RE: Struts Security

2009-08-24 Thread Martin Gainty

xwork supplies a ParameterFilterInterceptor
<interceptors>
  <interceptor name="parameterFilter"
    class="com.opensymphony.xwork2.interceptor.ParameterFilterInterceptor"/>
</interceptors>

I don't see any security considerations here for HDIV-SP1. Could you explain
which security features/functions would be provided by HDIV-SP1?

Would HDIV-SP1 be supported by either the Freemarker or Velocity template languages?

How would existing Struts tags incorporate this 'additional' functionality?
Presumably through an additional attribute?

controller:
<bean
  class="org.springframework.web.servlet.mvc.support.ControllerClassNameHandlerMapping"/>

<!-- Most controllers will use the ControllerClassNameHandlerMapping above, but
     for the index controller we are using ParameterizableViewController, so we
     must define an explicit mapping for it. -->
<!-- The index controller. -->
<bean name="indexController"
      class="org.springframework.web.servlet.mvc.ParameterizableViewController"
      p:viewName="index" />

<bean id="urlMapping"
      class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
  <property name="mappings">
    <props>
      <prop key="/index.htm">indexController</prop>
    </props>
  </property>
</bean>

What additional controller functionality would HDIV-SP1 provide which is not
already provided by Spring's ParameterizableViewController?
thanks,
Martin Gainty 
__ 
Disclaimer and confidentiality note

This message is confidential. If you are not the intended recipient, we kindly
ask you to notify us. Any unauthorised forwarding or copying is not permitted.
This message serves only to exchange information and has no legally binding
effect. Because e-mails can easily be manipulated, we cannot accept any
liability for their content.




 From: kamleshkori...@gmail.com
 Date: Mon, 24 Aug 2009 16:22:41 +0530
 Subject: Struts Security
 To: user@struts.apache.org
 
 I want to integrate Struts2 (2.1.6) with HDIV using the SPI (Processing Parameter
 Integration) defined in the link below.
 http://wiki.apache.org/struts/HDIV

 Is there any source or help available for that? In this link there is an
 integration for Struts 1.3.8, and the web application given in the link does not
 download properly. Can anyone provide a sample application of Struts2 + HDIV
 using the SPI?
 
 
 
 -- 
 --
 Kamlesh Koringa


Re: Struts Security

2009-08-24 Thread Musachy Barroso
The answer to your questions is 42. What in the name of the Flying
Spaghetti Monster are you talking about? It is not only that you add
more questions that are not even related to the topic (FreeMarker,
Velocity?). What is HDIV-SP1? Not even Google finds anything
relevant about it. Then on top of that you post code from Spring MVC
examples (taken from here http://wiki.netbeans.org/SpringFileUpload?
or http://www.coderanch.com/t/446495/Spring/dispatcher-servlet-xml-works?).

In this community we encourage *people* to *help* each other and ask
questions freely. People and help are the keywords here; your
posts seem generated by a bot/script and are *not* helpful. I have
seen you doing the same thing on other open source project mailing
lists. Would you please be so kind as to spare us your
seemingly-random-generated spam? You are confusing users and adding
noise to the mailing list.

And no, I can't just ignore you, because your rants do confuse users
who form the community that we, as Struts developers, try to help
and spend our free time supporting.

musachy




-- 
Hey you! Would you help me to carry the stone? Pink Floyd

-
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org



Re: Struts Security

2009-08-24 Thread Dave Newton

Musachy Barroso wrote:

The answer to your questions is 42. What in the name of  the Flying
Spaghetti Monster are you talking about? 


Ramen.

Dave





Re: Struts Security

2009-08-24 Thread dusty

Hot Div Injection Vector - Service Pack 1: a little-known DHTML library used
exclusively by porn link aggregator sites. I am surprised you didn't know
that.

And Martin, I am so busy that I only make it back here periodically, but it
seems like every time I do, Musachy is giving you a beat down about another
total fail post. It reminds me of a famous SNL skit with William Shatner:
"Shatner, I think you are the most ridiculously terrible actor ever born on
this Earth, and I get a thousand letters a day telling me the same thing..."
To which Shatner replies, "What is the word on the street about me?"
*sigh*.


RE: Struts - Security

2009-08-10 Thread Security Management
Ditto on Spring Security, very nice for URL auth.





RE: Struts - Security

2009-08-08 Thread Martin Gainty

QueryCryptSessionListener handles authentication:
http://www.theserverside.com/news/thread.tss?thread_id=36841

BASIC URL authorization can be achieved through predefined roles from tomcat-users:
http://www.informit.com/articles/article.aspx?p=24600

I assume you're using TC?
Martin Gainty 
__ 




 From: kamleshkori...@gmail.com
 Date: Sat, 8 Aug 2009 11:22:06 +0530
 Subject: Struts - Security
 To: user@struts.apache.org
 
 Hi
 I am searching for good security frameworks for Struts2.
 I have tried HDIV http://www.hdiv.org. It is a good framework but supports
 up to Struts 2.0.11, not Struts 2.1.6.

 So please help me to find any other framework or any other way to solve
 security related issues.
 My main concerns are:
 - URL encryption (no one can modify a generated URL).
 - URL authorization.
 
 
 
 
 Thanks
 --
 Kamlesh Koringa


Re: Struts - Security

2009-08-08 Thread Kamlesh Koringa
Thanks Martin for your reply.

I have checked QueryCrypt. It only works with static URLs generated on the
server side to encrypt parameters, and I doubt it will work with Struts2
tags. For that I would have to use a scriptlet to get all parameters, encrypt
them and generate the encrypted parameters. If I'm not wrong, <s:a /> will not
allow the use of scriptlets, so I have to use a simple HTML tag to generate the
URL. Is there any other way to do this?
Thanks
Kamlesh


RE: Struts - Security

2009-08-08 Thread Martin Gainty

one way of achieving this is to assign the href attr of the anchor to a scoped
variable:
<%@ page import="com.opensymphony.xwork2.ActionContext" %>
<%
java.net.URL url = new java.net.URL("http://java.sun.com/index.html");
ActionContext.getContext().getSession().put("testUrlId", url);
%>
<s:a href="%{#session.testUrlId}">link</s:a>

anyone else?
Martin Gainty 
__ 





Re: Struts - Security

2009-08-08 Thread Dale Newfield

Kamlesh Koringa wrote:

- URL encryption (no one can modify generated URL).


Impossible.  You cannot prevent people from requesting URLs your system 
does not present to them.  You should assume that any parameter that you 
accept from a user can be manipulated at will by that user.  You can 
jump through hoops to make valid alternate values difficult to guess, 
but that's it.  You should always check the inputs and make sure that 
the requested action is a valid one for that user before allowing the 
requested action to continue.



- URL authorization.


Spring Security, formerly known as Acegi.

-Dale

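As an added example (not code from this thread, nor HDIV's own implementation), the following Java program shows both halves of Dale's point: an HMAC over the link parameters, in the spirit of HDIV's integrity check, makes an edited URL detectable, but a link that verifies is still only one the server generated for someone, so the action must also check that the authenticated user is allowed the requested resource. The key, the AccountAuthz interface and the users/accounts are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical helper: signs link parameters on the way out, verifies them on the way in. */
public final class SignedLinkDemo {

    /** Hypothetical authorisation hook; a real one consults roles or ownership data. */
    interface AccountAuthz {
        boolean mayView(String user, String accountId);
    }

    private static final String HMAC = "HmacSHA256";
    private final byte[] key;

    SignedLinkDemo(byte[] key) {
        this.key = key.clone();
    }

    /** Canonical form: parameters sorted by name so URL ordering is irrelevant; "sig" is excluded. */
    static String canonical(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : new TreeMap<>(params).entrySet()) {
            if (e.getKey().equals("sig")) {
                continue;
            }
            sb.append(e.getKey()).append('=').append(e.getValue()).append('&');
        }
        return sb.toString();
    }

    /** MAC over the canonical parameters, URL-safe base64 so it can travel as a query parameter. */
    String sign(Map<String, String> params) throws Exception {
        Mac mac = Mac.getInstance(HMAC);
        mac.init(new SecretKeySpec(key, HMAC));
        byte[] tag = mac.doFinal(canonical(params).getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    /** Link generation: the server appends sig= to the parameters it is about to render. */
    Map<String, String> issueLink(Map<String, String> params) throws Exception {
        Map<String, String> link = new LinkedHashMap<>(params);
        link.put("sig", sign(params));
        return link;
    }

    /** True only if the sig parameter matches the other parameters (constant-time compare). */
    boolean verify(Map<String, String> params) throws Exception {
        String sig = params.get("sig");
        if (sig == null) {
            return false;
        }
        byte[] expected = sign(params).getBytes(StandardCharsets.UTF_8);
        byte[] presented = sig.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, presented);
    }

    /**
     * What the action does with an incoming request: integrity first, then authorisation.
     * "user" is the authenticated principal taken from the session, never from the URL.
     */
    String handle(String user, Map<String, String> params, AccountAuthz authz) throws Exception {
        if (!verify(params)) {
            return "REJECT: parameters do not match signature";
        }
        String account = params.get("account");
        if (account == null || !authz.mayView(user, account)) {
            return "FORBIDDEN: " + user + " may not view account " + account;
        }
        return "OK: show account " + account + " to " + user;
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key; in a deployment it comes from server-side configuration.
        byte[] key = "demo-key-change-me-0123456789abcdef".getBytes(StandardCharsets.UTF_8);
        SignedLinkDemo links = new SignedLinkDemo(key);
        // Constructed ownership table: alice owns account 42, bob owns account 99.
        AccountAuthz authz = (u, a) -> ("alice".equals(u) && "42".equals(a))
                                    || ("bob".equals(u) && "99".equals(a));

        Map<String, String> forAlice = links.issueLink(Map.of("action", "view", "account", "42"));
        System.out.println(links.handle("alice", forAlice, authz));   // OK

        // 1. The account parameter is edited in the address bar: the signature no longer matches.
        Map<String, String> edited = new LinkedHashMap<>(forAlice);
        edited.put("account", "43");
        System.out.println(links.handle("alice", edited, authz));     // REJECT

        // 2. A genuine link the server issued to bob, presented by alice's session: the
        //    signature is valid, so only the authorisation check protects bob's account.
        Map<String, String> forBob = links.issueLink(Map.of("action", "view", "account", "99"));
        System.out.println(links.handle("alice", forBob, authz));     // FORBIDDEN
    }
}
```

Binding the signer's session identifier into the canonical string would make case 2 fail at the integrity step as well, but the per-user authorisation check stays necessary for every parameter that selects a resource.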



RE: Struts - Security

2009-08-08 Thread Martin Gainty

Looks like you might want to code your own logic to scan for those
manipulated URL params, like a URL which contains the dreaded /WEB-INF
(and, as Dale suggested, scan URLs to reference known .action).

Martin Gainty 
__ 

Re: struts security

2006-03-14 Thread David Delbecq
Do it like you would for any servlet. Either apply a security constraint
to struts servlet itself or apply security constraints to url path
(applying a security constraint to /admin/* applies also to
/admin/someStrutsAction.do)

Jubin Kuriakose a écrit :

Hi all
Can anyone give me links related to implementing security constraints (from
web.xml) and Struts together? I googled without any success.

thnx jubs

  






Re: struts security

2006-03-14 Thread Jubin Kuriakose
Hi David,
I did do that ...

 <security-constraint>
   <web-resource-collection>
     <web-resource-name>father</web-resource-name>
     <description>Security</description>
     <url-pattern>/father/*</url-pattern>
     <http-method>GET</http-method>
     <http-method>POST</http-method>
   </web-resource-collection>

   <auth-constraint>
     <role-name>admin</role-name>
   </auth-constraint>

   <user-data-constraint>
     <transport-guarantee>NONE</transport-guarantee>
   </user-data-constraint>
 </security-constraint>

 <login-config>
   <auth-method>FORM</auth-method>
   <form-login-config>
     <form-login-page>/auth.do</form-login-page>
     <form-error-page>/admin/error.jsp</form-error-page>
   </form-login-config>
 </login-config>

 <security-role>
   <role-name>admin</role-name>
 </security-role>


and my authentication is diverted to an action class which carries out the
actual checking.

Here is auth.jsp, which calls the AuthAction:


<html:form action="authAction">
  <TABLE width="100%" border="0" cellspacing="0" cellpadding="5">
    <TR align="center">
      <TD align="right" class="Prompt"></TD>
      <TD align="left">
        <html:text property="j_username" maxlength="20"></html:text>
      </TD>
    </TR>
    <TR align="center">
      <TD align="right" class="Prompt">Username</TD>
      <TD align="left">
        <html:text property="j_password" maxlength="20"></html:text><BR>
      </TD>
    </TR>
    <TR align="center">
      <TD align="right" class="Prompt">Password</TD>
      <TD align="left">
        <html:submit value="Login"></html:submit>
      </TD>
    </TR>
  </TABLE>
</html:form>


the action class is here:

public ActionForward execute(ActionMapping mapping, ActionForm form,
        HttpServletRequest request, HttpServletResponse response) throws Exception {

    String username = ((DynaActionForm) form).getString("j_username");
    String password = ((DynaActionForm) form).getString("j_password");
    System.out.println("Authentication execute called");
    try {
        // JBoss callback handler that hands the credentials to the JAAS login module
        SecurityAssociationHandler handler = new SecurityAssociationHandler();
        SimplePrincipal user = new SimplePrincipal(username);
        handler.setSecurityInfo(user, password.toCharArray());
        // "example" is the JAAS application policy name
        LoginContext loginContext = new LoginContext("example", (CallbackHandler) handler);
        loginContext.login();
        Subject subject = loginContext.getSubject();
        System.out.println("Subject-- " + subject.toString());
        Set<Principal> principals = subject.getPrincipals();
        principals.add(user);

        request.getSession(false).setAttribute("login", subject);
    } catch (LoginException e) {
        // TODO: handle exception
        System.out.println("LoginException");
        return mapping.findForward("error");
    }
    return mapping.findForward("father");
}



and it works fine. Each time a request comes to the URL /father/* the
auth.jsp is called, even if I was authorised the first time.
Meaning I have to authenticate myself every time I access anything in
/father/. How do I get over this behaviour and only authenticate myself
once...

thanks for any help







Re: struts security

2006-03-14 Thread David Delbecq
Am sorry but that's not how form-based authentication works in J2EE.
When you are not authenticated, the container redirects you to the
form-login-page.
This page must contain a form with 2 fields: j_username and
j_password. The form action MUST be of type POST and the target MUST be
j_security_check (this is a special URL that will be handled by the
container; you cannot map any servlet there).
example:
<form method="POST" action="j_security_check">
  <table>
    <tr>
      <td>Login :</td>
      <td><input type="text" name="j_username"></td>
    </tr>
    <tr>
      <td>Mot de passe :</td>
      <td><input type="password" name="j_password"></td>
    </tr>
    <tr>
      <td><input type="submit" value="Entrer !"></td>
      <td><input type="reset" value="Annuler"></td>
    </tr>
  </table>
</form>

If you use any action other than j_security_check, this will be handled
like any other URL query, and no authentication will take place.

The reason you are having father -> login form -> father apparently
working is simply because Struts does a forward after the action, which
takes place internally and so is not subject to the security
constraints.

Jubin Kuriakose a écrit :

Hi David
I did do that ...

  

security-constraint
web-resource-collection
web-resource-namefather/web-resource-name
descriptionSecurity/description
url-pattern/father/*/url-pattern
http-methodGET/http-method
http-methodPOST/http-method
/web-resource-collection

auth-constraint
role-nameadmin/role-name
/auth-constraint

user-data-constraint
transport-guaranteeNONE/transport-guarantee
/user-data-constraint

/security-constraint

login-config
auth-methodFORM/auth-method
form-login-config
form-login-page/auth.do/form-login-page
form-error-page/admin/error.jsp/form-error-page
/form-login-config
/login-config

security-role
role-nameadmin/role-name
/security-role


and my authentication is diverted to an action class which carries out the


actual checking.

Here is auth.jsp that calls the AuthAction


<html:form action="authAction">

<TABLE width="100%" border="0" cellspacing="0" cellpadding="5">
<TR align="center">
<TD align="right" class="Prompt"></TD>
<TD align="left">
<html:text property="j_username" maxlength="20"></html:text>
</TD>
</TR>
<TR align="center">
<TD align="right" class="Prompt">Username</TD>
<TD align="left">
<html:text property="j_password" maxlength="20"></html:text><BR>
</TD>
</TR>
<TR align="center">
<TD align="right" class="Prompt">Password</TD>
<TD align="left">
<html:submit value="Login"></html:submit>
</TD>
</TR>
</TABLE>
</html:form>




the action class is here

import java.security.Principal;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.DynaActionForm;
// JBoss security classes used below
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.callback.SecurityAssociationHandler;

public ActionForward execute(ActionMapping mapping, ActionForm form,
        HttpServletRequest request, HttpServletResponse response) throws Exception {

    String username = ((DynaActionForm) form).getString("j_username");
    String password = ((DynaActionForm) form).getString("j_password");
    System.out.println("Authentication execute called");
    try {
        // JAAS login through the "example" login configuration entry
        SecurityAssociationHandler handler = new SecurityAssociationHandler();
        SimplePrincipal user = new SimplePrincipal(username);
        handler.setSecurityInfo(user, password.toCharArray());
        LoginContext loginContext = new LoginContext("example", (CallbackHandler) handler);
        loginContext.login();
        Subject subject = loginContext.getSubject();
        System.out.println("Subject-- " + subject.toString());
        Set<Principal> principals = subject.getPrincipals();
        principals.add(user);

        // getSession(false) returns null when no session exists yet
        request.getSession(false).setAttribute("login", subject);
    } catch (LoginException e) {
        // TODO: handle exception
        System.out.println("LoginException");
        return mapping.findForward("error");
    }
    return mapping.findForward("father");
}





and it works fine. Each time a request comes to URL /father/* the
auth.jsp is called, even if I was authorised the first time.
Meaning I have to authenticate myself every time I access anything in
/father/. How do I get over this behaviour and only authenticate myself
once...

thanks for any help



On 3/14/06, David Delbecq [EMAIL PROTECTED] wrote:
  

Do it like you would for any servlet. Either apply a security constraint
to struts servlet itself or apply security constraints to url path
(applying a security constraint to /admin/* applies also to
/admin/someStrutsAction.do)

Jubin Kuriakose wrote:



Hi all
Can anyone give me links related to implementing security-constraints (from
web.xml) and struts together? I googled without any success.

thnx jubs



  


Re: struts security

2006-03-14 Thread Jubin Kuriakose
oh...
Supposing I did use j_security_check to authenticate, how do I check if the
user is authenticated at a later stage, and is it possible to
programmatically remove his permission?

thnx

On 3/14/06, David Delbecq [EMAIL PROTECTED] wrote:

 I'm sorry, but that's not how form-based authentication works in J2EE.
 When you are not authenticated, the container redirects you to the
 form-login-page.
 This page must contain a form with 2 fields: j_username and
 j_password. The form action MUST be of type POST and the target MUST be
 j_security_check (this is a special URL that will be handled by the
 container; you cannot map any servlet there).


Re: struts security

2006-03-14 Thread David Delbecq
Jubin Kuriakose wrote:

oh...
Supposing I did use j_security_check to authenticate, how do I check if the
user is authenticated at a later stage

request.getUserPrincipal() returns a non-null value

and is it possible to programmatically remove his permission?
  

Not really. Once a user has been authenticated it's written in his
session. Some people have had success by clearing the user session, but
this behaviour is container dependent as, unfortunately, the J2EE specs did
not provide for such a mechanism.
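An added example, not code from this thread: a Struts 1.x action behind the /father/* constraint that leaves the login itself to the container, as David describes, and asks the container the two questions above (is the user authenticated, and can the permission be removed later). The class and forward names and the "logout" parameter are assumptions; the logout branch is the best-effort session invalidation mentioned in the reply.

```java
import java.security.Principal;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/**
 * Hypothetical Struts 1.x action mapped under the protected /father/* path.
 * It performs no login itself: by the time the request arrives, the container
 * has already sent the browser through the FORM login page and
 * j_security_check, so the action only consults the container's answer.
 */
public class FatherAction extends Action {

    public ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws Exception {

        // "Is the user authenticated?" -> the principal the container
        // established at j_security_check, or null when there is none.
        Principal user = request.getUserPrincipal();
        if (user == null) {
            // Unreachable while /father/* is covered by a <security-constraint>;
            // kept as a guard in case the mapping is ever widened.
            return mapping.findForward("login");   // assumed forward name
        }

        // Authorisation is the container's as well: isUserInRole() consults
        // the realm's role list for this principal (cached at login time).
        if (!request.isUserInRole("admin")) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return null;   // null tells Struts the response is complete
        }

        // "Remove his permission later?" -> there is no portable logout call.
        // Invalidating the session detaches the authenticated identity in
        // most containers, so the next request is challenged again, but the
        // spec does not promise it (container dependent, as noted above).
        if ("true".equals(request.getParameter("logout"))) {   // assumed parameter
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            return mapping.findForward("loggedOut");   // assumed forward name
        }

        request.setAttribute("currentUser", user.getName());
        return mapping.findForward("success");   // assumed forward name
    }
}
```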


Re: struts security

2006-03-14 Thread Mark Lowe
At first glance at your code it looks like you might need to add a
role principal after you've added the user.. But on consideration I
don't think that the user principal is going to be added to the session
in such a way as you can get to the principal using
request.getUserPrincipal() and the "is user in role" business.

If you want to do things the servlet spec way and you're intent on
using JAAS to do this, then you're going to have to write a JAAS login
module that you configure in your container (e.g. Tomcat). I don't
think the session attribute name is defined in the servlet spec; if
I'm correct then session.setAttribute(keyName, Principal) isn't going
to help you much.

Each vendor (again I think, from what I read) can implement the
security as they see fit. The only thing they must do is provide a
means of configuring realms and handle a request that matches the
j_security_check, j_username, j_password stuff. To be a compliant
container, when you make such a request the container must have a
configurable means of authenticating.

Now where JAAS comes into it is that JAAS, like the servlet spec, is a
standard, and thus vendor support is likely to be there. But not all
realm authentication is JAAS. In a lot of cases a datasource/JDBC
realm that comes with most containers will do the job. But if this
isn't the case then it might be easier writing a JAAS LoginModule and
then wiring it into the container, along with the JAAS configuration
that you need to define using the java.security.auth.login.config
property..

If you're authenticating against a database, then don't get bogged down
with JAAS, and use a datasource realm. Assuming you configure it
correctly you'll have all the request.getUserPrincipal() and
isUserInRole stuff to use in your webapp.

http://tomcat.apache.org/tomcat-5.0-doc/realm-howto.html

In most cases you don't need JAAS; if you're activating the security
manager then you'd need to have a pretty good grasp of all this stuff.
And from what I see not many folk bother with the security manager.

I guess the question is: what are you authenticating against? And which
container are you using?

Mark


On 3/14/06, Jubin Kuriakose [EMAIL PROTECTED] wrote:
 Hi all
 Can anyone give me links related to implementing security-constraints (from
 web.xml) and struts together? I googled without any success.

 thnx jubs



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
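An added example, not Mark's or the thread's code: a minimal JAAS LoginModule of the kind Mark describes, written against javax.security.auth.spi.LoginModule for Java 7 or later. The class name, the constructed in-memory user table and the Tomcat JAASRealm wiring mentioned in the comments are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * Hypothetical JAAS LoginModule. The container (e.g. Tomcat's JAASRealm)
 * drives it during j_security_check, so the web application never touches
 * j_username / j_password itself. Tomcat has to be told which Principal
 * classes are users and which are roles (userClassNames / roleClassNames).
 */
public class ExampleLoginModule implements LoginModule {

    /** Marks the authenticated user. */
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String n) { name = n; }
        public String getName() { return name; }
    }

    /** Marks one role held by the user; isUserInRole() matches on getName(). */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String n) { name = n; }
        public String getName() { return name; }
    }

    private static final Map<String, byte[]> HASHES = new HashMap<>();
    private static final Map<String, String[]> ROLES = new HashMap<>();
    static {  // constructed sample users; unsalted SHA-256 only to keep the example short
        HASHES.put("alice", sha256("alice-secret")); ROLES.put("alice", new String[] { "admin" });
        HASHES.put("bob", sha256("bob-secret"));     ROLES.put("bob", new String[] { "user" });
    }

    private Subject subject;
    private CallbackHandler handler;
    private String authenticatedUser;   // set by login(), consumed by commit()

    public void initialize(Subject subject, CallbackHandler handler,
            Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    /** Phase 1: obtain the credentials through the callbacks and verify them. */
    public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("username: ");
        PasswordCallback passCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, passCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException(e.getMessage());
        }
        char[] password = passCb.getPassword();
        passCb.clearPassword();
        byte[] expected = nameCb.getName() == null ? null : HASHES.get(nameCb.getName());
        // One failure path for unknown user and wrong password (no username
        // oracle); MessageDigest.isEqual compares without an early exit.
        if (expected == null || password == null
                || !MessageDigest.isEqual(expected, sha256(new String(password)))) {
            throw new FailedLoginException("authentication failed");
        }
        authenticatedUser = nameCb.getName();
        return true;
    }

    /** Phase 2: only a committed login attaches principals to the Subject. */
    public boolean commit() {
        if (authenticatedUser == null) {
            return false;
        }
        subject.getPrincipals().add(new UserPrincipal(authenticatedUser));
        for (String role : ROLES.get(authenticatedUser)) {
            subject.getPrincipals().add(new RolePrincipal(role));
        }
        return true;
    }

    public boolean abort() { authenticatedUser = null; return true; }

    public boolean logout() {
        subject.getPrincipals().removeAll(subject.getPrincipals(UserPrincipal.class));
        subject.getPrincipals().removeAll(subject.getPrincipals(RolePrincipal.class));
        return abort();
    }

    static byte[] sha256(String s) {
        try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```

The module is named in the JAAS login configuration file pointed to by java.security.auth.login.config, and the realm's appName selects that entry.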



Re: Struts Security

2005-02-11 Thread Tim Christopher
Cheers for all the advice.  I have already implemented JDBCRealm but
have decided to try out the SecurityFilter (as recommended) to see for
myself what it is like and what additional features it offers.



Unfortunately I've had a few problems setting up the securityfilter...

To start off with Tomcat always displayed the following message during
startup: 'SEVERE: Error filterStart'.  Following on from advice I
received on the securityfilter help forum I tried adding Catalina.jar
to Tomcat's classpath.  This resulted in NoClassDefFoundError:
org/apache/commons/digester/RuleSet, which I fixed by adding
common-digester.jar to Tomcat's classpath.

Now when I run Tomcat I get the following error:
  java.lang.NoClassDefFoundError: org/apache/tomcat/util/log/SystemLogHandler 
at java.lang.Class.getDeclaredConstructors0(Native Method) 
<snip/>

I've searched through a number of *.jar files on my machine and looked
on Google, but can not find out which *.jar contains the
SystemLogHandler class file.

If anyone can tell me which files I need to add to the classpath, or
indeed if it sounds like I've configured some part of my application
incorrectly, then I'd really appreciate some of your input.

Thank you in advance (once again),

Tim Christopher




RE: Struts Security

2005-01-28 Thread hermod . opstvedt
Hi

1. It means that any authentication token will not be propagated to a
J2EE EJB server.
2. When using the role attribute with tiles, it will pick up what you
have defined in SecurityFilter

Hermod

-Original Message-
From: Tim Christopher [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 27, 2005 11:05 AM
To: Struts Users Mailing List
Subject: Re: Struts Security


Hi,

I've never used EJB so have no idea what this means, can someone explain
please?

When SecurityFilter is used, a user's Principal will not
automatically be propagated to EJB calls. If this is a requirement for
your application, you may not be able to use SecurityFilter.

Also, (as above) I'm using JDBCRealm to authenticate clients.  I then
have a tile which contains all the menu settings; I use the present
roles to check for which features should be loaded  How easy would
it be to implement this using the SecurityFilter - does anyone know of
a good tutorial?

Cheers,

Tim



Re: Struts Security

2005-01-27 Thread Tim Christopher
Hi,

I've never used EJB so have no idea what this means, can someone explain please?

When SecurityFilter is used, a user's Principal will not
automatically be propagated to EJB calls. If this is a requirement for
your application, you may not be able to use SecurityFilter.

Also, (as above) I'm using JDBCRealm to authenticate clients.  I then
have a tile which contains all the menu settings; I use the present
roles to check for which features should be loaded  How easy would
it be to implement this using the SecurityFilter - does anyone know of
a good tutorial?

Cheers,

Tim


On Thu, 27 Jan 2005 08:25:14 +0100, [EMAIL PROTECTED]
[EMAIL PROTECTED] wrote:
 Hi
 
 Take a look at SecurityFilter - http://securityfilter.sourceforge.net/
 
 Works like a charm with Tomcat and JDBC realms. Then you do REAL
 declarative security - No coding needed.
 
 Hermod
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 Sent: Thursday, January 27, 2005 6:31 AM
 To: user@struts.apache.org
 Subject: RE: Struts Security
 
 I think the logic:present tag will allow access to any of the roles
 mentioned.
 
 Mohan
 
 -Original Message-
 From: Tim Christopher [mailto:[EMAIL PROTECTED]
 Sent: Thursday, January 27, 2005 9:41 AM
 To: Struts Users Mailing List
 Subject: Re: Struts Security
 
 Just a quick question...  What is gained by using code like this:
 
 
String[] roles = mapping.getRoleNames();
if (roles == null || roles.length == 0)
    return true;
for (int i = 0; i < roles.length; i++) {
    if (request.isUserInRole(roles[i])) {
        return true;
    }
}
return false;
 
 
 ...isn't that the same as <logic:present role="roleA, roleB, roleG">?
 Or is that a check for all roles: roleA, roleB, and roleG?
 
 Tim
 
 On Wed, 26 Jan 2005 20:27:22 -0700, Nic Holbrook [EMAIL PROTECTED]
 wrote:
  I forgot to mention the reason I did this was because we already had a
  security mechanism in place and didn't have the liberty of using
  realms on the web or anything like that.  It had to be a custom
  configuration.
 
  Nic Holbrook wrote:
 
   I kind of set our security up before the struts menu was in place.
   What I have done that seems to work well so far is extend the Action
 
   class with a SecureAction class that validates the users role before
 
   it lets the user into an action.  The execute method actually
   validates and calls an abstract secureExecute (which is now the main
 
   struts method) if the user is in the role.  I set a roleId in the
   struts-config.xml for each action which really isn't a big deal
   (<set-property property="actionRole" value="700"/>).  That way the
   role is set up 1 time for each action.  You can use the same role
   for several actions of you like.  When the user logs in, I retrieve
   all the roles allowed for that user and store it in a UserContext
   object in the session.  I then have a menu tag that dynamically
   builds the menu for them which isn't that difficult to set up.  I
   use it in a tile so I only insert it 1 time.
  
   Just some ideas.
  
  
  
   Craig McClanahan wrote:
  
   On Sun, 23 Jan 2005 18:39:50 +, Tim Christopher
   [EMAIL PROTECTED] wrote:
  
  
   Hi,
  
   I am designing a web application using Struts, which will run
   using Tomcat.  The system will have upwards of 1000 users, with
   each user having any number of around 10 possible roles.
  
   I'm currently thinking of using JDBCRealm within the Tomcat xml
   file to set the roles for each of the users, then extending the
   RequestProcessor to ensure only authorised users can enter the
   secure area.  I then have a number of menu options that should
   only be made visible to users with certain roles; I intend to use
   <logic:present role=".."> or <req:isUserInRole role="..."> to do this
   - from what I can see they are functionally identical(?).
  
  
  
  
   The implementation of <logic:present role="..."> uses
   request.isUserInRole() under the covers :-).
  
  
  
   I guess what I'd like to know is:
   * Will this approach actually work?
  
  
  
   Yep.
  
  
  
   * Is there a better way?
  
  
  
   This sounds best for your use case.
  
  
  
   * Will any changes to user roles made within the database
   automatically update the roles that tomcat uses from the
   JDBCRealm, or will it require a server restart?
  
  
  
   Tomcat's JDBCRealm caches the relevant roles for a user when he or
   she logs on, so they won't change for the length of that session
   ... but changes will get reflected next time the same person logs
 on.
  
  
  
   * Also if I use a check within the jsp like <logic:present role="..">
   to decide if a component should be displayed, I have read it is
   also advisable to require the presence of a role to use the Action.
   This method will require two updates to allow an additional
   role to access a resource (update in the jsp, and in
   the xml file) - is there a way around this?
  
  
  
   You can

Re: Struts Security

2005-01-27 Thread Joe Germuska
At 10:05 AM + 1/27/05, Tim Christopher wrote:
Hi,
I've never used EJB so have no idea what this means, can someone 
explain please?

When SecurityFilter is used, a user's Principal will not
automatically be propagated to EJB calls. If this is a requirement for
your application, you may not be able to use SecurityFilter.
If you don't use EJB, then it's not an issue for you, but part of the 
appeal of container managed security is that it makes the same 
java.security.Principal (representing the authenticated user) 
available to both the servlet and the EJB layer code.

I haven't used SecurityFilter before, but it looks handy.  My main 
issue with Container Based auth is its inability to support 
user-initiated login -- it only works by intercepting a request for a 
normal resource and then challenging for login.

Joe
--
Joe Germuska
[EMAIL PROTECTED]  
http://blog.germuska.com
Narrow minds are weapons made for mass destruction  -The Ex



RE: Struts Security

2005-01-27 Thread Jerry Jalenak
Joe - 

Your comment 

My main issue with Container Based auth is its inability to support 
user-initiated login -- it only works by intercepting a request for a 
normal resource and then challenging for login.

struck a chord with me - it's one of the reasons I've never looked at
implementing CMS.  How do you handle this?  Roll your own?

Jerry Jalenak
Senior Programmer / Analyst, Web Publishing
LabOne, Inc.
10101 Renner Blvd.
Lenexa, KS  66219
(913) 577-1496

[EMAIL PROTECTED]




This transmission (and any information attached to it) may be confidential and
is intended solely for the use of the individual or entity to which it is
addressed. If you are not the intended recipient or the person responsible for
delivering the transmission to the intended recipient, be advised that you
have received this transmission in error and that any use, dissemination,
forwarding, printing, or copying of this information is strictly prohibited.
If you have received this transmission in error, please immediately notify
LabOne at the following email address: [EMAIL PROTECTED]






RE: Struts Security

2005-01-27 Thread Joe Germuska
At 9:46 AM -0600 1/27/05, Jerry Jalenak wrote:
Joe -
Your comment
My main issue with Container Based auth is its inability to support
user-initiated login -- it only works by intercepting a request for a
normal resource and then challenging for login.
struck a chord with me - it's one of the reasons I've never looked at
implementing CMS.  How do you handle this?  Roll your own?
Yes; it's not too hard to come up with a simple user model, although 
obviously more sophisticated apps can be a headache to build from 
scratch.

If you have some mechanism to get a user into the session, then it's 
not too hard to override the processRoles step in the request 
process to provide struts-config level declarative security 
comparable to what happens by default using container-managed 
security.  I haven't had call to try to replicate the tag-library 
behavior.  We usually have interfaces that are different enough based 
on role that it's just as well to have separate templates as to try 
to have one with a bunch of conditionals.

There was a pretty good JDJ article about two years ago which laid 
out all the flaws of container based security -- besides the 
aforementioned no-user-initiated login, it's pretty hard to use 
container managed security on resources which don't *require* 
authentication, but behave differently after authentication. I never 
tried to use their implementation, and the Filter-nature of Security 
Filter makes it look like probably a better solution to the same 
problem.  (Two years ago, we may not have been on Servlet 2.3 yet, 
but that's not an issue now...)

Joe
--
Joe Germuska
[EMAIL PROTECTED]  
http://blog.germuska.com
Narrow minds are weapons made for mass destruction  -The Ex



Re: Struts Security

2005-01-27 Thread Jim Barrows
On Thu, 27 Jan 2005 11:02:35 -0600, Joe Germuska [EMAIL PROTECTED] wrote:
 At 9:46 AM -0600 1/27/05, Jerry Jalenak wrote:
 Joe -
 
 Your comment
 
 My main issue with Container Based auth is its inability to support
 user-initiated login -- it only works by intercepting a request for a
 normal resource and then challenging for login.
 
 struck a chord with me - it's one of the reasons I've never looked at
 implementing CMS.  How do you handle this?  Roll your own?

Look at what appfuse does.  Matt Raible has user initiated and
remember me functionality with CMS.  It's not really that complicated.


 

-- 
James A Barrows




RE: Struts Security

2005-01-27 Thread Benedict, Paul C
Also see this article:

http://www.javaworld.com/javaworld/jw-07-2004/jw-0726-security.html

J2EE security: Container versus custom
Choose the appropriate type of security for your application

Summary
This article covers the factors to consider when choosing between custom
security and J2EE standard security, also known as container security. It
briefly covers how each type of security works and then illustrates their
differences, strengths, and weaknesses. Although J2EE security itself
applies to all components of an enterprise application, this discussion's
main focus is Web application security or, more specifically,
authentication. (6,000 words; July 26, 2004) 





Re: Struts Security

2005-01-26 Thread Nic Holbrook
I kind of set our security up before the struts menu was in place.  What 
I have done that seems to work well so far is extend the Action class 
with a SecureAction class that validates the user's role before it lets 
the user into an action.  The execute method actually validates and 
calls an abstract secureExecute (which is now the main struts method) if 
the user is in the role.  I set a roleId in the struts-config.xml for 
each action which really isn't a big deal (<set-property 
property="actionRole" value="700"/>).  That way the role is set up 1 
time for each action.  You can use the same role for several actions if 
you like.  When the user logs in, I retrieve all the roles allowed for 
that user and store it in a UserContext object in the session.  I then 
have a menu tag that dynamically builds the menu for them which isn't 
that difficult to set up.  I use it in a tile so I only insert it 1 time.

Just some ideas.



Re: Struts Security

2005-01-26 Thread Nic Holbrook
I forgot to mention the reason I did this was because we already had a 
security mechanism in place and didn't have the liberty of using realms 
on the web or anything like that.  It had to be a custom configuration.



Re: Struts Security

2005-01-26 Thread Tim Christopher
Just a quick question...  What is gained by using code like this:


String[] roles = mapping.getRoleNames();
if (roles == null || roles.length == 0)
    return true;
for (int i = 0; i < roles.length; i++) {
    if (request.isUserInRole(roles[i])) {
        return true;
    }
}
return false;


...isn't that the same as <logic:present role="roleA, roleB, roleG">? 
Or is that a check for all roles: roleA, roleB, and roleG?

Tim





RE: Struts Security

2005-01-26 Thread mohan.radhakrishnan
I think the logic:present tag will allow access to any of the roles
mentioned.


Mohan 


RE: Struts Security

2005-01-26 Thread hermod . opstvedt
Hi

Take a look at SecurityFilter - http://securityfilter.sourceforge.net/

Works like a charm with Tomcat and JDBC realms. Then you do REAL
declarative security - No coding needed.

Hermod


Re: Struts Security

2005-01-23 Thread Vic
Tim Christopher wrote:
Hi,
I am designing a web application using Struts, which will run using
Tomcat.  The system will have upwards of 1000 users, with each user
having any number of around 10 possible roles.
I'm currently thinking of using JDBCRealm within the Tomcat

Sounds good

xml file
to set the roles for each of the users,

You set it in DB not in XML.

then extending the
RequestProcessor to ensure only authorised users can enter the secure
area.

You don't need to do that.

I then have a number of menu options that should only be made
visible to users with certain roles;

Try Struts menu.
hth,
.V

I intend to use <logic:present
role=".."> or <req:isUserInRole role="..."> to do this - from what I can
see they are functionally identical(?).
I guess what I'd like to know is:
* Will this approach actually work?
* Is there a better way?
* Will any changes to user roles made within the database
automatically update the roles that tomcat uses from the JDBCRealm, or
will it require a server restart?
* Also if I use a check within the jsp like <logic:present role="..">
to decide if a component should be displayed, I have read it is also
advisable to require the presence of a role to use the Action.  This
method will require two updates to allow an additional
role to access a resource (update in the jsp, and in the xml file) -
is there a way around this?
Thank you in advance,
Tim Christopher


--
RiA-SoA w/JDNC http://www.SandraSF.com forums
- help develop a community
My blog http://www.sandrasf.com/adminBlog


Re: Struts Security

2005-01-23 Thread Craig McClanahan
On Sun, 23 Jan 2005 18:39:50 +, Tim Christopher
[EMAIL PROTECTED] wrote:
 Hi,
 
 I am designing a web application using Struts, which will run using
 Tomcat.  The system will have upwards of 1000 users, with each user
 having any number of around 10 possible roles.
 
 I'm currently thinking of using JDBCRealm within the Tomcat xml file
 to set the roles for each of the users, then extending the
 RequestProcessor to ensure only authorised users can enter the secure
 area.  I then have a number of menu options that should only be made
 visible to users with certain roles; I intend to use <logic:present
 role=".."> or <req:isUserInRole role="..."> to do this - from what I can
 see they are functionally identical(?).
 

The implementation of <logic:present role=...> uses request.isUserInRole()
under the covers :-).

 I guess what I'd like to know is:
  * Will this approach actually work?

Yep.

  * Is there a better way?

This sounds best for your use case.

  * Will any changes to user roles made within the database
 automatically update the roles that tomcat uses from the JDBCRealm, or
 will it require a server restart?

Tomcat's JDBCRealm caches the relevant roles for a user when he or she
logs on, so they won't change for the length of that session ... but
changes will get reflected next time the same person logs on.

  * Also if I use a check within the jsp like <logic:present role="..">
 to decide if a component should be displayed, I have read it is also
 advisable to require the presence of a role to use the Action.  This
 method will require two updates to allow an additional
 role to access a resource (update in the jsp, and in the xml file) -
 is there a way around this?

You can prohibit direct access to JSP pages (requiring that they go
through an Action first) and only need to configure the XML file to
limit access to a complete page.  But you'll still need the inner
logic if you want to do things differently, based on role, within a
page.

 
 Thank you in advance,
 
 Tim Christopher
 

Craig




Re: Struts Security

2005-01-23 Thread Tim Christopher
 I then have a number of menu options that should only be made
 visible to users with certain roles;

 Try Struts menu.

I have looked at the Struts Menu ( http://struts-menu.sourceforge.net/
) and I think I'll probably give it a go!

Does anyone else here have any experience using the Struts Menu, and
if so what did you think of it?...  And would you recommend it? :o)




Re: Struts Security

2005-01-19 Thread Larry Meadors
On Wed, 19 Jan 2005 21:54:48 +0900, Sylvain ~ [EMAIL PROTECTED] wrote:
 I'm working on a simple application which requires very simple
 security as given there are only 3 kinds of users: anonymous, users and
 admin.
 
 For portability issues, I don't want to use Tomcat's security system.

Please explain that logic. AFAIK, tomcat's security system follows the
specification for container managed security. The only deviation is in
the implementation of Realms which are outside of the servlet
specification, and would not be part of your web application anyway.

Larry




Re: Struts Security

2005-01-19 Thread Joe Germuska
In part for the reason you specified, where the response has already 
been committed in tiles, I prefer to move that kind of logic back 
into the pre-view stages of request processing.

In Struts 1.2.x, you could extend the TilesRequestProcessor and 
change the implementation of processRoles so that it handles 
security the way you prefer, before the action's execute method is 
ever called (and actually before the form is populated as well).

http://struts.apache.org/api/org/apache/struts/action/RequestProcessor.html#processRoles(javax.servlet.http.HttpServletRequest,%20javax.servlet.http.HttpServletResponse,%20org.apache.struts.action.ActionMapping)
In Struts 1.3, the default RequestProcessor will use a chain of 
commands, and in this case, you would replace the AuthorizeAction 
command from the chain with one of your own.  It is possible to 
implement this in Struts 1.2.x using the struts-chain library, but 
since that library was never released on its own, it's a small amount 
of work just to get the code.  Hopefully sometime in the next couple 
of weeks we'll have a stable SVN version of Struts 1.3.x which uses a 
modified form of the chain processing, but I couldn't say when that 
would be ready for a production release.

Joe
At 9:54 PM +0900 1/19/05, Sylvain ~ wrote:
I'm working on a simple application which requires very simple
security as given there is only 3 kind of users : anonymous, users and
admin.
For portability issues, I don't want to use Tomcat's security system.
I think using JAAS or securityFilter for a such simple application
would create more problems than it would solve, so I firstly decided
to implement a security feature with a jsp tag that I'll include in my
webpages.
The tag is similar to the one provided as an example of struts : checkLogon
It was working well with the first drafts of my application, but
since I use Tiles I can't perform any redirect with this tag, I just
get a blank page where the protected page should take place.
The page access is protected well, but what should I do if I want to
have a 403 page instead of just displaying the page ?
Any Idea would be appreciated.
Sylvain.

--
Joe Germuska
[EMAIL PROTECTED]  
http://blog.germuska.com
Narrow minds are weapons made for mass destruction  -The Ex

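As an added example (not code from the thread or from the Struts project), here is what the processRoles override Joe describes can look like in Struts 1.2.x. It keeps the logged-in user's role in a session attribute instead of relying on the container's isUserInRole, compares it against the roles attribute of the action mapping, and stops processing with a 403 before the form is populated or execute() is called. The class name, the session attribute name and the /logon.jsp path are assumptions.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts.action.ActionMapping;
import org.apache.struts.tiles.TilesRequestProcessor;

/**
 * Request processor that enforces roles="..." from struts-config.xml
 * against a role kept in the HttpSession (assumed attribute name below).
 * Extends TilesRequestProcessor so the Tiles plugin keeps working.
 */
public class SessionRoleRequestProcessor extends TilesRequestProcessor {

    /** Session attribute holding the user's role, e.g. "user" or "admin" (assumed). */
    public static final String ROLE_ATTRIBUTE = "userRole";

    /**
     * Called by process() after the ActionMapping has been selected but
     * before the ActionForm is populated and before Action.execute() runs.
     * Returning false ends request processing here, so the response has
     * not been committed yet and a redirect or error page still works,
     * unlike a check inside a Tiles layout.
     */
    protected boolean processRoles(HttpServletRequest request,
                                   HttpServletResponse response,
                                   ActionMapping mapping)
            throws IOException, ServletException {

        // Roles declared on the mapping: <action path="/admin" roles="admin" .../>
        String[] required = mapping.getRoleNames();
        if (required == null || required.length == 0) {
            return true; // no roles attribute: open to anonymous users
        }

        HttpSession session = request.getSession(false);
        String role = (session == null)
                ? null
                : (String) session.getAttribute(ROLE_ATTRIBUTE);

        if (role == null) {
            // Not logged in at all: send to the logon page (assumed path).
            response.sendRedirect(request.getContextPath() + "/logon.jsp");
            return false;
        }

        for (int i = 0; i < required.length; i++) {
            if (required[i].equals(role)) {
                return true; // authorised, continue with the normal pipeline
            }
        }

        // Logged in, but not in any role the mapping allows.
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return false;
    }
}
```

Register it with `<controller processorClass="SessionRoleRequestProcessor"/>` in struts-config.xml and put `roles="user,admin"` (whatever the three user kinds map to) on each protected action mapping. Note that this only guards requests that go through the ActionServlet; a JSP that can be requested directly bypasses it, so keep protected JSPs under WEB-INF or behind a servlet security-constraint.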


Re: Struts Security

2005-01-19 Thread Jim Barrows
On Wed, 19 Jan 2005 21:54:48 +0900, Sylvain ~ [EMAIL PROTECTED] wrote:
 I'm working on a simple application which requires very simple
 security as given there is only 3 kind of users : anonymous, users and
 admin.
 
 For portability issues, I don't want to use Tomcat's security system.

Tomcat doesn't have a tomcat specific security mechanism.  They use
the one specified by  the JSP/Servlet spec.

 
 I think using JAAS or securityFilter for a such simple application
 would create more problems than it would solve, so I firstly decided
 to implement a security feature with a jsp tag that I'll include in my
 webpages.

Not really, as you found out putting pages together is a bit tricky. 
Security filter is much easier, and using the JSP/Servlet security
even easier.
JAAS is usually wrapped by a Security Filter, and Tomcat has a JAAS
plugin to implement the standard security.

 
 The tag is similar to the one provided as an example of struts : checkLogon
 
 It was working well with the first drafts of my application, but
 since I use Tiles I can't perform any redirect with this tag, I just
 get a blank page where the protected page should take place.
 
 The page access is protected well, but what should I do if I want to
 have a 403 page instead of just displaying the page ?
 
 Any Idea would be appreciated.
 Sylvain.
 
 





Re: Struts security/validation

2004-08-11 Thread Kishore Senji
On Wed, 11 Aug 2004 14:45:05 +0100, James Adams [EMAIL PROTECTED] wrote:
 Hello all,
 
 I'm in the process of trying to secure my struts application against Cross site 
 scripting, SQL injection style attacks.
 
 One of the things I'm doing to prevent this is trying to restrict special characters 
 (;.(){}...etc) getting beyond the validator.
 
 At the moment I'm using the validator plugin, within my validation.xml I use the 
 mask validator with the regular expression;
 
 ..
 <var-name>mask</var-name>
 
 <var-value>^[^;'\.\^\$\*\+\?\{\}\[\]\\\|\(\)]+$</var-value>
 
 ..
 
 1. Does anyone know the syntax for also preventing < and > within the regular 
 expression bearing in mind its declared in XML?

In your regexp, you can specify the < and > entities as &lt; and
&gt; respectively.

 
 Or is there some kind of default validator that does this?
 
 2. Some of my action functions also take input in the url as a GET which does not go 
 through the Validator, this is then used to access a DB, these also need to be 
 secured.  Obviously I can do this within each individual Action class, but where 
 would be the best single place I could stop characters like   ;   ever getting as 
 far as the Action classes?
 

1) You can use a strategy similar to the one described in the below url
http://wiki.apache.org/struts/StrutsCatalogBaseAction

OR

2) You can also define a custom RequestProcessor and override
processPreprocess(HttpServletRequest request, HttpServletResponse
response).

 Any other suggestions would be much appreciated, as I couldn't find very much 
 related to securing struts applications
 
 many thanks in advance
 
 regards
 
 James
 
 

Kishore Senji.

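The second option above (a custom RequestProcessor overriding processPreprocess) is the single place where GET parameters that never pass through the Validator can be checked. The class below is an added example, not code from the thread or from Struts; it validates two assumed query parameters, id and sort, against allowlists of what they may look like, rather than denying characters such as ';'. Parameter names and patterns are assumptions.

```java
import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.RequestProcessor;

/**
 * Rejects requests whose URL parameters do not match an allowlist before
 * any ActionForm is populated or any Action runs. With the Tiles plugin,
 * extend org.apache.struts.tiles.TilesRequestProcessor instead.
 */
public class ParameterCheckingRequestProcessor extends RequestProcessor {

    // Allowlists (assumed for this example): say what a value may look like,
    // instead of trying to enumerate every character an attacker might use.
    private static final Pattern NUMERIC_ID = Pattern.compile("^[0-9]{1,10}$");
    private static final Pattern SORT_COLUMN = Pattern.compile("^(name|date|status)$");

    /**
     * Runs before processMapping(), so it covers every action in the module.
     * Returning false stops processing; the 400 response is all the client gets.
     */
    protected boolean processPreprocess(HttpServletRequest request,
                                        HttpServletResponse response) {
        if (!checkParameter(request.getParameter("id"), NUMERIC_ID)
                || !checkParameter(request.getParameter("sort"), SORT_COLUMN)) {
            try {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                                   "Invalid request parameter");
            } catch (IOException e) {
                // processPreprocess() declares no checked exceptions.
                throw new RuntimeException(e);
            }
            return false;
        }
        return true;
    }

    /** A missing parameter is acceptable; a present one must match the allowlist exactly. */
    static boolean checkParameter(String value, Pattern allowed) {
        return value == null || allowed.matcher(value).matches();
    }
}
```

Wire it in with `<controller processorClass="ParameterCheckingRequestProcessor"/>` in struts-config.xml. An id that is guaranteed to be digits cannot change the shape of a SQL statement, but the check is a backstop, not a substitute for binding the value with a PreparedStatement in the Action.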



RE: Struts security/validation

2004-08-11 Thread Jim Barrows


 -Original Message-
 From: James Adams [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, August 11, 2004 6:45 AM
 To: Struts Users Mailing List
 Subject: Struts security/validation
 
 
 Hello all,
 
 I'm in the process of trying to secure my struts application 
 against Cross site scripting, SQL injection style attacks.
 
 One of the things I'm doing to prevent this is trying to 
 restrict special characters (;.(){}...etc) getting beyond 

Semicolon and period are perfectly legitimate for a textarea input.  I use a filter, 
that goes through the parameters looking for select.*from.*  for a quick check, then 
do a second more detailed look before rejecting for a security violation.  I do the 
same thing for insert and update as well, as separate checks, which gives me some idea 
how far into the attack they've gotten.
I would also do the same thing for a cross site scripting attack, if I had a check for 
it.. actually look for keywords before flagging anything.  Since I do a lot of 
internal web apps, I'm not as concerned about this as I would be if I had external 
sites.

 the validator.
 
 At the moment I'm using the validator plugin, within my 
 validation.xml I use the mask validator with the regular expression;
 
 .
 <var-name>mask</var-name>
 
 <var-value>^[^;'\.\^\$\*\+\?\{\}\[\]\\\|\(\)]+$</var-value>
 
 .
 
 
 
 1. Does anyone know the syntax for also preventing < and >
 within the regular expression bearing in mind its declared in XML?
 
 Or is there some kind of default validator that does this?
 
 
 
 2. Some of my action functions also take input in the url as 
 a GET which does not go through the Validator, this is then 
 used to access a DB, these also need to be secured.  
 Obviously I can do this within each individual Action class, 
 but where would be the best single place I could stop 
 characters like   ;   ever getting as far as the Action classes?
 
 Any other suggestions would be much appreciated, as I 
 couldn't find very much related to securing struts applications  
 
 many thanks in advance
 
 regards
 
 James
 
 




Re: Struts security/validation

2004-08-11 Thread Craig McClanahan
On Wed, 11 Aug 2004 14:45:05 +0100, James Adams [EMAIL PROTECTED] wrote:
 Hello all,
 
 I'm in the process of trying to secure my struts application against Cross site 
 scripting, SQL injection style attacks.
 
 One of the things I'm doing to prevent this is trying to restrict special characters 
 (;.(){}...etc) getting beyond the validator.
 

Just thinking out loud for a moment ...

Cross site scripting attacks don't happen when sensitive characters
are inside an *input* field.  The problem comes if you *output* the
data without filtering for them.  That's why the Struts bean:write
tag, for example, filters <, >, &, and " for you unless you
explicitly tell it not to, so if you are diligent about how you copy
your database data to output pages, you can safely accept these kinds
of character in input.

I notice that Kishore Senji (one of the other respondents in this
thread) is using Google's Gmail, just as I am at the moment.  Since
this is a web application, it's a good thing that Google isn't
disallowing the magic characters on input into a textarea, or else we
would not be able to participate in this conversation :-).

Is filtering input really the appropriate strategy for dealing with
this problem?  If successful it will certainly help, but the approach
strikes me as overly restrictive for most application needs.

Craig




RE: Struts security/validation

2004-08-11 Thread Jim Barrows


 -Original Message-
 From: Craig McClanahan [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, August 11, 2004 10:21 AM
 To: Struts Users Mailing List
 Subject: Re: Struts security/validation
 
 
 On Wed, 11 Aug 2004 14:45:05 +0100, James Adams 
 [EMAIL PROTECTED] wrote:
  Hello all,
  
  I'm in the process of trying to secure my struts 
 application against Cross site scripting, SQL injection 
 style attacks.
  
  One of the things I'm doing to prevent this is trying to 
 restrict special characters (;.(){}...etc) getting beyond 
 the validator.
  
 
 Just thinking out loud for a moment ...
 
 Cross site scripting attacks don't happen when sensitive characters
 are inside an *input* field.  The problem comes if you *output* the
 data without filtering for them.  That's why the Struts bean:write
 tag, for example, filters <, >, &, and " for you unless you
 explicitly tell it not to, so if you are diligent about how you copy
 your database data to output pages, you can safely accept these kinds
 of character in input.
 
 I notice that Kishore Senji (one of the other respondents in this
 thread) is using Google's Gmail, just as I am at the moment.  Since
 this is a web application, it's a good thing that Google isn't
 disallowing the magic characters on input into a textarea, or else we
 would not be able to participate in this conversation :-).
 
 Is filtering input really the appropriate strategy for dealing with
 this problem?  If successful it will certainly help, but the approach
 strikes me as overly restrictive for most application needs.

It can be appropriate, you might eventually need to turn off that filtering.  It may 
be possible to legitimately allow such characters.  The immediate example I can think 
of is content management.  You could jump through hoops (ex. Wikis) to not use html 
to mark up the input but why?
If you do it on input, you definitely need more than just grepping on characters, you 
need to look at what the content is.  Looking for a javascript tag is good.  Maybe 
running the input through a javascript parser is even better.  Lots of ways to do it.  
The best reason for doing it on input, is SQL injection and Cross Site Scripting 
attacks are bad data.  Bad data should not make it into the database.






RE: Struts security/validation

2004-08-11 Thread Wiebe de Jong
I had a similar problem, which I discovered when one of my users tried to
enter a street address containing an apostrophe. Since I use apostrophes to
delineate my text strings in my SQL statements, this caused a database
error. I fixed it by not allowing apostrophes to be entered into any of the
text fields.

I admit this is overly restrictive, but I don't know how to get the
apostrophe into my database otherwise. How would you do it Craig?

For SQL destined text, I disallow \ and '.
For XML destined text, I disallow <, >, &, \, and ".

Wiebe de Jong

-Original Message-
From: Craig McClanahan [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 11, 2004 10:21 AM
To: Struts Users Mailing List
Subject: Re: Struts security/validation

On Wed, 11 Aug 2004 14:45:05 +0100, James Adams [EMAIL PROTECTED] wrote:
 Hello all,
 
 I'm in the process of trying to secure my struts application against
Cross site scripting, SQL injection style attacks.
 
 One of the things I'm doing to prevent this is trying to restrict special
characters (;.(){}...etc) getting beyond the validator.
 

Just thinking out loud for a moment ...

Cross site scripting attacks don't happen when sensitive characters
are inside an *input* field.  The problem comes if you *output* the
data without filtering for them.  That's why the Struts bean:write
tag, for example, filters <, >, &, and " for you unless you
explicitly tell it not to, so if you are diligent about how you copy
your database data to output pages, you can safely accept these kinds
of character in input.

I notice that Kishore Senji (one of the other respondents in this
thread) is using Google's Gmail, just as I am at the moment.  Since
this is a web application, it's a good thing that Google isn't
disallowing the magic characters on input into a textarea, or else we
would not be able to participate in this conversation :-).

Is filtering input really the appropriate strategy for dealing with
this problem?  If successful it will certainly help, but the approach
strikes me as overly restrictive for most application needs.

Craig






RE: Struts security/validation

2004-08-11 Thread Jim Barrows


 -Original Message-
 From: Wiebe de Jong [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, August 11, 2004 10:32 AM
 To: 'Struts Users Mailing List'
 Subject: RE: Struts security/validation
 
 
 I had a similar problem, which I discovered when one of my 
 users tried to
 enter a street address containing an apostrophe. Since I use 
 apostrophes to
 delineate my text strings in my SQL statements, this caused a database
 error. I fixed it by not allowing apostrophes to be entered 
 into any of the
 text fields.
 
 I admit this is overly restrictive, but I don't know how to get the
 apostrophe into my database otherwise. How would you do it Craig?

I'd change them to their HTML equivalents.. however I've found that using the prepared 
sql statements eliminates the interpretation problem you've outlined.

 
 For SQL destined text, I disallow \ and '.
 For XML destined text, I disallow <, >, &, \, and ".
 
 Wiebe de Jong
 
 -Original Message-
 From: Craig McClanahan [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, August 11, 2004 10:21 AM
 To: Struts Users Mailing List
 Subject: Re: Struts security/validation
 
 On Wed, 11 Aug 2004 14:45:05 +0100, James Adams 
 [EMAIL PROTECTED] wrote:
  Hello all,
  
  I'm in the process of trying to secure my struts application against
 Cross site scripting, SQL injection style attacks.
  
  One of the things I'm doing to prevent this is trying to 
 restrict special
 characters (;.(){}...etc) getting beyond the validator.
  
 
 Just thinking out loud for a moment ...
 
 Cross site scripting attacks don't happen when sensitive characters
 are inside an *input* field.  The problem comes if you *output* the
 data without filtering for them.  That's why the Struts bean:write
 tag, for example, filters <, >, &, and " for you unless you
 explicitly tell it not to, so if you are diligent about how you copy
 your database data to output pages, you can safely accept these kinds
 of character in input.
 
 I notice that Kishore Senji (one of the other respondents in this
 thread) is using Google's Gmail, just as I am at the moment.  Since
 this is a web application, it's a good thing that Google isn't
 disallowing the magic characters on input into a textarea, or else we
 would not be able to participate in this conversation :-).
 
 Is filtering input really the appropriate strategy for dealing with
 this problem?  If successful it will certainly help, but the approach
 strikes me as overly restrictive for most application needs.
 
 Craig
 
 
 
 
 




Re: Struts security/validation

2004-08-11 Thread Craig McClanahan
On Wed, 11 Aug 2004 10:32:04 -0700, Wiebe de Jong [EMAIL PROTECTED] wrote:
 I had a similar problem, which I discovered when one of my users tried to
 enter a street address containing an apostrophe. Since I use apostrophes to
 delineate my text strings in my SQL statements, this caused a database
 error. I fixed it by not allowing apostrophes to be entered into any of the
 text fields.
 

I hope you never have a customer named O'Reilly :-).

 I admit this is overly restrictive, but I don't know how to get the
 apostrophe into my database otherwise. How would you do it Craig?
 
 For SQL destined text, I disallow \ and '.

If I'm doing the SQL myself, I always use prepared statements:

  String streetAddress = ...; // String may have \ and ' characters in it
  PreparedStatement stmt = conn.prepareStatement
    ("UPDATE CUSTOMER SET STREET_ADDRESS=? WHERE CUSTID=?");
  stmt.setString(1, streetAddress);
  stmt.setInt(2, custId);
  stmt.executeUpdate();

and let the JDBC driver take care of getting the sensitive characters
escaped as needed.

(Of course, if you're using a persistence tier abstraction like EJB or
JDO or JDBC RowSets or Hibernate or iBatis et. al., you don't need to
worry about any of this -- it all happens automatically for you.)

 For XML destined text, I disallow <, >, &, \, and ".

For XML, I use one of several strategies depending on the detailed situation:

* Recognize that XML allows either " or ' as attribute delimiters,
  so if a string includes one kind, just use the other.

* Write or use an XML serializer that translates & to &amp;
  and so on for me.

* If the XML I am writing is actually markup on a page, use
  JSF components ... JSF includes APIs that do all the escaping
  for you.

 
 Wiebe de Jong

Craig




RE: Struts security/validation

2004-08-11 Thread Zhang, Larry \(L.\)
Oracle sql insert needs to escape apostrophes so that you can insert apostrophes. So 
in your case you may need a utility method to convert all your text containing 
apostrophes to something like ''.

Example: If your user enters I like he's idea, when inserting to data base you need 
to convert it to be I like he''s idea.

Hope this helps.


-Original Message-
From: Wiebe de Jong [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 11, 2004 1:32 PM
To: 'Struts Users Mailing List'
Subject: RE: Struts security/validation


I had a similar problem, which I discovered when one of my users tried to
enter a street address containing an apostrophe. Since I use apostrophes to
delineate my text strings in my SQL statements, this caused a database
error. I fixed it by not allowing apostrophes to be entered into any of the
text fields.

I admit this is overly restrictive, but I don't know how to get the
apostrophe into my database otherwise. How would you do it Craig?

For SQL destined text, I disallow \ and '.
For XML destined text, I disallow <, >, &, \, and ".

Wiebe de Jong

-Original Message-
From: Craig McClanahan [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 11, 2004 10:21 AM
To: Struts Users Mailing List
Subject: Re: Struts security/validation

On Wed, 11 Aug 2004 14:45:05 +0100, James Adams [EMAIL PROTECTED] wrote:
 Hello all,
 
 I'm in the process of trying to secure my struts application against
Cross site scripting, SQL injection style attacks.
 
 One of the things I'm doing to prevent this is trying to restrict special
characters (;.(){}...etc) getting beyond the validator.
 

Just thinking out loud for a moment ...

Cross site scripting attacks don't happen when sensitive characters
are inside an *input* field.  The problem comes if you *output* the
data without filtering for them.  That's why the Struts bean:write
tag, for example, filters <, >, &, and " for you unless you
explicitly tell it not to, so if you are diligent about how you copy
your database data to output pages, you can safely accept these kinds
of character in input.

I notice that Kishore Senji (one of the other respondents in this
thread) is using Google's Gmail, just as I am at the moment.  Since
this is a web application, it's a good thing that Google isn't
disallowing the magic characters on input into a textarea, or else we
would not be able to participate in this conversation :-).

Is filtering input really the appropriate strategy for dealing with
this problem?  If successful it will certainly help, but the approach
strikes me as overly restrictive for most application needs.

Craig





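The two approaches discussed in this thread, doubling apostrophes by hand and binding the value with a PreparedStatement, behave differently once the input is not just O'Reilly. The class below is an added example, not code from the thread: it shows the string each approach produces for a legitimate name and for a constructed injection payload, and the parameterised version that never lets the value reach the SQL parser. The CUSTOMER table and the sample inputs are assumptions for the example; the parameterised method needs a JDBC Connection to run.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class ApostropheHandling {

    /** Vulnerable: the value is spliced into the SQL text and parsed as SQL. */
    public static String concatenated(String name) {
        return "SELECT * FROM CUSTOMER WHERE NAME = '" + name + "'";
    }

    /**
     * Manual escaping as suggested in the thread: double every apostrophe.
     * This is correct for ANSI-style quoting (Oracle, PostgreSQL with
     * standard_conforming_strings) but must be applied to every string in
     * every statement, and it is not sufficient for dialects where backslash
     * also escapes inside a literal (MySQL by default): the input O\'Reilly
     * becomes 'O\''Reilly', which MySQL does not read as one literal.
     */
    public static String doubledApostrophes(String name) {
        return "SELECT * FROM CUSTOMER WHERE NAME = '" + name.replaceAll("'", "''") + "'";
    }

    /**
     * Preferred: the statement text contains only a placeholder, and the
     * driver sends the value separately, so no character in it can change
     * the statement. Works the same for every dialect.
     */
    public static ResultSet parameterised(Connection conn, String name) throws SQLException {
        PreparedStatement stmt = conn.prepareStatement("SELECT * FROM CUSTOMER WHERE NAME = ?");
        stmt.setString(1, name);
        return stmt.executeQuery();
    }

    public static void main(String[] args) {
        // Constructed inputs: a real name with an apostrophe, and a payload that
        // turns the WHERE clause into a tautology when concatenated.
        String legitimate = "O'Reilly";
        String attack = "x' OR '1'='1";

        // Unterminated literal for the first, every row returned for the second.
        System.out.println(concatenated(legitimate));
        System.out.println(concatenated(attack));

        // Both become a single literal: the payload is now just an odd name.
        System.out.println(doubledApostrophes(legitimate));
        System.out.println(doubledApostrophes(attack));
    }
}
```

If the application already has dozens of string-built statements, the fastest safe migration is to replace each `'" + value + "'` with `?` plus a setString/setInt call; the escaping utility is only a stopgap for statements that cannot be converted yet.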



RE: Struts security/validation

2004-08-11 Thread Wiebe de Jong
Craig, both you and Jim suggested that I make use of prepared statements. I
implemented my SQL using strings because it is easier to tweak during the
development phase. 

Now that the project is in maintenance, moving to prepared statements is a
good idea. Probably help a bit in performance as well.

As for the XML/SOAP calls, using the serializer to create the character
entities would be good.

Thanks

Wiebe de Jong

-Original Message-
From: Craig McClanahan [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 11, 2004 10:50 AM
To: Struts Users Mailing List
Subject: Re: Struts security/validation

On Wed, 11 Aug 2004 10:32:04 -0700, Wiebe de Jong [EMAIL PROTECTED] wrote:
 I had a similar problem, which I discovered when one of my users tried to
 enter a street address containing an apostrophe. Since I use apostrophes
to
 delineate my text strings in my SQL statements, this caused a database
 error. I fixed it by not allowing apostrophes to be entered into any of
the
 text fields.
 

I hope you never have a customer named O'Reilly :-).

 I admit this is overly restrictive, but I don't know how to get the
 apostrophe into my database otherwise. How would you do it Craig?
 
 For SQL destined text, I disallow \ and '.

If I'm doing the SQL myself, I always use prepared statements:

  String streetAddress = ...; // String may have \ and ' characters in
it
  PreparedStatement stmt = conn.prepareStatement
    ("UPDATE CUSTOMER SET STREET_ADDRESS=? WHERE CUSTID=?");
  stmt.setString(1, streetAddress);
  stmt.setInt(2, custId);
  stmt.executeUpdate();

and let the JDBC driver take care of getting the sensitive characters
escaped as needed.

(Of course, if you're using a persistence tier abstraction like EJB or
JDO or JDBC RowSets or Hibernate or iBatis et. al., you don't need to
worry about any of this -- it all happens automatically for you.)

 For XML destined text, I disallow <, >, &, \, and ".

For XML, I use one of several strategies depending on the detailed
situation:

* Recognize that XML allows either " or ' as attribute delimiters,
  so if a string includes one kind, just use the other.

* Write or use an XML serializer that translates & to &amp;
  and so on for me.

* If the XML I am writing is actually markup on a page, use
  JSF components ... JSF includes APIs that do all the escaping
  for you.

 
 Wiebe de Jong

Craig






Re: Struts security/validation

2004-08-11 Thread Kishore Senji
Jakarta commons lang String Escape Utils has a set of utility methods
for escaping xml, html, sql, java, javascript ...
http://jakarta.apache.org/commons/lang/apidocs/org/apache/commons/lang/StringEscapeUtils.html

Kishore Senji.


On Wed, 11 Aug 2004 10:41:13 -0700, Jim Barrows [EMAIL PROTECTED] wrote:
 
 
  -Original Message-
  From: Wiebe de Jong [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, August 11, 2004 10:32 AM
  To: 'Struts Users Mailing List'
  Subject: RE: Struts security/validation
 
 
  I had a similar problem, which I discovered when one of my
  users tried to
  enter a street address containing an apostrophe. Since I use
  apostrophes to
  delineate my text strings in my SQL statements, this caused a database
  error. I fixed it by not allowing apostrophes to be entered
  into any of the
   text fields.
 
  I admit this is overly restrictive, but I don't know how to get the
  apostrophe into my database otherwise. How would you do it Craig?
 
 I'd change them to their HTML equivalents.. however I've found that using the 
 prepared sql statements eliminates the interpretation problem you've outlined.
 
 
 
 
   For SQL destined text, I disallow \ and '.
   For XML destined text, I disallow <, >, &, \, and ".
 
  Wiebe de Jong
 
  -Original Message-
  From: Craig McClanahan [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, August 11, 2004 10:21 AM
  To: Struts Users Mailing List
  Subject: Re: Struts security/validation
 
  On Wed, 11 Aug 2004 14:45:05 +0100, James Adams
  [EMAIL PROTECTED] wrote:
   Hello all,
  
   I'm in the process of trying to secure my struts application against
  Cross site scripting, SQL injection style attacks.
  
   One of the things I'm doing to prevent this is trying to
  restrict special
  characters (;.(){}...etc) getting beyond the validator.
  
 
  Just thinking out loud for a moment ...
 
  Cross site scripting attacks don't happen when sensitive characters
  are inside an *input* field.  The problem comes if you *output* the
  data without filtering for them.  That's why the Struts bean:write
   tag, for example, filters <, >, &, and " for you unless you
  explicitly tell it not to, so if you are diligent about how you copy
  your database data to output pages, you can safely accept these kinds
  of character in input.
 
  I notice that Kishore Senji (one of the other respondents in this
  thread) is using Google's Gmail, just as I am at the moment.  Since
   this is a web application, it's a good thing that Google isn't
  disallowing the magic characters on input into a textarea, or else we
  would not be able to participate in this conversation :-).
 
  Is filtering input really the appropriate strategy for dealing with
  this problem?  If successful it will certainly help, but the approach
  strikes me as overly restrictive for most application needs.
 
  Craig
 
 
 
 
 
 
 





Re: Struts security/validation

2004-08-11 Thread Brett Connor
Craig McClanahan wrote:
On Wed, 11 Aug 2004 10:32:04 -0700, Wiebe de Jong [EMAIL PROTECTED] wrote:
 

I had a similar problem, which I discovered when one of my users tried to
enter a street address containing an apostrophe. Since I use apostrophes to
delineate my text strings in my SQL statements, this caused a database
error. I fixed it by not allowing apostrophes to be entered into any of the
test fields.
   

I hope you never have a customer named O'Reilly :-).
 

I admit this is overly restrictive, but I don't know how to get the
apostrophe into my database otherwise. How would you do it Craig?
For SQL destined text, I disallow \ and '.
   

If I'm doing the SQL myself, I always use prepared statements:
 

Absolutely. PreparedStatement is always the way to go, depending on the 
database you'll get a couple of performance gains also.

 String streetAddress = ...; // String may have \ and ' characters in it
 PreparedStatement stmt = conn.prepareStatement
   ("UPDATE CUSTOMER SET STREET_ADDRESS=? WHERE CUSTID=?");
 stmt.setString(1, streetAddress);
 stmt.setInt(2, custId);
 stmt.executeUpdate();
and let the JDBC driver take care of getting the sensitive characters
escaped as needed.
 

In fact the drivers should not (again implementation specific) need to 
do any escaping, the statement and data are separate entities. The 
statement will still contain ? (or equivalent) in the rdbms.

Brett