How to configure the security features of Struts 2 applications

2025-04-11 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

This article explains how to configure the security features of a Struts 2 application. I hope you will get something out of it; let's go through it together.

Security is one of the most critical concerns in web application development. A servlet-based application can protect its resources in two ways: declaratively, by configuring the deployment descriptor (web.xml), or programmatically, by hard-coding the checks in Java. The declarative approach is the more flexible one, because the security policy can be changed without rewriting any code. Struts 2 runs on top of the servlet API, so the security policy of a Struts 2 application can be configured the same way, in web.xml.

Two concepts must be kept apart when configuring a security policy: users and roles. A user is whoever uses the application, whether an individual or an organization. A role is an abstraction, usually a position or a set of permissions. For example, Zhang San, Li Si and Wang Wu are users; staff, supervisor and manager are roles. If Zhang San is assigned the supervisor role, the user Zhang San holds the permissions of a supervisor.

Each servlet container manages users and roles in its own way. I use Tomcat, which keeps them in the tomcat-users.xml file under the conf directory of its installation; users and roles are edited directly in that file.

The sample entries shipped in that file define two roles (tomcat and role1) and three users (tomcat, both and role1). You can define as many users and roles as you need in tomcat-users.xml.

Use Struts 2 to protect the resources of the application

The security policy of a Struts 2 application is declared with the security-constraint element in web.xml. A security-constraint element can contain an optional display-name child, at least one web-resource-collection child, an optional auth-constraint child and an optional user-data-constraint child.

The web-resource-collection element lists the web resources to protect by giving URL patterns that select them. It has the following children:

◆ web-resource-name: a name for the protected resource collection. Required.

◆ description: a description of the collection. Optional.

◆ url-pattern: a URL pattern; every request whose URL matches it is protected. At least one is required.

◆ http-method: the HTTP methods to which the constraint applies, for example GET. Optional, and best left out: when it is omitted the constraint covers every method, but when one or more methods are listed only those are constrained, and a request using any other method (HEAD, PUT, DELETE, OPTIONS and so on) reaches the resource without authentication. That is a common misconfiguration; Servlet 3.0 adds http-method-omission to express "all methods except these", and Servlet 3.1 adds deny-uncovered-http-methods to refuse the methods a constraint leaves out.

The auth-constraint element names the roles that may access the resources in the collection. Its presence is what turns the constraint into an access-control rule: if a security-constraint has no auth-constraint at all, the matching URLs are open to everyone and only the user-data-constraint, if any, is enforced; an empty auth-constraint denies access to everyone; and the special role-name * admits any authenticated user regardless of role. It contains the following children:

◆ description: a description. Optional.

◆ role-name: a role that may access the protected resources. There can be more than one.

◆ The user-data-constraint element specifies how data exchanged between the client and the web container must be protected in transit. Its children are:

◆ description: a description. Optional.

◆ transport-guarantee: one of the following values:

1. NONE: the application requires no transport guarantee.

2. INTEGRAL: data exchanged between client and server must be protected against tampering in transit.

3. CONFIDENTIAL: the data must be encrypted in transit. In practice Tomcat treats INTEGRAL and CONFIDENTIAL identically: a plain-HTTP request for a matching URL is redirected to the HTTPS connector, so an HTTPS connector must be configured for either value to work.

A configured security-constraint element looks roughly like this:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Admin Area</web-resource-name>
            <url-pattern>*.action</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>myeclipseWeb</role-name>
        </auth-constraint>
    </security-constraint>

With this constraint the container intercepts every request whose URL matches *.action and serves it only to an authenticated user who holds the myeclipseWeb role; anyone else is refused. Because no http-method element is given, the constraint applies to every HTTP method. You could add http-method elements to block only specific methods, but then requests using any method you did not list would pass through unconstrained.

After the constraint is in place you also need a login method, so that users get the chance to prove they are entitled to the restricted resource. The login method is set with the login-config element.

The login-config child elements are described as follows:

◆ auth-method: the method used to authenticate the user, one of BASIC, DIGEST, FORM or CLIENT-CERT. Note that BASIC sends the user name and password base64-encoded, not encrypted, on every request, so it should only be used together with a CONFIDENTIAL transport-guarantee (that is, over HTTPS).

◆ realm-name: the realm string the browser shows in its standard login dialog for HTTP Basic authentication.

◆ form-login-config: used only when auth-method is FORM. It names the login and error pages for form-based login and is ignored for the other methods. Its child form-login-page gives the path of the page that displays the login form, and form-error-page gives the path of the page shown when the login fails.

Having chosen the login method, you must also register every role that appears in an auth-constraint with a security-role element, one role-name child per role. For example:

    <security-role>
        <role-name>myeclipseWeb</role-name>
    </security-role>

This registers the myeclipseWeb role.

Demo: authenticate users with the BASIC login method

1. The servlet container I use is Tomcat. Find the tomcat-users.xml file in the conf directory of its installation and open it.

My IDE is MyEclipse 9.0, and I use the tomcat-users.xml that it ships for its Tomcat unchanged; you can add your own roles and users. That file defines 2 roles and 3 users, each user assigned its own role (a user may hold several roles, that is, several sets of permissions).
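Since the file itself is not reproduced here, the following is an added example of a conf/tomcat-users.xml with the same shape (two roles, three users, one user holding both roles); it is not the MyEclipse-bundled file from the article, and the role names, user names and passwords are constructed for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of conf/tomcat-users.xml; not the article's own file.
     Role names, user names and passwords below are constructed. -->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">

    <!-- Roles: these are the names that auth-constraint/role-name in
         web.xml refers to. -->
    <role rolename="admin"/>
    <role rolename="reader"/>

    <!-- Users: a user may hold several roles (comma-separated).
         Passwords here are plain text, which is what the default
         UserDatabaseRealm expects unless a CredentialHandler is configured. -->
    <user username="alice" password="alice-pwd-1" roles="admin"/>
    <user username="bob"   password="bob-pwd-2"   roles="admin,reader"/>
    <user username="carol" password="carol-pwd-3" roles="reader"/>
</tomcat-users>
```

Against a web.xml whose auth-constraint names the admin role, alice and bob are let through, carol authenticates successfully but gets 403 because she lacks the role, and an unknown user name gets 401; this is exactly the sequence of results the demo below walks through. Tomcat can store hashed rather than plain-text passwords in this file if the Realm is given a CredentialHandler; the bin/digest.sh (digest.bat) tool produces the hashed value.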

2. Create the web project, open web.xml, and configure it both to enable Struts 2 and to declare the security policy:

    <display-name>Struts Blank</display-name>

    <filter>
        <filter-name>struts2</filter-name>
        <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>struts2</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
    </welcome-file-list>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Admin Area</web-resource-name>
            <url-pattern>*.action</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>myeclipseWeb</role-name>
        </auth-constraint>
    </security-constraint>

    <security-role>
        <role-name>myeclipseWeb</role-name>
    </security-role>
    <security-role>
        <role-name>MyeclipseWebservices</role-name>
    </security-role>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>User Basic Authentication</realm-name>
    </login-config>

3. Create an action class that receives one field:

    import com.opensymphony.xwork2.ActionSupport;

    public class SecureAction extends ActionSupport {
        private static final long serialVersionUID = 1961430702313132722L;

        // Populated from the "username" request parameter by Struts 2.
        private String username;

        public String getUsername() {
            return username;
        }

        public void setUsername(String username) {
            this.username = username;
        }

        @Override
        public String execute() {
            // Authentication and the role check already happened in the
            // container before this action ran; it only forwards to the result.
            return SUCCESS;
        }
    }

4. Create the struts.xml configuration file and declare the action, with the following result page:

    /index.jsp

5. Create the input page input.jsp and the result page index.jsp.

input.jsp:

index.jsp:

, Welcome

6. To test, open http://localhost:8081/SecureTest/input.jsp in the browser (this page is not matched by the *.action pattern, so it loads without a login), enter "Tom" and click the submit button:

See the login box? The resource we are now requesting is a restricted one, so the container demands authentication first. Recall the user table in tomcat-users.xml and enter one of its users:

Enter the user "webservices" with the password "webservices-pwd":

A 403 error comes back: the credentials are correct, but the webservices user does not hold the myeclipseWeb role.

Now enter a user that does not exist:

This time the response is a 401 error, meaning the login failed; how many times the browser re-prompts for credentials before it shows the 401 page varies by browser.

Next, enter a user that does hold the myeclipseWeb role:

Click OK and the following result appears:

As you can see, the protected resource was reached successfully. If you want to submit Chinese characters, I covered the fix in the earlier article on configuring Struts 2: change the default encoding of Struts 2 and the page encoding to GBK.

After reading this article you should have a working understanding of how to configure the security features of a Struts 2 application. Thank you for reading!
