Re: Design question regarding struts security features
Mohan Radhakrishnan wrote:

> I think you can also use the role attribute in struts-config.xml and restrict access actions. Tiles has a role attribute too, though we are not using that.

I came across the role tag of tiles as well, but I guess it's suitable only if you want to restrict some area of the user interface (let's say a special panel for administrators).

Where can I find more information about the role attribute in struts-config.xml? I couldn't find anything in the Struts User's Guide...

Thanks,
Patrick

To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

RE: Design question regarding struts security features
Hi

Are you only filtering data based on role? If you are talking about role-based access of views then we are doing something like that:

1. You can use Container Manager Authentication and restrict access to URL patterns to only valid users.
2. You can use the vendor-specific XML file to specify roles and groups (e.g. principals.xml in OC4J).
3. You can use a vendor-specific API like the 'DataSourceUserManager' in OC4J to write custom code that can access your tables and do away with hard-coded principals.xml.

I think you can also use the role attribute in struts-config.xml and restrict access actions. Tiles has a role attribute too, though we are not using that.

Mohan

-----Original Message-----
From: Patrick Scheuerer [mailto:[EMAIL PROTECTED]
Sent: Monday, December 29, 2003 5:07 AM
To: Struts Users List
Subject: Design question regarding struts security features

Hello everybody,

I'm in the process of developing my first Struts application, so forgive me if this question is insulting everybody's intellect.

The application I'm working on is a support portal where you can download technical documents, drivers etc. The tricky part is, that certain documents should be only accessible to users with a certain role.

My idea so far is to put a user object in the session and to evaluate the role (and therefore the access level) of the user for all views that are displaying data which might be restricted. I guess the easiest way would be using a jsp tag like which would retrieve the user object from the session (if it exists) and then filter the data accordingly. Is there such "security taglib" around?

Has anybody worked on a similar scenario? What is the best approach to solve this problem? Is there a best practice for it? Any tips, hints, code snippets are welcome.

Thank you very much.

Patrick

RE: Design question regarding struts security features
You should be able to do this with standard J2EE security provided by your web container. If you store your user credentials in a database, then you may want to look at SecurityFilter:

http://sourceforge.net/projects/securityfilter/

It allows you to leverage standard J2EE security features but provides more flexible authentication.

robert

> -----Original Message-----
> From: Patrick Scheuerer [mailto:[EMAIL PROTECTED]
> Sent: Sunday, December 28, 2003 6:37 PM
> To: Struts Users List
> Subject: Design question regarding struts security features
>
> Hello everybody,
>
> I'm in the process of developing my first Struts application, so forgive
> me if this question is insulting everybody's intellect.
>
> The application I'm working on is a support portal where you can
> download technical documents, drivers etc. The tricky part is, that
> certain documents should be only accessible to users with a certain role.
>
> My idea so far is to put a user object in the session and to evaluate
> the role (and therefore the access level) of the user for all views that
> are displaying data which might be restricted.
> I guess the easiest way would be using a jsp tag like
> which would retrieve the user object from
> the session (if it exists) and then filter the data accordingly. Is
> there such "security taglib" around?
>
> Has anybody worked on a similar scenario? What is the best approach to
> solve this problem? Is there a best practice for it? Any tips, hints,
> code snippets are welcome.
>
> Thank you very much.
>
> Patrick
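
The two mechanisms mentioned in this thread, container-managed authentication on URL patterns and the per-action roles restriction in struts-config.xml (Struts 1, where the attribute is spelled `roles`), shown as an added configuration example that is not part of the original messages. The action paths, class names, role names and login pages are assumptions made up for illustration.

```xml
<!-- WEB-INF/web.xml (fragment): container-managed authentication.
     The URL pattern, role names and login pages are assumed for this example. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Support portal actions</web-resource-name>
    <url-pattern>*.do</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>customer</role-name>
    <role-name>partner</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role><role-name>customer</role-name></security-role>
<security-role><role-name>partner</role-name></security-role>

<!-- WEB-INF/struts-config.xml (fragment): per-action restriction.
     "roles" takes a comma-separated list; the Struts 1 RequestProcessor
     checks it with request.isUserInRole() before the action executes.
     Paths and class names below are hypothetical. -->
<action-mappings>
  <!-- Any authenticated portal user may list documents. -->
  <action path="/listDocuments"
          type="example.ListDocumentsAction"
          roles="customer,partner">
    <forward name="success" path="/documents.jsp"/>
  </action>
  <!-- Only the partner role may fetch restricted files. -->
  <action path="/downloadRestricted"
          type="example.DownloadRestrictedAction"
          roles="partner">
    <forward name="denied" path="/accessDenied.jsp"/>
  </action>
</action-mappings>
```

With the restriction placed on the download action itself, a request for a restricted document is rejected on the server even if the link was never rendered in the view. A role check in a JSP tag only controls what is displayed and does not protect the URL behind it.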