Raible's Wiki


NOTE: These instructions apply to AppFuse versions < 1.8. AppFuse has used Acegi Security since the 1.8 release.

Security Settings in AppFuse

This page is intended to be a catch-all for security-related configuration in AppFuse. Most of the security settings are found in one file, /metadata/web/web-security.xml. By default, all actions require a login except PasswordHintAction and SignupAction. Only actions are protected, however: static content and any other resource mappings that don't match the pattern *.html do not require a login to access.

Allowing an action to be accessed without a login.

In the web-security.xml file, add an entry to the Unrestricted security constraint.

            <description>All users can view</description>

            <!-- Allow MyAction to be accessed without a login -->


Force a page/action to use SSL

The simplest way is to add a tag to your .jsp file.

A couple of other methods from this mailing list thread:

1. Secure your Action programmatically by requiring that it uses https. This works, but doesn't encrypt any data between the user's browser and your action. Below is an example from ActionFilter.

        String redirectString =

        if (redirectString != null) {
            if (log.isDebugEnabled()) {
                log.debug("protocol switch needed, redirecting to '" +
                        redirectString + "'");
            }

            // Redirect the page to the desired URL
            // (assumes the filter's HttpServletResponse is named "response")
            response.sendRedirect(redirectString);

            // ensure we don't chain to requested resource
            return;
        }

2. Secure URL patterns in web.xml and set a transport-guarantee on the constraint.

NOTE: The problem with both of the above is that there is no mechanism for returning you to http. One way is to use the JSP tag; alternatively, you could use SslUtil at the end of your action to switch back.
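The two kinds of constraint discussed on this page, written out as a web.xml fragment. This is an added example, not AppFuse's own web-security.xml; the /myAction.html and /secure/* patterns and the "SSL only" resource name are hypothetical.

```xml
<!-- Constructed example: URL patterns and resource names are hypothetical. -->

<!-- Unrestricted: a constraint with no <auth-constraint> element, so the
     container serves the listed URLs without asking for a login. Because
     /myAction.html is an exact match, it takes precedence over a broader
     *.html pattern in a login-protected constraint. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Unrestricted</web-resource-name>
        <description>All users can view</description>
        <!-- Allow MyAction to be accessed without a login -->
        <url-pattern>/myAction.html</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
</security-constraint>

<!-- SSL only: CONFIDENTIAL tells the container to serve these URLs only
     over an encrypted transport; a plain-http request is redirected to
     the SSL port or rejected before the application sees it.
     No <http-method> elements are listed, so the constraint covers every
     HTTP method rather than only the ones named. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>SSL only</web-resource-name>
        <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```

Keep the Unrestricted patterns as narrow as possible: every URL listed there bypasses the login check, so an exact path is safer than a wildcard.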

This page last changed on 06-Nov-2006 13:52:59 MST by MattRaible.