HDIV Plugin (Apache Struts 2 Plugin Registry)
Added by Gorka Vicente, last edited by Martin Cooper on Mar 01, 2010
Name HDIV Plugin
Publisher hdiv.org
License Open Source (ASL2)
Version 2.0.4
Compatibility Struts 2.0.6+
Homepage http://www.hdiv.org
Download http://sourceforge.net/project/showfiles.php?group_id=139104

Overview 

The HDIV plugin integrates HDIV (HTTP Data Integrity Validator) with Struts 2, adding three security functions: integrity of the non-editable data the server generates, confidentiality of that same data, and generic validation of the editable data.

Features 

  • INTEGRITY: HDIV guarantees the integrity (no client-side modification) of all data generated by the server that the client is not expected to change: links, hidden fields, select options, radio button values, destination pages, and so on. A request whose non-editable values differ from the ones the server sent does not pass validation, which removes most vulnerabilities based on parameter tampering.
  • EDITABLE DATA VALIDATION: HDIV reduces, to a large extent, the risk of Cross-Site Scripting (XSS) and SQL injection by applying generic validations to the editable data (text and textarea fields). These are generic input checks on free text; they complement, and do not replace, output encoding and parameterized queries in the application itself.
  • CONFIDENTIALITY: HDIV also guarantees the confidentiality of the non-editable data. Much of the data sent to the client carries information that is useful to an attacker, such as database record identifiers, column or table names and web directories. HDIV hides all of these values so they cannot be misused. For example, a link such as http://www.host.com?data1=12&data2=24 is sent to the client as http://www.host.com?data1=0&data2=1; the real values stay on the server, so the database identifiers are never exposed.

Getting Started

These are the steps to install and configure HDIV in a web application. For background on the core HDIV concepts, see the HDIV Reference.

Requirements

  • Spring 2.x
  • Struts 2.0.6+
  • Commons Codec 1.3+
  • Commons FileUpload 1.1.1+
  • Commons IO 1.1+

Installation

Step 1 - Libraries

  •  Include the following libraries in the web application classpath:
    • hdiv-core-2.0.4.jar
    • hdiv-struts-2.0.x-2.0.4.jar
    • Spring library
    • Commons Codec library
    • Commons Fileupload library
    • Commons IO library
  • Tag library: the Struts 2.x tag library comes bundled in hdiv-struts-2.0.x-2.0.4.jar. The library descriptor is called hdiv-tags.tld. To use the tags from this library, add the following taglib directive to the top of each JSP page:

Step 2 - web.xml

  • Spring configuration file location: point Spring at applicationContext.xml and hdiv-config.xml.

     If validations for editable data have been defined, add hdiv-validations.xml as well.

  • Add the Spring and HDIV initialization listeners, Spring first so that its context exists when HDIV starts:
    • Spring listener:
    • HDIV listener:
  • Validation filter: map HDIV's validation filter to the extensions of all possible actions and to the JSP pages. Declare the HDIV filter mapping before the Struts 2 filter (org.apache.struts2.dispatcher.FilterDispatcher) so that it runs before any Struts 2 processing. Filters execute in the order of their filter-mapping elements in web.xml, so a mapping placed after the Struts 2 one would only see a request the framework has already dispatched.
    Be careful
    The extension defined by default is ".action". If extra extensions are added in the struts.properties file, they must be added to the ValidatorFilter mappings as well, otherwise requests using those extensions reach Struts 2 without validation. Suppose that we modify the struts.properties file to accept the ".do" extension:

    Then we modify the web.xml file, adding the following value:

  • Struts 2 filter: add the config init parameter to the Struts 2 filter with the following value:

Step 3 - Spring

Add applicationContext.xml and hdiv-config.xml files in the WEB-INF directory of the web application. If validations for editable data have been defined, add the hdiv-validations.xml as well.
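The following web.xml ties Steps 2 and 3 together. It is an example written for this page, not a file shipped with HDIV or Struts 2. Assumptions: the listener and filter class names (org.hdiv.listener.InitListener, org.hdiv.filter.ValidatorFilter) are the ones used by the HDIV 2.x distribution and should be checked against the jar you deploy; struts.properties has been given struts.action.extension=action,do, so both extensions need a mapping; and the value of the Struts 2 config init parameter is assumed to be the framework default, because the page does not show it.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not part of the HDIV plugin page. Class names and the
     Struts 2 config value are assumptions (see the lead-in above). -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Step 2/3: Spring configuration files, including HDIV's own config.
       Keep hdiv-validations.xml only if editable-data validations exist. -->
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
      /WEB-INF/applicationContext.xml
      /WEB-INF/hdiv-config.xml
      /WEB-INF/hdiv-validations.xml
    </param-value>
  </context-param>

  <!-- Listeners run in declaration order: Spring first, so that the HDIV
       listener finds the config bean when it initialises. -->
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
  <listener>
    <listener-class>org.hdiv.listener.InitListener</listener-class>
  </listener>

  <!-- HDIV validation filter (assumed class name). -->
  <filter>
    <filter-name>ValidatorFilter</filter-name>
    <filter-class>org.hdiv.filter.ValidatorFilter</filter-class>
  </filter>

  <!-- Struts 2 filter with the config init parameter (assumed value). -->
  <filter>
    <filter-name>struts2</filter-name>
    <filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
    <init-param>
      <param-name>config</param-name>
      <param-value>struts-default.xml,struts-plugin.xml,struts.xml</param-value>
    </init-param>
  </filter>

  <!-- Filter execution order is the order of these mappings, so every HDIV
       mapping comes before the Struts 2 one. One mapping per action
       extension (.action and the added .do) plus one for JSP pages; a
       forgotten extension would reach Struts 2 unvalidated. -->
  <filter-mapping>
    <filter-name>ValidatorFilter</filter-name>
    <url-pattern>*.action</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>ValidatorFilter</filter-name>
    <url-pattern>*.do</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>ValidatorFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
  </filter-mapping>

  <!-- Struts 2 runs last, after HDIV has validated the request. -->
  <filter-mapping>
    <filter-name>struts2</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
```

A quick check after deployment: request an action URL directly in the browser that is not declared as a start page; if the application serves it instead of redirecting to the error page, the HDIV mapping is either missing for that extension or placed after the Struts 2 mapping.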

Configuration

hdiv-config.xml

  • Init parameters: configurable parameters in the config bean that initialize HDIV.
    • Error page: the JSP file path (without the context path) to which a request is redirected when it does not pass validation.
      error page example
    • Start pages: by default HDIV only accepts requests for actions that it has previously sent to the client (inside the HTML code). Accessing an action directly (typing its URL into the browser) redirects to the error page. Every web application has a start page or home page that a client must reach directly; these pages are known as startPages in HDIV and must be declared in the startPages init-param (without the context path). Each start page is exempt from the "previously sent to the client" rule, so declare only the entry points that genuinely need direct access.
      start page example
      If your web application home page URL is http://www.host.com/webapp-name?home.action, you have to declare the "home" parameter in the value:

struts-plugin.xml

This file is shipped inside hdiv-struts-2.0.x-2.0.4.jar, so simply placing the library on the web application classpath configures the classes HDIV substitutes into the Struts 2 core, the replacement libraries for Velocity and FreeMarker, and a new interceptor that validates editable data.

The result types redirect and redirect-action defined in struts-default.xml are overridden in struts-plugin.xml. If these result types are instead declared in code by dependency injection, for example:

the class named in the type attribute must be changed to the HDIV variant, depending on the result type in use:

  • redirect: type=HDIVServletRedirectResult.class
  • redirect-action: type=HDIVServletActionRedirectResult.class

    Configuration
    For more information about HDIV's configuration, see the HDIV Reference (chapter 7.2).

Example

A showcase application demonstrates how HDIV works. These are the steps to install it:

  1. Download the showcase application from SourceForge: http://sourceforge.net/project/showfiles.php?group_id=139104
  2. Deploy the showcase application on your web server.
  3. Start the web server.
  4. Open the showcase start URL, substituting the domain and port on which the web server is running: http://<domain:port>/struts2-showcase-2.0.x/
    More information about the showcase web application
    You can find more configuration details in the HDIV Reference (chapter 8.2).

Version History

Version | Date         | Author   | Notes
2.0.4   | Mar 11, 2008 | hdiv.org | Support for Struts 2.0.11 and Anti-CSRF token
2.0.3   | Jan 14, 2008 | hdiv.org | Support for Spring 2.5
2.0.1   | Nov 14, 2007 | hdiv.org | Modified behaviour of file upload handler
2.0     | Sep 13, 2007 | hdiv.org | Support for Struts 2.0.9
1.3     | Jun 20, 2007 | hdiv.org | Initial release