Here is a rundown of what I did to make SSL work.

In the security.xml:
1) Add a new filter to the filterChainProxy called channelProcessingFilter.
It may already be there, but regardless of what the documentation around the
internet says, I found it needs to go second, i.e.

    <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
        <property name="filterInvocationDefinitionSource">
            <value>
                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                PATTERN_TYPE_APACHE_ANT
                /**=httpSessionContextIntegrationFilter,channelProcessingFilter,logoutFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
            </value>
            <!-- Put channelProcessingFilter before securityContextHolderAwareRequestFilter
                 to turn on SSL switching -->
            <!-- It's off by default b/c Canoo WebTest doesn't support SSL out-of-the-box -->
        </property>
    </bean>

That will make it so that when the request is being filtered it will
pass through the channelProcessingFilter to check whether a secure channel is
required or not.

Next, add (or modify) your channelProcessingFilter as follows:

    <!-- SSL Switching: to use this, configure it in the filterChainProxy bean -->
    <bean id="channelProcessingFilter" class="org.acegisecurity.securechannel.ChannelProcessingFilter">
        <property name="channelDecisionManager" ref="channelDecisionManager"/>
        <property name="filterInvocationDefinitionSource">
            <value>
                PATTERN_TYPE_APACHE_ANT
                /login.html=REQUIRES_INSECURE_CHANNEL
                /**=REQUIRES_SECURE_CHANNEL
            </value>
        </property>
    </bean>

    <bean id="channelDecisionManager" class="org.acegisecurity.securechannel.ChannelDecisionManagerImpl">
        <property name="channelProcessors">
            <list>
                <bean class="org.acegisecurity.securechannel.SecureChannelProcessor"/>
                <bean class="org.acegisecurity.securechannel.InsecureChannelProcessor"/>
            </list>
        </property>
    </bean>

The pattern described above by the property filterInvocationDefinitionSource
tells the system that, in my case, I want all requests to go via a secure
channel except the login.html page.

You are done for the java/spring bits.

Go to (in my case) Tomcat and edit the conf/server.xml file in the following
sections:

    <!-- Define a non-SSL Coyote HTTP/1.1 Connector on the port specified
         during installation -->
    <Connector port="80" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="443" acceptCount="100"
               debug="0" connectionTimeout="20000"
               disableUploadTimeout="true" />
    <!-- Note : To disable connection timeouts, set connectionTimeout value to 0 -->

    <!-- Note : To use gzip compression you could set the following properties:

               compression="on"
               compressionMinSize="2048"
               noCompressionUserAgents="gozilla, traviata"
               compressableMimeType="text/html,text/xml"
    -->

    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 443 -->
    <Connector port="443"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    
The changes from the norm are enabling the SSL connector and changing the
used ports to 80 (i.e. normal) and 443 (i.e. SSL) from those given by default
when you use Tomcat.  After all, Tomcat is used to getting its calls from
Apache or JBoss.

I think that is it.

A word of warning to all those thinking of just using a Tomcat server and
ignoring Apache.  Tomcat uses a less secure cut of the code from the Apache
server so it can only be made to support SSLv2.  You can upgrade it though;
go to the following link:

http://tomcat.apache.org/tomcat-5.5-doc/apr.html

You will then be able to configure your server to run the more secure Apache
Portable Runtime.

Finding that kept me happy for a couple of days :(

I hope that helps.  I suspect next I should be a good community person and
detail how to get authentication and authorisation going using LDAP and WSDL
within the acegi framework.  Maybe next week!!

Nigel
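An added worked model (not code from the post or from Acegi) of how the channelProcessingFilter above decides whether to redirect: it parses the same `pattern=ATTRIBUTE` text format, matches Apache Ant path patterns, and applies the first-match-wins rule, which is why `/login.html` has to come before `/**`. It assumes a plain request path with no query string.

```python
import re

# Constructed copy of the channelProcessingFilter definition source from the post.
CHANNEL_SOURCE = """
    PATTERN_TYPE_APACHE_ANT
    /login.html=REQUIRES_INSECURE_CHANNEL
    /**=REQUIRES_SECURE_CHANNEL
"""

def ant_to_regex(pattern):
    """Ant path pattern -> anchored regex: '**' spans segments, '*' stays in one, '?' is one char."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")

def parse_definition_source(text):
    """Parse Acegi's 'pattern=ATTR,ATTR' text; returns (lowercase_flag, [(regex, attrs)])."""
    lowercase, rules = False, []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line == "PATTERN_TYPE_APACHE_ANT":
            continue
        if line == "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON":
            lowercase = True
            continue
        pattern, attrs = line.split("=", 1)
        rules.append((ant_to_regex(pattern), attrs.split(",")))
    return lowercase, rules

def channel_decision(path, request_is_secure, source=CHANNEL_SOURCE):
    """Scheme the request must be redirected to ('https'/'http'), or None if it may proceed.
    Models ChannelDecisionManagerImpl + Secure/InsecureChannelProcessor: first matching rule wins."""
    lowercase, rules = parse_definition_source(source)
    path = path.lower() if lowercase else path
    for regex, attrs in rules:
        if regex.match(path):
            if "REQUIRES_SECURE_CHANNEL" in attrs and not request_is_secure:
                return "https"
            if "REQUIRES_INSECURE_CHANNEL" in attrs and request_is_secure:
                return "http"
            return None
    return None  # no pattern matched: the filter enforces nothing for this path
```

Swapping the two pattern lines makes `/**` swallow `/login.html`, so the login page would then be forced onto https as well.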
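An added consistency check for the Tomcat connector pair (example code, not from the post): it verifies the SSL connector is marked `secure="true"` with `scheme="https"` and an `sslProtocol`, that the plain connector's `redirectPort` points at it, and that the port pair is one Acegi's PortMapperImpl maps by default (80 to 443, 8080 to 8443), which is why the post's choice of 80/443 needs no extra port mapper configuration. The server.xml fragment is constructed from the post's two connectors.

```python
import xml.etree.ElementTree as ET

# http -> https pairs Acegi's PortMapperImpl knows by default; other pairs need a portMapper bean.
ACEGI_DEFAULT_PORT_MAP = {80: 443, 8080: 8443}

# Constructed server.xml fragment modelled on the two connectors in the post.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="80" enableLookups="false" redirectPort="443" />
  <Connector port="443" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />
</Service></Server>"""

def audit_connectors(xml_text):
    """Return a list of findings; an empty list means the plain/SSL connector pair is consistent."""
    findings = []
    connectors = list(ET.fromstring(xml_text).iter("Connector"))
    secure = [c for c in connectors if c.get("secure", "false").lower() == "true"]
    secure_ports = {int(c.get("port")) for c in secure}
    if not secure:
        findings.append('no connector has secure="true": REQUIRES_SECURE_CHANNEL has nowhere to send users')
    for c in secure:
        port = int(c.get("port"))
        if c.get("scheme") != "https":
            findings.append(f'port {port}: secure="true" but scheme is not https')
        if not c.get("sslProtocol"):
            findings.append(f"port {port}: sslProtocol is not set")
    for c in connectors:
        if c in secure:
            continue
        port = int(c.get("port"))
        redirect = c.get("redirectPort")
        if redirect is None or int(redirect) not in secure_ports:
            findings.append(f"port {port}: redirectPort does not point at an SSL connector")
        if ACEGI_DEFAULT_PORT_MAP.get(port) not in secure_ports:
            findings.append(f"port {port}: not in Acegi's default port map, configure a portMapper")
    return findings
```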


Philip Barlow wrote:
> 
> Thanks Nigel, as mentioned before I think this would be beneficial to
> all of us, I look forward to reading this.
> 
> Philip
> 
> Nigel in NZ wrote:
>> Phillip,
>>
>> I have not forgotten this request, I take a fair amount of good info from
>> the Appfuse forum it is time for me to give back.  I will post something
>> over the next couple of days.
>>
>> Thanks
>>
>> Nigel
>>
>> Philip Barlow wrote:
>>> Hi Nigel,
>>>
>>> Would you be willing to put up a short walk through of adding SSL to
>>> appfuse on the wiki? I would be very interested in this, particularly
>>> with Struts. I'm sure I'm not the only one.
>>>
>>> Have a look here and search for HTTPS:
>>>
>>> http://tomcat.apache.org/tomcat-5.5-doc/apr.html
>>>
>>> Nigel in NZ wrote:
>>>> Hi,
>>>>
>>>> I am using SSL with my Appfuse, quite happily.  I have a keystore with a
>>>> couple of trusted certificates, I have restricted only the correct pages
>>>> as needed, that's all good.... or at least I thought it was.  We got an
>>>> external company to run a security check on the web site and it came back
>>>> stating that we should be using SSLv3 not SSLv2.  I have looked through the
>>>> configuration files and cannot find anything else left to fiddle with.  I
>>>> have seen a couple of articles where people have re-compiled Tomcat, do I
>>>> have to do that?  Can someone help me configure my SSL version, point me
>>>> at an article please?
>>>>
>>>> I might try upgrading my version of Tomcat to 6 and see if that sorts it
>>>> out (magically).
>>>>
>>>> Thanks
>>>>
>>>> Nigel
>>
> 

-- 
View this message in context: 
http://www.nabble.com/Tomcat-SSL-tf3825453s2369.html#a11001837
Sent from the AppFuse - User mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
