Re: why not extend struts to support access control?

2004-09-26 Thread liu ji
I have just read the example.
I don't see any clue that acegi solved the problem.
Although it can ensure security at the function level, it isn't very useful.
I can secure my system at a high level, not the function level.
It also uses IoC, which struts doesn't support. If I want to use it, I have to
use spring.

Your example is role checking. But access control is more complex.
For example, when user A wants to edit his information, the URL may be like
this: http://user/editProfile.do?id=userA. The editProfile.do uses the id
parameter to get the profile of user A. Before doing that, the application
should ensure that the request is requested by user A. So the editProfile
should compare the id parameter with the id property stored in the session.

Maybe more complex: for example, the id parameter indicates the order id. A user
may have a lot of order ids, and they can only edit an order which wasn't
shipped. How can acegi solve this?

Sorry, I ask a lot of questions, and many of them are irrelevant to struts.
==
Ji Liu


> From: bryan [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> To: liu ji [EMAIL PROTECTED], Struts Developers List [EMAIL PROTECTED]
> Subject: Re: why not extend struts to support access control?
> Date: Sun, 26 Sep 2004 13:40:01 +0200
>
> it does support it, just depends on whether or not you correctly
> structured your application.
>
> Here is a sample app that I wrote to test it.
> https://jestate.dev.java.net/files/documents/1364/7000/ageci-quick-start.zip
>
> There is ample documentation on their web site as well.
>
> --b
>
> On Sun, 26 Sep 2004 18:59:55 +0800, liu ji [EMAIL PROTECTED] wrote:
> > I don't think acegi security supports the programmatic access control.
> >
> > By the way, how do you solve the programmatic access control problem?
> >
> > ==
> > Ji Liu
> >
> > From: bryan [EMAIL PROTECTED]
> > Reply-To: [EMAIL PROTECTED]
> > To: Struts Developers List [EMAIL PROTECTED]
> > Subject: Re: why not extend struts to support access control?
> > Date: Sun, 26 Sep 2004 12:44:40 +0200
> >
> > http://acegisecurity.sourceforge.net
> >
> > unless of course you feel an irresistible urge to reinvent the wheel
> > for the 10th time ..
> >
> > --b
> >
> > On Sun, 26 Sep 2004 05:07:32 +, liu ji [EMAIL PROTECTED] wrote:
> > > Thank you.
> > > I know a filter can do this very well. But filters have some
> > > drawbacks. I don't know how to express this, because of my poor English.
> > > Without struts, I can use a single filter to delegate the request to my
> > > access control framework. I have already done this.
> > > But when using struts, there will be some redundancies.
> > > And I think struts should provide this.
> > >
> > > Maybe an access control framework which doesn't depend on struts is
> > > more attractive.
> > > I want this kind of framework.
> > > Do you know where I can find one?
> > >
> > > ==
> > > Ji Liu
> > >
> > > From: Frank W. Zammetti (MLists) [EMAIL PROTECTED]
> > > Reply-To: [EMAIL PROTECTED]
> > > To: Struts Developers List [EMAIL PROTECTED]
> > > Subject: Re: why not extend struts to support access control?
> > > Date: Sat, 25 Sep 2004 13:12:44 -0400 (EDT)
> > >
> > > I'm not sure I follow your reasoning... In terms of security, you ALWAYS
> > > want a user to be authenticated and validated before ANY application-level
> > > code executes, and in my mind, that very much includes input validations.
> > > Filters provide this mechanism, before Struts comes into play, which is
> > > where it should happen.
> > >
> > > In an enterprise-class application, the trend, and rightly so I think, is
> > > to externalize security, meaning when a URL is requested, the web server
> > > hands the user authentication piece off to some handler (like Netegrity
> > > Siteminder as an example), so it's not the web server, app server or even
> > > a filter that handles checking if a user is valid for each request.
> > >
> > > Am I missing something that might change my mind?
> > >
> > > --
> > > Frank W. Zammetti
> > > Founder and Chief Software Architect
> > > Omnytex Technologies
> > > http://www.omnytex.com
  
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


Re: why not extend struts to support access control?

2004-09-26 Thread bryan
I think you need to restructure your application.

--b



Re: why not extend struts to support access control?

2004-09-26 Thread Craig McClanahan
On Sun, 26 Sep 2004 05:07:32 +, liu ji [EMAIL PROTECTED] wrote:
> Thank you.
> I know a filter can do this very well. But filters have some drawbacks. I don't
> know how to express this, because of my poor English.
> Without struts, I can use a single filter to delegate the request to my
> access control framework. I have already done this.
> But when using struts, there will be some redundancies.
> And I think struts should provide this.
>
> Maybe an access control framework which doesn't depend on struts is more
> attractive.
> I want this kind of framework.
> Do you know where I can find one?

My personal preference is to use container managed security where
possible with Struts based applications, for which purpose Struts
already provides some levels of integration:
* The role attribute on action, which limits who can execute an action
* The role attribute on logic:present so you can conditionally display
  nested content based on the user having the correct role.

When container managed security is insufficient, I like SecurityFilter
(http://sourceforge.net/projects/securityfilter/).  One particular
reason I like this is that the implementation *simulates* container
managed security, so the Struts based support for role checking still
works.  This will also be true for any other filter-based solution
that does the same thing (providing a wrapped servlet request object
such that getRemoteName, getUserPrincipal, and isUserInRole provide
the required data).

You don't need anything extra in Struts for this purpose.

Craig




why not extend struts to support access control?

2004-09-25 Thread ji liu
When building a large web-based application, access
control is required. For example, user A can't access
user B's private information. In order to do so, we
should code the access control logic in
controllers. But when the access control logic is
changed, the controllers will be changed. So someone
suggested using a filter. Yes, a filter can do this very
well. But I think we miss something.
When the client wants to access a URL, validating the
input is the first thing the application should do. If we
use a filter, the input may be invalid but the user gets
"can't access". So we should do this after validating the
input, and before performing the action.
If I don't use struts, there will be no problem. But I
use struts and validator. I have seen the source code; I
can't find a method to implement this mechanism
without changing the source code.
I already have an idea: if the struts-config.xml can
support these tags:
<action path="URL">
  <!-- action declaration -->
  <access class="className">
    <property name="propertyName" value="value"/>
    <!-- other property -->
    <method name="method1"/>
    <!-- other method -->
  </access>
  <!-- other access -->
</action>
This config means that when a client accesses URL, the access
control will use the class declared in the access
element, and use the method declared in the method
element. The properties of the access control class are
set by the property element.
Take a simple config for example:
<action path="URL">
  <!-- action declaration -->
  <access class="class1">
    <property name="name" value="Ji Liu"/>
    <method name="method1"/>
    <method name="method2"/>
  </access>
  <access class="class2">
    <property name="role" value="user"/>
    <method name="method3"/>
  </access>
</action>
This config means that when a client requests URL, the
application creates an object of class1 and sets its
property name using the value Ji Liu. Then it uses the
object's methods method1 and method2 to check the
rights. After that another object is created from
class2, with its property role initialized as
user, and then method method3 is used to check.

Obviously, the classes used by the config should obey
some simple rules.
Without editing the source code I have already implemented this
in struts by extending the ActionMapping and
RequestProcessor. But the config is so ugly. I have used
a string which represents the config.
I think struts needs to support this.
=
I apologize to you for my poor English. English
isn't my first language. So I think it will be a little
bit difficult to understand what I want to express.
:)

Ji Liu
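
An added example (not code from any poster or from Struts) of the kind of pluggable check the proposed access element would configure, applied to the two cases raised elsewhere in this thread: editProfile.do?id=userA must match the id stored in the session, and an order may be edited only by its owner and only while it has not shipped. AccessCheck, AccessController, the paths and the sample orders are hypothetical and constructed for illustration.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class AccessCheckDemo {

    /** Hypothetical contract for a class named in the proposed access element. */
    interface AccessCheck {
        boolean allows(String sessionUserId, Map<String, String> params);
    }

    /** editProfile.do?id=...: the id parameter must equal the id held in the session. */
    static final class OwnProfileCheck implements AccessCheck {
        public boolean allows(String sessionUserId, Map<String, String> params) {
            return sessionUserId != null && sessionUserId.equals(params.get("id"));
        }
    }

    /** Constructed order record standing in for a database row. */
    record Order(String ownerId, boolean shipped) { }

    /** The id parameter is an order id: caller must own the order and it must be unshipped. */
    static final class EditableOrderCheck implements AccessCheck {
        private final Map<String, Order> orders;

        EditableOrderCheck(Map<String, Order> orders) { this.orders = orders; }

        public boolean allows(String sessionUserId, Map<String, String> params) {
            String orderId = params.get("id");
            Order order = (orderId == null) ? null : orders.get(orderId);
            // Unknown, foreign and shipped orders are all refused the same way,
            // so the answer does not reveal which order ids exist.
            return order != null && order.ownerId().equals(sessionUserId) && !order.shipped();
        }
    }

    /** Maps an action path to its checks; every check must pass, unmapped paths are denied. */
    static final class AccessController {
        private final Map<String, List<AccessCheck>> rules = new HashMap<>();

        void protect(String path, AccessCheck... checks) {
            rules.put(path, List.of(checks));
        }

        boolean isAllowed(String path, String sessionUserId, Map<String, String> params) {
            List<AccessCheck> checks = rules.get(path);
            if (checks == null || sessionUserId == null) {
                return false;   // default deny: no rule or no login means no access
            }
            for (AccessCheck check : checks) {
                if (!check.allows(sessionUserId, params)) {
                    return false;
                }
            }
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Map<String, Order> orders = new HashMap<>();
        orders.put("1001", new Order("userA", false));
        orders.put("1002", new Order("userA", true));
        orders.put("2001", new Order("userB", false));

        AccessController ac = new AccessController();
        ac.protect("/editProfile", new OwnProfileCheck());
        ac.protect("/editOrder", new EditableOrderCheck(orders));

        System.out.println("A edits own profile:      "
                + ac.isAllowed("/editProfile", "userA", Map.of("id", "userA")));
        System.out.println("A edits B's profile:      "
                + ac.isAllowed("/editProfile", "userA", Map.of("id", "userB")));
        System.out.println("A edits unshipped order:  "
                + ac.isAllowed("/editOrder", "userA", Map.of("id", "1001")));
        System.out.println("A edits shipped order:    "
                + ac.isAllowed("/editOrder", "userA", Map.of("id", "1002")));
        System.out.println("A edits B's order:        "
                + ac.isAllowed("/editOrder", "userA", Map.of("id", "2001")));
        System.out.println("A calls unmapped action:  "
                + ac.isAllowed("/deleteUser", "userA", Map.of("id", "userA")));
    }
}
```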




Re: why not extend struts to support access control?

2004-09-25 Thread Michael McGrady
Without looking at things in gruesome detail, Ji Liu, I agree. +1





Re: why not extend struts to support access control?

2004-09-25 Thread Joe Germuska
At 8:05 AM -0700 9/25/04, Michael McGrady wrote:
> Without looking at things in gruesome detail, Ji Liu, I agree. +1

Hey, wait -- I thought you were the one warning us against bloating
Struts!? :^)

> > When the client wants to access a URL, validating the
> > input is the first thing the application should do. If we
> > use a filter, the input may be invalid but the user gets
> > "can't access". So we should do this after validating the
> > input, and before performing the action.

Actually, I don't understand why one should validate input before
assessing access privileges.  If the user doesn't have permission to
access, then the input is implicitly invalid, so why bother doing the
input validation?

> > Obviously, the classes used by the config should obey
> > some simple rules.
> > Without editing the source code I have already implemented this
> > in struts by extending the ActionMapping and
> > RequestProcessor. But the config is so ugly. I have used
> > a string which represents the config.
> > I think struts needs to support this.

I think that the problem here is that access control is a pretty
multifaceted and potentially complex aspect of an application, and
one which is most likely to need to integrate with home-grown
systems.  I would be happy to look at a proposed API/configuration
format and to consider how to make Struts work well with that, but I
think it would be a great challenge to come up with a universal API
for it.

Also, note that Struts does at least integrate with J2EE container
based authentication, whatever problems that model has.  If nothing
else, it's a standard, which makes it easier for Struts to comply
with it.

Joe
--
Joe Germuska
[EMAIL PROTECTED]  
http://blog.germuska.com
In fact, when I die, if I don't hear 'A Love Supreme,' I'll turn 
back; I'll know I'm in the wrong place.
   - Carlos Santana

Re: why not extend struts to support access control?

2004-09-25 Thread Michael McGrady
See within:

Joe Germuska wrote:
> At 8:05 AM -0700 9/25/04, Michael McGrady wrote:
> > Without looking at things in gruesome detail, Ji Liu, I agree. +1
>
> Hey, wait -- I thought you were the one warning us against bloating
> Struts!? :^)

Yah, Joe, I guess if I don't want to order cheeseburgers with Struts I
shouldn't want to validate prior to checking user privileges either!
LOL  I am not against adding to Struts.  I am just against adding
applications not related to the framework to Struts.  Anyway, I am
fairly sure what I think is not going to keep anyone up late.  LOL  I in
fact think this is the sort of thing that Struts needs.

> > > When the client wants to access a URL, validating the
> > > input is the first thing the application should do. If we
> > > use a filter, the input may be invalid but the user gets
> > > "can't access". So we should do this after validating the
> > > input, and before performing the action.
>
> Actually, I don't understand why one should validate input before
> assessing access privileges.  If the user doesn't have permission to
> access, then the input is implicitly invalid, so why bother doing the
> input validation?

My guess is that he is thinking that a user may have made an incorrect
entry which is invalid but be a perfectly good user in fact.  Is that right?

> > > Obviously, the classes used by the config should obey
> > > some simple rules.
> > > Without editing the source code I have already implemented this
> > > in struts by extending the ActionMapping and
> > > RequestProcessor. But the config is so ugly. I have used
> > > a string which represents the config.
> > > I think struts needs to support this.
>
> I think that the problem here is that access control is a pretty
> multifaceted and potentially complex aspect of an application, and one
> which is most likely to need to integrate with home-grown systems.
> I would be happy to look at a proposed API/configuration format and to
> consider how to make Struts work well with that, but I think it would
> be a great challenge to come up with a universal API for it.

Yah, that would be really cool!  I could not agree more.

> Also, note that Struts does at least integrate with J2EE container
> based authentication, whatever problems that model has.  If nothing
> else, it's a standard, which makes it easier for Struts to comply with
> it.
>
> Joe



Re: why not extend struts to support access control?

2004-09-25 Thread bryan
You want access control, just use acegi security to do it, it's a lot 
better than anything that's gonna get done here soon.

Struts already has enough junk thrown in anyway.

Incidentally about the only useful thing I've seen recently is 
Niall Pemberton's lazy validator forms, how come they haven't been 
included in struts CVS yet ? 

Maybe it would be better to concentrate on the usefull stuff 
first  

--b





Re: why not extend struts to support access control?

2004-09-25 Thread bryan
> Incidentally about the only useful thing I've seen recently is
> Niall Pemberton's lazy validator forms, how come they haven't been
> included in struts CVS yet ?

This is usefull, if you're using object relational mapping then it has
the potential to cut down ( taking my own stuff as an example )
about 10 lines of code for each already bloated action.

The view layer is too heavy.

--b


On Sat, 25 Sep 2004 11:21:47 -0700, Michael McGrady
[EMAIL PROTECTED] wrote:
> bryan wrote:
>
> > You want access control, just use acegi security to do it, it's a lot
> > better than anything that's gonna get done here soon.
> >
> > Struts already has enough junk thrown in anyway.
> >
> > Incidentally about the only useful thing I've seen recently is
> > Niall Pemberton's lazy validator forms, how come they haven't been
> > included in struts CVS yet ?
> >
> > Maybe it would be better to concentrate on the usefull stuff
> > first
> >
> > --b
>
> What usefull [sic] stuff do you have in mind, Brian?
>
> Michael McGrady
 
 
 
 



Re: why not extend struts to support access control?

2004-09-25 Thread Michael McGrady
Also, Bryan (sorry for misspelling your name before) you might like my 
MappedBean, which had also been up on the StrutsCatalog forever. 

Michael McGrady


Re: why not extend struts to support access control?

2004-09-25 Thread Martin Cooper
If you check the mailing list archives, you will find a much more
eloquent discourse on why Struts should not support access control
than I can provide, written by Craig some time ago.

The basic reasoning is that there are almost as many solutions to the
problem as there are web applications in existence today. These range
from those entirely external to the web app to those completely
homegrown and tightly integrated with the web app. If we were to
decide to add something to Struts, whatever we added would work for
some small subset of applications and be irrelevant for the rest.

--
Martin Cooper


On Sat, 25 Sep 2004 22:47:08 +0800 (CST), ji liu [EMAIL PROTECTED] wrote:
 when build a large web based application,access
 control is required.For example user A can't access
 user B's private imformations.In order to do so,we
 should code the access control logic in
 controllers.But when the access control logic is
 changed,the controlllers will be changed.So someone
 suggest to use filter.Yes,filter can do this very
 well.But I think we miss something.
 when the client want to access a url,validating the
 input is the first thing application should do.If we
 use filter,the input maybe invalidate but user get
 can't access.So we should do this after validate the
 input,and before perform the action.
 If I don't use struts,there will be no problem.But I
 use struts and validator.I hava seen the source code,I
 can't find a method to implement this mechanism
 without change the source code.
 I already get an idea.if the struts-config.xml can
 support these tags:
 action path=URL
  !--action declaration--!
  access class=className
 property name=propertyName value=value
 !--other property--!
 method name=method1/
 !--other method--!
  access
  !--other access--!
  /action
 This config means when client access URL,the access
 control will use the class declared in the access
 element,and use the method decleard in the method
 element.The properties of the access control class is
 set by the property element.
 take a simple config for example:
 action path=URL
  !--action declaration--!
  access class=class1
 property name=name value=Ji Liu
 method name=method1/
 method name=method2/
  access
 access class=class2
 property name=role value=user
 method name=method3/
  access
 /action
 This config means that when a client requests the URL, the
 application creates an object from class1 and sets its
 property name using the value Ji Liu. Then it uses the
 object's methods method1 and method2 to check the
 rights. After that another object is created from
 class2, and its property role is initialized as
 user; then method method3 is used to check.
 
 Obviously, the classes used by the config should obey
 some simple rules.
 Without editing the source code I have already implemented this
 in struts by extending the ActionMapping and
 RequestProcessor. But the config is so ugly. I have to use
 a string which represents the config.
 I think struts needs to support this.
 =
 I apologize to you for my poor English. English
 isn't my first language. So I think it will be a little
 bit difficult to understand what I want to express.
 :)
 
 Ji Liu
 



Re: why not extend struts to support access control?

2004-09-25 Thread Michael McGrady
Martin Cooper wrote:
If you check the mailing list archives, you will find a much more
eloquent discourse on why Struts should not support access control
than I can provide, written by Craig some time ago.
The basic reasoning is that there are almost as many solutions to the
problem as there are web applications in existence today. These range
from those entirely external to the web app to those completely
homegrown and tightly integrated with the web app. If we were to
decide to add something to Struts, whatever we added would work for
some small subset of applications and be irrelevant for the rest.
--
Martin Cooper

Thanx, Martin.  Will do!  I have not worked in this area, but I have an
interest.  I am looking forward to what Craig has to say.

Michael McGrady


Re: why not extend struts to support access control?

2004-09-25 Thread Joe Germuska
At 10:28 PM +0100 9/25/04, Niall Pemberton wrote:
First, Struts would need to move its dependency on to BeanUtils 1.7.0
That's not a bad idea in its own right since using the new beanutils/digester
removes the need for Commons Collections.

No time like the present, I'd say.  We just got a good GA release out
the door, so why not forge ahead...

Joe
--
Joe Germuska
[EMAIL PROTECTED]  
http://blog.germuska.com
In fact, when I die, if I don't hear 'A Love Supreme,' I'll turn 
back; I'll know I'm in the wrong place.
   - Carlos Santana

Re: why not extend struts to support access control?

2004-09-25 Thread ji liu
Thanks everyone.
Joe Germuska wrote:

I think that the problem here is that access control is a pretty
multifaceted and potentially complex aspect of an application, and
one which is most likely to need to integrate with home-grown
systems.  I would be happy to look at a proposed API/configuration
format and to consider how to make Struts work well with that, but I
think it would be a great challenge to come up with a universal API
for it.

I don't think you need to implement a universal API.
You only need to implement a mechanism which makes it
easy for struts users to integrate their home-grown access
control system.

Struts already supports the base authorization of
J2EE. Why not support access control? I don't mean to
provide an API, but a simple config, just like I have
proposed.

I write my own classes to check the access rights, and
write the config to integrate these into struts. Why do I
want to integrate these into struts? Because struts does
a lot of useful work for me, and I can take advantage
of this. For example, I can use formbeans in my access
checking class!

Why don't I want to use another framework to do
this? Because I already have a lot of frameworks used
in my projects, and there are a lot of config XML
files.
The access control system will protect every URL in the
application. So I need to configure it. But I already
configure the path in the struts action mapping. If the action
mapping in struts is changed, for instance the path
element is changed, I have to change the config file
which is used by my access control system.

If you can do a little work to support this, it will be
easier. In fact, it will not need so much time.

Thanks to Michael McGrady, he gave me some links. From these
links, I know there are many people who really need this
kind of mechanism.

Do this in a simple way, just like the filter. In
fact, my design is inspired by the filter. Though a filter
can do this, my approach can utilize struts,
which already does some work for me. At least I can
utilize the struts-config.xml, and there is no need to write
another config file.



=
Ji Liu




Re: why not extend struts to support access control?

2004-09-25 Thread Benjamin Tomasini
Here is what I have done.

1) Extend RequestProcessor and register it in Struts config.
2) Override processPreprocess(...)
3) Put code in there that does what you need to do for access control.

I propose that Struts already gives you what you need to do this.

The challenge is that Struts doesn't handle the kind of IoC and other
dynamic delegation and interceptor stacks like Webwork does, for
instance.  So adding this kind of declarative or generic feature set for
access control to the core Struts code tends to push the envelope a bit,
since things are pretty tightly bound.

Ben

On Sat, 2004-09-25 at 22:11, ji liu wrote:
 Thanks everyone.
 Joe Germuska wrote:
 
 I think that the problem here is that access control is a pretty
 multifaceted and potentially complex aspect of an application, and
 one which is most likely to need to integrate with home-grown
 systems.  I would be happy to look at a proposed API/configuration
 format and to consider how to make Struts work well with that, but I
 think it would be a great challenge to come up with a universal API
 for it.
 
 I don't think you need to implement a universal API.
 You only need to implement a mechanism which makes it
 easy for struts users to integrate their home-grown access
 control system.
 
 Struts already supports the base authorization of
 J2EE. Why not support access control? I don't mean to
 provide an API, but a simple config, just like I have
 proposed.
 
 I write my own classes to check the access rights, and
 write the config to integrate these into struts. Why do I
 want to integrate these into struts? Because struts does
 a lot of useful work for me, and I can take advantage
 of this. For example, I can use formbeans in my access
 checking class!
 
 Why don't I want to use another framework to do
 this? Because I already have a lot of frameworks used
 in my projects, and there are a lot of config XML
 files.
 The access control system will protect every URL in the
 application. So I need to configure it. But I already
 configure the path in the struts action mapping. If the action
 mapping in struts is changed, for instance the path
 element is changed, I have to change the config file
 which is used by my access control system.
 
 If you can do a little work to support this, it will be
 easier. In fact, it will not need so much time.
 
 Thanks to Michael McGrady, he gave me some links. From these
 links, I know there are many people who really need this
 kind of mechanism.
 
 Do this in a simple way, just like the filter. In
 fact, my design is inspired by the filter. Though a filter
 can do this, my approach can utilize struts,
 which already does some work for me. At least I can
 utilize the struts-config.xml, and there is no need to write
 another config file.
 
 
 
 =
 Ji Liu
 
-- 
Benjamin Tomasini
NetEverything, Inc.
1-877-270-1391
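
The three steps listed in the message above, written out as an added example (not code from the thread or from the Struts project). It assumes Struts 1.x with a `*.do` extension mapping; the package and class names, the path `/editProfile.do`, the request parameter `id` and the session attribute `userId` are hypothetical.

```java
package example.security; // hypothetical package name

import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.RequestProcessor;

/**
 * Step 1: extend RequestProcessor and register it in struts-config.xml:
 *   <controller processorClass="example.security.OwnerCheckRequestProcessor"/>
 */
public class OwnerCheckRequestProcessor extends RequestProcessor {

    // Assumed names, chosen for this example only.
    private static final String PROTECTED_PATH = "/editProfile.do";
    private static final String ID_PARAM = "id";
    private static final String SESSION_USER_ID = "userId";

    /**
     * Step 2: override processPreprocess. Returning false tells Struts to stop
     * processing, so the response must already be complete at that point.
     */
    @Override
    protected boolean processPreprocess(HttpServletRequest request,
                                        HttpServletResponse response) {
        if (!PROTECTED_PATH.equals(request.getServletPath())) {
            return true; // path is not covered by this check
        }
        // Step 3: the access check. getSession(false) never creates a session
        // for an anonymous caller.
        HttpSession session = request.getSession(false);
        Object owner = (session == null) ? null : session.getAttribute(SESSION_USER_ID);
        String requested = request.getParameter(ID_PARAM);
        // Fail closed: no session, no id parameter, or a mismatch is denied.
        if (owner == null || requested == null || !owner.toString().equals(requested)) {
            try {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
            } catch (IOException e) {
                getServletContext().log("Could not send 403 for " + PROTECTED_PATH, e);
            }
            return false;
        }
        return true;
    }
}
```

`processPreprocess` runs before Struts selects the action mapping and before the form bean is populated and validated, so the check reads the raw request parameter and sits at the same point in the request as a servlet filter would.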





Re: why not extend struts to support access control?

2004-09-25 Thread liu ji
Thank you.
I know a filter can do this very well. But filters have some drawbacks. I don't
know how to express this, because of my poor English.
Without struts, I can use a single filter to delegate the request to my
access control framework. I have already done this.
But when using struts, there will be some redundancies.
And I think struts should provide this.

Maybe an access control framework which doesn't depend on struts is more
attractive.
I want this kind of framework.
Do you know where I can find one?


==
Ji Liu


From: Frank W. Zammetti (MLists) [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: Struts Developers List [EMAIL PROTECTED]
Subject: Re: why not extend struts to support access control?
Date: Sat, 25 Sep 2004 13:12:44 -0400 (EDT)
I'm not sure I follow your reasoning... In terms of security, you ALWAYS
want a user to be authenticated and validated before ANY application-level
code executes, and in my mind, that very much includes input validations.
Filters provide this mechanism, before Struts comes into play, which is
where it should happen.
In an enterprise-class application, the trend, and rightly so I think, is
to externalize security, meaning when a URL is requested, the web server
hands the user authentication piece off to some handler (like Netegrity
Siteminder as an example), so it's not the web server, app server or even
a filter that handles checking if a user is valid for each request.
Am I missing something that might change my mind?
--
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com