Tuesday, May 30, 2006

Use SSL with Tomcat 5.5

Quick Tomcat SSL configuration
1. $CATALINA_HOME or $CATALINA_BASE must be set in your environment. On Windows, check it in a command prompt:
C:\>echo %CATALINA_HOME%

2. Create a keystore using the keytool found in the java/bin directory. First check that your JAVA_HOME environment variable is set:
C:\>echo %JAVA_HOME%
If JAVA_HOME is not set, go to Control Panel -> System -> Advanced -> Environment Variables, add it and let it point to your Java home directory.
When it is set, this command should run the key generator:
C:\>%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA

If there is a conflict, or a keystore already exists, you can specify where your new keystore should be placed like this:
C:\>%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA -keystore \temp\keystore

Then specify a password of "changeit" for both the keystore and the key.

Important: by default Tomcat looks for a keystore named .keystore in the logged-in user's home directory, and it uses the password "changeit" by default both to open the keystore and for the generated key. This can be configured in Tomcat's server.xml file, but the keystore password and the key password must be the same.

3. Edit server.xml in tomcat

This is what I did in the server.xml found in %CATALINA_HOME%\conf

Just uncomment the SSL snippet and add keystoreFile and keystorePass if you are using something other than "changeit":

<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="C:\temp\keystore"
           keystorePass="mysecretpassword" />

4. Restart Tomcat and try
https://localhost:8443
This should give you the ordinary startup page if everything worked as it should.
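Once server.xml is edited it is easy to leave the connector half-configured (no keystoreFile, so Tomcat silently falls back to ~/.keystore, or the keystore still protected by the default "changeit"). The following is an added example, not code from the original post or from Tomcat: it parses a server.xml, picks out every connector with scheme="https" and reports the settings the steps above depend on. The sample server.xml inside it is constructed to mirror the snippet above.

```python
"""Check the SSL connector settings in a Tomcat 5.5 server.xml.

Added example (not part of the original post, not Tomcat code). It reads
a server.xml, finds every <Connector> with scheme="https" and reports
whether secure="true", sslProtocol and keystoreFile are set, and whether
the keystore password is still the "changeit" default that keytool and
Tomcat assume.
"""
import xml.etree.ElementTree as ET

DEFAULT_KEYSTORE_PASS = "changeit"  # Tomcat's default, as described in the post

# Constructed sample server.xml: an HTTPS connector modelled on the post's
# snippet plus a plain HTTP connector that the checker must ignore.
SAMPLE_SERVER_XML = r"""<?xml version="1.0"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" maxHttpHeaderSize="8192" redirectPort="8443" />
    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="C:\temp\keystore"
               keystorePass="mysecretpassword" />
  </Service>
</Server>
"""


def https_connectors(server_xml: str) -> list:
    """Return the attribute dicts of all connectors that serve HTTPS."""
    root = ET.fromstring(server_xml)
    return [c.attrib for c in root.iter("Connector") if c.get("scheme") == "https"]


def check_ssl_connector(attrs: dict) -> list:
    """Return a list of findings for one HTTPS connector (empty means it looks right)."""
    findings = []
    if attrs.get("secure") != "true":
        findings.append('secure attribute is not "true"')
    if not attrs.get("sslProtocol"):
        findings.append("sslProtocol is not set")
    if "keystoreFile" not in attrs:
        findings.append("keystoreFile not set: Tomcat will fall back to ~/.keystore")
    # A missing keystorePass means Tomcat uses the default, exactly as the post warns.
    if attrs.get("keystorePass", DEFAULT_KEYSTORE_PASS) == DEFAULT_KEYSTORE_PASS:
        findings.append('keystore password is the default "changeit"')
    # Tomcat 5.5 accepts true, false or want for clientAuth.
    if attrs.get("clientAuth") not in (None, "true", "false", "want"):
        findings.append("clientAuth has an unexpected value")
    return findings


def check_server_xml(server_xml: str) -> dict:
    """Map each HTTPS connector's port to its list of findings."""
    return {c["port"]: check_ssl_connector(c) for c in https_connectors(server_xml)}


if __name__ == "__main__":
    for port, findings in check_server_xml(SAMPLE_SERVER_XML).items():
        print(f"port {port}: " + ("OK" if not findings else "; ".join(findings)))
```

Run it against the real file with `check_server_xml(open(path).read())`; a connector that omits both keystoreFile and keystorePass produces two findings, which is the combination that quietly works on the developer's machine (where ~/.keystore exists) and fails on the server.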


Check this link for all the details:
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

/Crille

Tuesday, May 23, 2006

Acegi Implementation

Acegi Implementation in existing project

This is a short description of how I implemented security in my application using Acegi. (It won't make much sense if you don't know how Acegi works, though.) But here are some links to get started:

Various articles:
http://acegisecurity.org/articles.html

Acegi/Spring forum:
http://forum.springframework.org/forumdisplay.php?f=33


Let's get started
My application already had a User model mapped to the database, with a username and a password.

Implementing Acegi was done in two major steps:
1. Preparing the application (Acegi UserDetails, Role model)
2. Configuring the filters (acegiApplicationContext.xml)

First step (prepare the application)
Add the Acegi details to the existing User:
1. Implement the Acegi UserDetails interface in the existing User class.
2. Add the properties and the Hibernate mapping for the new properties in the class. Make sure to write setters for the properties implemented from UserDetails.
3. Create a Role and map it to the User. One user can have many roles (a Set of roles).
4. Write a JUnit test that creates a User and a Role, gives the User this role, and then deletes the User.

Second step (add and configure the filters)
1. Start in web.xml and add the FilterToBeanProxy; this secures filter invocations. It delegates to the filterChainProxy bean, which is the next step.

<filter>
  <filter-name>Acegi Filter Chain Proxy</filter-name>
  <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
  <init-param>
    <param-name>targetBean</param-name>
    <param-value>filterChainProxy</param-value>
  </init-param>
</filter>

<filter-mapping>
  <filter-name>Acegi Filter Chain Proxy</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

2. Create an acegiApplicationContext.xml file and add:

<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
  <property name="filterInvocationDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,basicProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
    </value>
  </property>
</bean>

The FilterChainProxy is used to create and start up the filters. All filters are chained together by the FilterChainProxy and invoked in the order given in the definition, so that order matters: httpSessionContextIntegrationFilter must run first so the security context is available to the later filters, and filterInvocationInterceptor runs last so that authorization is decided only after authentication has had its chance.
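The order of the filters in the definition above is easy to get wrong by hand, and Acegi will not complain at startup if it is. The following is an added example, not Acegi's or the post's code: a small parser for the filterInvocationDefinitionSource text format (directive lines followed by pattern=filter,filter,... lines) plus an ordering check. The bean names are the ones used in the post; the assumption that filterInvocationInterceptor is the authorization filter (a FilterSecurityInterceptor) is mine, since the post does not show that bean.

```python
"""Parse and sanity-check an Acegi filterInvocationDefinitionSource value.

Added example, not part of the original post and not Acegi code. It
parses the text format used in the filterChainProxy bean (optional
directive lines, then pattern=filterBean,filterBean,... lines) and checks
the ordering the chain depends on. Assumption: the bean named
filterInvocationInterceptor is the FilterSecurityInterceptor.
"""

KNOWN_DIRECTIVES = {
    "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON",
    "PATTERN_TYPE_APACHE_ANT",
}

# Bean names as used in the post.
MUST_BE_FIRST = "httpSessionContextIntegrationFilter"
MUST_BE_LAST = "filterInvocationInterceptor"   # assumed to be the authorization filter
EXCEPTION_TRANSLATION = "exceptionTranslationFilter"
AUTHENTICATION_FILTERS = {
    "authenticationProcessingFilter",
    "basicProcessingFilter",
    "anonymousProcessingFilter",
}

# Constructed sample, mirroring the value in the post's filterChainProxy bean.
SAMPLE_DEFINITION = """
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,basicProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
"""


def parse_definition_source(text: str) -> tuple:
    """Return (directives, [(pattern, [filter bean names]), ...])."""
    directives, chains = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):      # blank lines and comments
            continue
        if line in KNOWN_DIRECTIVES:
            directives.append(line)
            continue
        if "=" not in line:
            raise ValueError(f"malformed definition line: {line!r}")
        pattern, filters = line.split("=", 1)
        chains.append((pattern.strip(), [f.strip() for f in filters.split(",") if f.strip()]))
    return directives, chains


def check_chain(filters: list) -> list:
    """Return ordering problems for one pattern's filter list (empty means OK)."""
    problems = []
    if not filters or filters[0] != MUST_BE_FIRST:
        problems.append(f"{MUST_BE_FIRST} must be the first filter")
    if not filters or filters[-1] != MUST_BE_LAST:
        problems.append(f"{MUST_BE_LAST} must be the last filter")
    if EXCEPTION_TRANSLATION not in filters:
        problems.append(f"{EXCEPTION_TRANSLATION} is missing")
    else:
        # Authentication filters must run before the exception translation filter,
        # otherwise an AccessDeniedException cannot be turned into a login prompt.
        after = filters[filters.index(EXCEPTION_TRANSLATION) + 1:]
        late = [f for f in after if f in AUTHENTICATION_FILTERS]
        if late:
            problems.append(f"{EXCEPTION_TRANSLATION} runs before {', '.join(late)}")
    return problems


def check_definition_source(text: str) -> dict:
    """Map each pattern to its list of problems, including directive/pattern mismatches."""
    directives, chains = parse_definition_source(text)
    report = {}
    for pattern, filters in chains:
        problems = check_chain(filters)
        # With URLs lower-cased before comparison, an upper-case pattern never matches.
        if "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON" in directives and pattern != pattern.lower():
            problems.append("pattern is not lower case but URLs are lower-cased before comparison")
        report[pattern] = problems
    return report


if __name__ == "__main__":
    for pattern, problems in check_definition_source(SAMPLE_DEFINITION).items():
        print(pattern, "OK" if not problems else "; ".join(problems))
```

The parser deliberately mirrors what Acegi expects: each directive on its own line, so a directive fused onto the pattern line (as extraction tends to do) would be reported as a malformed line rather than silently ignored.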

3. Let's have a look at the filters we have chosen to use in the filterChainProxy bean.
<!-- Automatically receives AuthenticationEvent messages -->
<bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter">
  <property name="context" value="org.acegisecurity.context.SecurityContextImpl"/>
</bean>

1. Find the hook where your application adds Spring; it could be in applicationContext.xml or a plug-in in struts-config.xml.

2. Add the acegiApplicationContext.xml there, e.g. in struts-config.xml. Better still is to include acegiApplicationContext.xml from your Spring application context file.

<plug-in className="org.springframework.web.struts.ContextLoaderPlugIn">
  <set-property property="contextConfigLocation" value="/WEB-INF/applicationContext.xml,/WEB-INF/acegiApplicationContext.xml"/>
</plug-in>


Note that it is not necessary to make a separate context file for Acegi Security; all Acegi configuration could easily be done in your Spring application context file. But it is good to keep things separated.

3. Create the acegiApplicationContext.xml and start setting up the filters needed for authentication and authorization.