
Re: [cinjug-users] J2ee Container Managed Web Security and Struts

To: John Olmstead <jolmstead2k@xxxxxxxxx>
Subject: Re: [cinjug-users] J2ee Container Managed Web Security and Struts
From: Greg Nieman <gnieman@xxxxxxxx>
Date: Fri, 21 Apr 2006 21:23:22 -0400
Cc: Cinjug <users@xxxxxxxxxx>
Delivered-to: mailing list users@cinjug.org
In-reply-to: <20060421123414.21713.qmail@web54303.mail.yahoo.com>
Mailing-list: contact users-help@cinjug.org; run by ezmlm
References: <20060421123414.21713.qmail@web54303.mail.yahoo.com>
User-agent: Thunderbird 1.5 (Windows/20051201)
Have you tried setting the roles attribute in the action mapping? The standard behavior of the struts processRoles method is to preprocess any action by calling the isUserInRole method for an action that has this attribute set.

If it doesn't fit your needs, it is trivial to override the processRoles method in the request processor and implement your own handling. I have done this with success in the past.

A tag might be useful if you wanted to implement a page where some roles might see a particular entry/submit option, and others would not. In my own case, the classes that validated access for a particular role or set of roles were the same used for the tag, so adding the tag was a trivial exercise.

John Olmstead wrote:
Ladies and Gentlemen;

I am struggling to formulate a solution plan to implement a J2ee custom web security model to a struts based application.  The security mapping is fairly standard with protected url mappings, form based authentication, LDAP authentication and DB authorization.

Container managed security is directory based as protected areas are mapped with url mappings.  Problem is that struts will gladly render protected resources to unauthenticated/unauthorized users.

Two solutions come to mind.  One is a custom tag, implemented on every jsp page in the protected areas to check authentication and authorization.  The second is a servlet filter that intercepts the request between the action class to the view resource (jsp).  Not all areas of the application are protected.

I have surfed online developer resources and do not find there to be a lot of information on this topic.  In fact, I find that most of the struts demo apps out there are using application managed security.

I'd appreciate hearing about any experiences you may have on implementing J2ee web security on any mvc framework.  It certainly appears to me that J2ee web security was intended for model 1 web applications and not model 2 (mvc).

Thanks in advance for your comments.


John Olmstead
(859) 380 2743


John Olmstead
jolmstead2k@xxxxxxxxx
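
Added example, not part of the thread and not code from either poster: a Struts 1.x request processor that overrides processRoles, the approach described in the reply above. The package, class, action path and the isAuthorized hook are hypothetical; the hook is where a DB authorization lookup like the one in the original question would go.

```java
// Added example, not code from the thread. Assumes Struts 1.x and the Servlet API.
// Hypothetical struts-config.xml wiring (package, class and path names are made up):
//   <controller processorClass="example.RoleCheckingRequestProcessor"/>
//   <action path="/admin/editUser" type="example.EditUserAction" roles="admin,manager"/>
package example;

import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

public class RoleCheckingRequestProcessor extends RequestProcessor {
    private static final Logger AUDIT = Logger.getLogger("example.access");

    @Override
    protected boolean processRoles(HttpServletRequest request,
                                   HttpServletResponse response,
                                   ActionMapping mapping)
            throws IOException, ServletException {
        // Roles come from the "roles" attribute of the <action> mapping.
        String[] required = mapping.getRoleNames();
        if (required == null || required.length == 0) {
            return true; // no roles attribute: the action is not protected
        }
        for (String role : required) {
            if (isAuthorized(request, role)) {
                return true; // any one matching role is enough
            }
        }
        // Fail closed. Returning false stops processing here, so neither the
        // Action nor the JSP it would forward to is reached. Unauthenticated
        // requests also end up here because isUserInRole() is false for them.
        AUDIT.warning("Denied " + mapping.getPath() + " for user " + request.getRemoteUser());
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return false;
    }

    // Hypothetical hook: defaults to the container's role check; replace the
    // body with an application-specific (for example database-backed) lookup.
    protected boolean isAuthorized(HttpServletRequest request, String role) {
        return request.isUserInRole(role);
    }
}
```

This check only covers requests routed through Struts actions; a JSP requested directly by URL does not pass through the request processor and still needs a container security-constraint or a location the container will not serve directly.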
