Rick, Thank you for your response.
I would like to refer to the Stripes_SSL.zip package that I was basing my setup for using SSL with Stripes. I wonder if anyone has implemented the instructions in teh README file. I am attaching it along so that you can throw some light on it. Appreciate your help. Thank You and Regards, Andy On Sat, Oct 24, 2015 at 4:12 PM, Rick Grashel <rgras...@gmail.com> wrote: > Hi Andy, > > This isn't really a Stripes question as much as it is a setup question for > securing a Java web application on Tomcat. If you want your Java web > application to be secured through SSL, you can apply a simple directive in > your web.xml file. Here is a small example web.xml which will ensure that > your entire application goes through SSL. > > <?xml version="1.0" encoding="UTF-8"?> > > <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi=" > http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation=" > http://xmlns.jcp.org/xml/ns/javaee > http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" version="3.1"> > > ... various web.xml entries ... > > <security-constraint> > <web-resource-collection> > <web-resource-name>secure-area</web-resource-name> > <url-pattern>/*</url-pattern> > </web-resource-collection> > <user-data-constraint> > <transport-guarantee>CONFIDENTIAL</transport-guarantee> > </user-data-constraint> > </security-constraint> > </web-app> > > For information on how to force only certain parts of your application > though SSL, just do a Google search for "web.xml security-constraint ssl". > You'll find a lot of great information out there. > > Hope that helps! > > -- Rick > > On Sat, Oct 24, 2015 at 1:54 PM, Andy Patil <andybpa...@gmail.com> wrote: > >> Hi, >> >> I am trying to implement SSL for Login screen for an application. I am >> using Stripes 1.6 with Tomcat 8.0 on Centos 6.5. >> >> I have tried to include the Stripes configuration entries as published in >> the README.txt file from the Stripes-SSL-v5.zip. >> >> Unfortunately Tomcat will not start with those entries. I am sure I need >> some other software to be installed. Is there another jar I am missing? >> Where does the stripes.tld get installed? >> >> I do not see net.sourceforge.stripes.util.UrlParser and >> net.sourceforge.stripes.util.HttpUrlInfo classes mentioned in the >> README.txt file, in stripes-1.6.0.jar. >> >> I need help with: >> >> >> 1. Configuring stripes SSL in Tomcat 8.0 >> 2. What additional SSL software needs to be insatalled. >> >> Any help is greatly appreciated. >> Thank You and Regards, >> >> Andy >> >> >> ------------------------------------------------------------------------------ >> >> _______________________________________________ >> Stripes-users mailing list >> Stripes-users@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/stripes-users >> >> > > > ------------------------------------------------------------------------------ > > _______________________________________________ > Stripes-users mailing list > Stripes-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/stripes-users > >
SSL Modification ================ Changes: - Added new Annotation class "net.sourceforge.stripes.action.Secure" - Added new Method "encodeUrl(String url)" to StripesTagSupport - Added new classes in util: - net.sourceforge.stripes.util.UrlParser - net.sourceforge.stripes.util.HttpUrlInfo - Added new package util/ssl - Modified the Configuration and DefaultConfiguration classes - Modified the RedirectResolution class in order to correctly switch SSL during redirects as well - Removed obsolete HttpServletResponse from the import statements in - LinkTagSupport - FormTag - refactored buildUrl method in LinkTagSupport and moved contextPath-handling to the new encodeUrl() method in StripesTagSupport Usage: - Configure SSL Host/port and Non SSL Host/Port within your web.xml: <init-param> <param-name>SSL.Enabled</param-name> <param-value>true</param-name> </init-param> <init-param> <param-name>SSL.SecureHost</param-name> <param-value>localhost:8443</param-name> </init-param> <init-param> <param-name>SSL.UnsecureHost</param-name> <param-value>localhost:8080</param-name> </init-param> <init-param> <param-name>SSL.SessionMode</param-name> <param-value>never | always | auto</param-name> </init-param> If secure and unsecure host are the same and the default ports are used (80/443), neither SSL.SecureHost nor SSL.UnsecureHost need to be specified. In order to disable SSL all together the SSL.Enabled property can be specified with a value of "false" SessionMode specifies, how session ids will be handled: - never => when the URL is rewritten, any jsessionid present will be stripped from the URL even if the container relies on url rewriting to keep track of sessions. This will lead to too separate sessions one for the secure requests and one for insecure requests. never is the default sessionMode since it is the most secure one. - always => the session id will always be added to the url even if the container uses Cookies to keep track of sessions. This effectivly will lead to the same session being shared for secure and unsecure pages. While this is the most convenient way it is also insecure since the sessions can be hijacked - auto => if a session id is present in the original url it will be kept. - It is also possible to configure SSL settings via a custom class. To do this, one has to specify the custom configuration class: <init-param> <param-name>SslConfiguration.Class</param-name> <param-value>full.qualified.className.here</param-value> </init-param> - Mark your ActionBeans that should be SSL protected with the new @Secure Annotation. That's it. The Stripes link, url and form tag will check the destination ActionBean on its Secure-state. If the target ActionBean is marked as Secure and the current url is not secure, the url will be rewritten automatically. the same applies for links to non-secure ActionBeans references from secure pages. ! All modifications are marked with comments "BEGIN SSL MOD"/"END SSL MOD" ! Optionally exclude special parameters on link/url tag: ====================================================== Changes: - Added new attribute to LinkTagSupport "excludeSpecialParams" - Added new attribute to the stripes.tld as well for link and url tag - modified the buildUrl() method in LinkTagSupport to check the new attribute Usage: In order to prevent stripes from adding the source page parameter, add <s:link ... excludeSpecialParams="true" /> to your tag ! All modifications are marked with comments "BEGIN SOURCE PAGE MOD"/"END SOURCE PAGE MOD" !
------------------------------------------------------------------------------
_______________________________________________ Stripes-users mailing list Stripes-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/stripes-users