will be rewritten automatically.
The same applies for links to non-secure ActionBeans referenced from secure pages.

! All modifications are marked with comments "BEGIN SSL MOD"/"END SSL MOD" !




Optionally exclude special parameters on link/url tag:
======================================================

Changes:
- Added new attribute to LinkTagSupport "excludeSpecialParams"
- Added new attribute to the stripes.tld as well for link and url tag
- Modified the buildUrl() method in LinkTagSupport to check the new attribute

Usage:
In order to prevent Stripes from adding the source page parameter, add <s:link ... excludeSpecialParams="true" /> to your tag

! All modifications are marked with comments "BEGIN SOURCE PAGE MOD"/"END SOURCE PAGE MOD" !
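
The three SessionMode values described in the README above, sketched as an added Java example; this is not code from the Stripes_SSL package. The class, enum and method names and the sample URL are hypothetical, and only the two host values come from the README's sample configuration.

```java
import java.net.URI;
import java.util.regex.Pattern;

public class SessionModeDemo {
    // Hypothetical enum mirroring the README's never | always | auto values.
    enum SessionMode { NEVER, ALWAYS, AUTO }

    // Host values taken from the README's sample init-params.
    static final String SECURE_HOST = "localhost:8443";
    static final String UNSECURE_HOST = "localhost:8080";

    // Servlet containers carry the session id as a ";jsessionid=..." path parameter.
    private static final Pattern JSESSIONID =
            Pattern.compile(";jsessionid=[^;/?#]*", Pattern.CASE_INSENSITIVE);

    // Rewrites url to the scheme/host of the target and applies the session mode.
    static String rewrite(String url, boolean targetSecure, SessionMode mode, String sessionId) {
        URI in = URI.create(url);
        String path = in.getRawPath();
        String stripped = JSESSIONID.matcher(path).replaceAll("");
        switch (mode) {
            case NEVER:   // drop any id: secure and insecure requests get separate sessions
                path = stripped;
                break;
            case ALWAYS:  // force the id into the URL: one session shared across both schemes
                path = stripped + ";jsessionid=" + sessionId;
                break;
            case AUTO:    // keep the path untouched: the id survives only if it was present
                break;
        }
        String scheme = targetSecure ? "https" : "http";
        String host = targetSecure ? SECURE_HOST : UNSECURE_HOST;
        String query = in.getRawQuery() == null ? "" : "?" + in.getRawQuery();
        return scheme + "://" + host + path + query;
    }

    public static void main(String[] args) {
        // Constructed sample: a link on a plain-HTTP page pointing at a @Secure login bean.
        String url = "http://localhost:8080/app/Login.action;jsessionid=0123ABCD?next=home";
        for (SessionMode mode : SessionMode.values()) {
            System.out.println(mode + " -> " + rewrite(url, true, mode, "0123ABCD"));
        }
    }
}
```

With `ALWAYS`, the id that already appeared in the plain-HTTP URL is carried into the HTTPS request, which is the shared-session hijacking exposure the README warns about.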