Sunday, October 19, 2008

SSL/TLS in Struts 2

Background

SSL/TLS provides an encrypted communication channel that a client and server can use to exchange messages without an attacker eavesdropping on or manipulating data in transit. This is an important security control to include within a web application to ensure attackers cannot steal users' authentication session cookies or observe users' credentials as they are transmitted to the server.

Web applications and their environments should ensure users can only access sensitive applications over an encrypted communication channel (https for example). Firewalls, application servers, or applications themselves can enforce this behavior.

Requiring SSL/TLS in Struts 2

One way to ensure users connect using SSL or TLS within Struts 2 is to create an interceptor that verifies the connection is secure before the action runs. An example has been provided below.


SSLRequired.jsp

(code listing provided as an image in the original post)

RequireSSLInterceptor

(code listing provided as an image in the original post)

Struts.xml

Saturday, October 18, 2008

HTTP Caching Headers in Struts 2

Background

In many cases, the users' web browsing experience can be made more efficient by allowing web browsers to cache pages, images, scripts, and other content. This allows the web browser to retrieve content from the local disk rather than requesting data from the server every time. The end result is a quicker, more responsive user interface.

While this strategy is great for applications that handle public, non-sensitive information, it may not be appropriate for banking, investment, health care, or other similar applications. In general, applications that contain sensitive or confidential information should have controls that reduce the likelihood of information being disclosed to unauthorized individuals.

One way web applications can reduce the likelihood of browsers disclosing sensitive data through caching is to include the following HTTP headers within the server's response.

Cache-control: no-cache, no-store
Pragma: no-cache
Expires: -1
For more information, please see the OWASP AppSec FAQ.


Struts Interceptor Implementation

One way these headers can be included within a Struts 2 application is to create a custom interceptor. An example has been provided below.

CachingHeadersInterceptor Code

(code listing provided as an image in the original post)
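The following is an added example of such an interceptor, written for this post; it is not the code from the original image or from the struts2securityaddons repository, and the package, class and struts.xml names are assumed. It sets the three headers before the action and result run, because once the result has started writing, the response may be committed and the container ignores header changes.

```java
package example.interceptors; // assumed package name

import javax.servlet.http.HttpServletResponse;

import org.apache.struts2.ServletActionContext;

import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/**
 * Adds the anti-caching headers discussed above to every response that
 * passes through the interceptor stack. The headers are set BEFORE the
 * action and its result execute: after the result (JSP, stream, redirect)
 * begins writing, the response may already be committed and the servlet
 * container silently ignores any further header changes.
 */
public class CachingHeadersInterceptor extends AbstractInterceptor {

    private static final long serialVersionUID = 1L;

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletResponse response = ServletActionContext.getResponse();
        if (response != null && !response.isCommitted()) {
            // setHeader replaces any value an earlier filter may have set,
            // so a more permissive Cache-Control cannot survive alongside it.
            response.setHeader("Cache-Control", "no-cache, no-store");
            response.setHeader("Pragma", "no-cache");
            response.setHeader("Expires", "-1");
        }
        return invocation.invoke();
    }
}

/* struts.xml wiring (assumed names), placed inside the <package> element.
   Registering the interceptor in a stack that is the package default means
   no action can be added later without the headers being applied:

   <interceptors>
       <interceptor name="cachingHeaders"
                    class="example.interceptors.CachingHeadersInterceptor"/>
       <interceptor-stack name="secureStack">
           <interceptor-ref name="cachingHeaders"/>
           <interceptor-ref name="defaultStack"/>
       </interceptor-stack>
   </interceptors>
   <default-interceptor-ref name="secureStack"/>
*/
```

After deploying, confirm the headers with a proxy or browser developer tools against a response like the one shown under Results, since a result type that writes directly to the output stream before the interceptor chain returns would still have its headers set by this ordering.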

Struts.xml

(XML listing provided as an image in the original post)

Results

Server: Apache-Coyote/1.1
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/html
Content-Length: 157
Date: Sat, 18 Oct 2008 18:37:35 GMT

200 OK

The code repository containing the updated Struts 2 modules can be found below:

http://code.google.com/p/struts2securityaddons/

Additionally, you can see discussion of these modules in my earlier blog posts: