AppFuseSecuritySettings


NOTE: These instructions apply to AppFuse versions < 1.8. AppFuse has used Acegi Security since the 1.8 release.

Security Settings in AppFuse

This page is intended to be a catch-all for security-related configuration in AppFuse. Most of the settings live in one file, /metadata/web/web-security.xml. By default every action requires a login except PasswordHintAction and SignupAction. Note that only actions are protected: the security constraint matches the URL pattern *.html, so static content and any other resource whose URL does not match that pattern (images, scripts, JSPs reached directly) can be fetched without a login.


Allowing an action to be accessed without a login.

In web-security.xml, add the action's URL pattern to the Unrestricted security constraint (the constraint that has no auth-constraint, so the container lets unauthenticated users through):
...
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Unrestricted</web-resource-name>
            <description>All users can view</description>
            <url-pattern>/passwordHint.html</url-pattern>
            <url-pattern>/signup.html</url-pattern>

            <!-- Allow MyAction to be accessed with out a login -->
            <url-pattern>/myaction.html</url-pattern>

            <http-method>POST</http-method>
            <http-method>GET</http-method>
        </web-resource-collection>
...


Force a page/action to use SSL

The simplest way is to add the AppFuse tag to your .jsp file; it redirects the request to https if the page was requested over plain http.
    <appfuse:secure/>

A couple of other methods from this mail list thread:

1. Secure your Action programmatically by requiring that it uses https. This works, but the redirect only happens after the first request has already reached the action over plain http, so whatever the browser sent in that request (form fields, the session cookie) travelled unencrypted; only the requests that follow the redirect are protected. Below is an example from ActionFilter.

        // Excerpt from AppFuse's ActionFilter. 'secure' is the Boolean that
        // says whether the mapped action must be served over https, 'config'
        // is the FilterConfig. SslUtil compares the scheme of the current
        // request with the required one and builds a redirect URL if they
        // differ; it returns null when no protocol switch is needed.
        String redirectString =
            SslUtil.getRedirectString(request,
                    config.getServletContext(),
                    secure.booleanValue());

        if (redirectString != null) {
            if (log.isDebugEnabled()) {
                log.debug("protocol switch needed, redirecting to '" +
                        redirectString + "'");
            }

            // Redirect the page to the desired URL (encodeRedirectURL keeps
            // a URL-rewritten session id, if one is in use)
            response.sendRedirect(response.encodeRedirectURL(redirectString));

            // ensure we don't chain to requested resource: the action must
            // not run for the plain-http request
            return;
        }
        // null: already on the right protocol, fall through to the chain

2. Secure URL patterns in web.xml with a security-constraint whose user-data-constraint has a transport-guarantee of CONFIDENTIAL; the container then redirects matching requests to https itself.

NOTE: The problem with both of the above is that neither switches you back to http afterwards; the user stays on https for the rest of the session. One way back is to use the JSP tag on the next page, or you could call SslUtil at the end of your action to redirect to http. Bear in mind that once the session cookie has been sent over https, dropping back to http sends that cookie in the clear again, so leaving the user on https is usually the safer choice.
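The following web-security.xml fragment is an added example, not the project's own file, that ties together the Unrestricted constraint from the first section and the TRANSPORT-GUARANTEE approach from method 2 above. The role name "user", the /mySecureAction.html path and the login-config pages are assumptions; only *.html, /passwordHint.html, /signup.html and /myaction.html come from the page.

```xml
<!-- Added example (not AppFuse's own web-security.xml). Assumed: role name
     "user", the path /mySecureAction.html, and the login-config pages. -->

<!-- 1. Unrestricted: no <auth-constraint> means unauthenticated access is
        allowed. Because these are exact-path patterns, the container
        combines them with the *.html rule below and lets anonymous users
        through for just these paths. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Unrestricted</web-resource-name>
        <description>All users can view</description>
        <url-pattern>/passwordHint.html</url-pattern>
        <url-pattern>/signup.html</url-pattern>
        <url-pattern>/myaction.html</url-pattern>
    </web-resource-collection>
</security-constraint>

<!-- 2. Everything that looks like an action needs a login. No <http-method>
        elements are listed on purpose: a constraint that names only GET and
        POST leaves HEAD, PUT, DELETE, OPTIONS and TRACE unconstrained, and a
        HEAD request to a protected action would then be served without a
        login (the classic verb-tampering bypass). -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Actions</web-resource-name>
        <url-pattern>*.html</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>

<!-- 3. Method 2 from the SSL section: CONFIDENTIAL makes the container
        redirect plain-http requests for this path to https before the
        action runs. NONE would allow either scheme. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>SSL Only</web-resource-name>
        <url-pattern>/mySecureAction.html</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login.jsp?error=true</form-error-page>
    </form-login-config>
</login-config>

<security-role>
    <role-name>user</role-name>
</security-role>
```

Two things to check after editing the file: first, that anything you want protected actually matches one of the constrained patterns, since a JSP or static file reachable outside *.html needs either its own url-pattern or to live under WEB-INF; second, that the Protected Actions constraint carries no http-method list, otherwise a request using an unlisted verb walks past the login requirement.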


This page last changed on 06-Nov-2006 13:52:59 MST by MattRaible.