ok, you need to learn about JAAS, the Authentication and Authorization framework that is recommended for use in J2EE

let me put you on track:

1. security is configured at the level of the application server; most of the time this means a configuration file somewhere in a server directory (JBoss has a login-config.xml in the /conf directory). Do *not* start writing business operations for managing user authentication! Most of the time you will be happy with JAAS.

2. you should let the application server take care of managing the logged-in user, so you don't need to store the user in the session or anything like that.
so what does this mean for AndroMDA applications, such as the ones generated using bpm4struts?
read this: http://galaxy.andromda.org/docs/andromda-bpm4struts-cartridge/howto6.html

when a user tries to access a secured resource, the application/web server will automatically direct him to a login page for authentication; if the login succeeds, the original request is continued.

it's possible that the user has been authenticated but is still not authorized to access specific resources; for that the user will need to have the necessary roles.

in order to attach roles to a user, many different strategies exist: the server might read them from a plain text file, or from a JDBC data-source.

in JBoss you will need to configure your security realm, in which you explain which login module to use and how to retrieve the user's password and roles, not unlike this:



<application-policy name="YourRealmName">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
      <module-option name="unauthenticatedIdentity">guest</module-option>
      <module-option name="dsJndiName">java:/DefaultDS</module-option>
      <module-option name="principalsQuery">SELECT PASSWORD FROM USERS WHERE NAME=?</module-option>
      <module-option name="rolesQuery">SELECT ROLE, 'Roles' FROM USERS WHERE NAME=?</module-option>
    </login-module>
  </authentication>
</application-policy>



alternatively, bpm4struts can generate roles.properties and users.properties, which can also be used by JBoss; refer to the JBoss documentation/forums for more information on how to set up this stuff.

good luck -- Wouter

ps: bpm4struts generates a default login page
ps2: try setting the following namespace property: <security>true</security>
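As an added illustration (not code from the thread or from the AndroMDA/bpm4struts project), the servlet filter below shows what "let the container manage the logged-in user" looks like in practice, using the HttpServletRequest methods Wouter links to further down in the thread (getUserPrincipal, isUserInRole, getRemoteUser). The container, backed by the JAAS realm configured above, has already authenticated the caller before the filter runs, so the filter only checks the principal and the role and never stores anything in the HttpSession. The filter name, the init-param and the default role name "admin" are assumptions made for the example.

```java
// Added example: role check on top of container-managed security (not thread code).
import java.io.IOException;
import java.security.Principal;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RoleCheckFilter implements Filter {

    // Role required for every URL this filter is mapped to.
    // Read from an assumed <init-param> named "requiredRole"; "admin" is an assumed default.
    private String requiredRole;

    public void init(FilterConfig config) throws ServletException {
        requiredRole = config.getInitParameter("requiredRole");
        if (requiredRole == null) {
            requiredRole = "admin";
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Authentication is the container's job. A null principal means the
        // <security-constraint> in web.xml does not cover this URL (or login was
        // never performed), so the right fix is in web.xml, not in application code.
        Principal user = request.getUserPrincipal();
        if (user == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Authorization: the roles come from the realm's rolesQuery (or roles.properties),
        // so the application never consults its own tables for this decision.
        if (!request.isUserInRole(requiredRole)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // getRemoteUser() is the login name the realm authenticated (the same value as
        // user.getName()); pass it down as a request attribute for auditing instead of
        // copying it into the session.
        request.setAttribute("auditUser", request.getRemoteUser());
        chain.doFilter(request, response);
    }

    public void destroy() {
    }
}
```

The filter is registered with an ordinary `<filter>`/`<filter-mapping>` pair in web.xml; the redirect to the login page itself comes from the container's `<security-constraint>` and `<login-config>` entries, which is what the JAAS realm above plugs into, so the filter never has to know how the user was authenticated.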

Nevyx wrote:
Thanks for the answer :-)

How do I then connect this functionality to "my" user-table, or can I get AndroMDA to generate a table definition that I can use (with the rights and everything ) ?

// Mikael


Wouter Zoons wrote:

Nevyx wrote:

Hello,

Does anyone know how to validate that you have logged into a system before each page?
I have added a LoginSession object, and I would like to validate the existence of this before every action class (is it possible to change which Action class you inherit from so that one can do the validation there, or is there another way in which this is supposed to be done?).


I have seen that you have some kind of login functionality (with rights...), but I haven't seen how to enable this (I guess that I have to refer to this somehow from my user structure).

Thanks for any help.

// Mikael



try these javadocs:

http://java.sun.com/j2ee/1.4/docs/api/javax/servlet/http/HttpServletRequest.html#getRemoteUser()

http://java.sun.com/j2ee/1.4/docs/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()

http://java.sun.com/j2ee/1.4/docs/api/javax/servlet/http/HttpServletRequest.html#isUserInRole(java.lang.String)


-- Wouter

ps: it's never necessary to extend the action classes or anything like that, since they merely encapsulate process logic (not business logic); customization is done in the controller callbacks.


_______________________________________________
Andromda-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/andromda-user