RE: Struts Security
xwork supplies a ParameterFilterInterceptor:

    <interceptors>
      <interceptor name="parameterFilter"
                   class="com.opensymphony.xwork2.interceptor.ParameterFilterInterceptor"/>

I don't see any security considerations here for HDIV-SP1. Could you explain which security features/functions would be provided by HDIV-SP1? Would HDIV-SP1 be supported by either the Freemarker or Velocity template languages? How would existing Struts tags incorporate this 'additional' functionality.. presumably through an additional attribute?

controller:

    <bean class="org.springframework.web.servlet.mvc.support.ControllerClassNameHandlerMapping"/>
    <!-- Most controllers will use the ControllerClassNameHandlerMapping above, but for the
         index controller we are using ParameterizableViewController, so we must define an
         explicit mapping for it. -->
    <!-- The index controller. -->
    <bean name="indexController"
          class="org.springframework.web.servlet.mvc.ParameterizableViewController"
          p:viewName="index" />
    <bean id="urlMapping" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
      <property name="mappings">
        <props>
          <prop key="/index.htm">indexController</prop>
        </props>
      </property>
    </bean>

What additional controller functionality would HDIV-SP1 provide which is not already provided by Spring's ParameterizableViewController?

thanks,
Martin Gainty

Disclaimer and confidentiality note: This message is confidential and may be privileged. If you are not the intended recipient, we kindly ask you to inform the sender. Any unauthorised forwarding or copying is not permitted. This message serves only to exchange information and has no legally binding effect. Because e-mails can easily be manipulated, we cannot accept any liability for the content.

From: kamleshkori...@gmail.com
Date: Mon, 24 Aug 2009 16:22:41 +0530
Subject: Struts Security
To: user@struts.apache.org

I want to integrate Struts2 (2.1.6) with HDIV using SPI (Processing Parameter Integration) defined in the link below. http://wiki.apache.org/struts/HDIV Is there any source or help available for that? In this link there is integration for Struts 1.3.8, and the web application given in the link is not downloaded properly. Can anyone provide a sample application of Struts2 + HDIV using SPI?

--
Kamlesh Koringa
Re: Struts Security
The answer to your questions is 42. What in the name of the Flying Spaghetti Monster are you talking about? It is not only that you add more questions that are not even related to the topic (FreeMarker, Velocity?). What is HDIV-SP1? Not even Google finds anything relevant about it. Then on top of that you post code from SPRING MVC examples (taken from here http://wiki.netbeans.org/SpringFileUpload? or http://www.coderanch.com/t/446495/Spring/dispatcher-servlet-xml-works?). In this community we encourage *people* to *help* each other and ask questions freely. People and help are the keywords here; your posts seem generated by a bot/script and are *not* helpful. I have seen you doing the same thing on other open source project mailing lists; would you please be so kind as to spare us your seemingly-random-generated spam? You are confusing users and adding noise to the mailing list. And no, I can't just ignore you, because your rants do confuse users, which form the community that we, as Struts developers, try to help and spend our free time supporting.

musachy

--
Hey you! Would you help me to carry the stone?
Pink Floyd

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
Re: Struts Security
Musachy Barroso wrote:
> The answer to your questions is 42. What in the name of the Flying Spaghetti Monster are you talking about?

Ramen.

Dave
Re: Struts Security
Hot Div Injection Vector - Service Pack 1: a little-known DHTML library used exclusively by porn link aggregator sites. I am surprised you didn't know that.

And Martin, I am so busy that I only make it back here periodically, but it seems like every time I do Musachy is giving you a beat down about another total fail post. It reminds me of a famous SNL skit with William Shatner: "Shatner, I think you are the most ridiculously terrible actor ever born on this Earth, and I get a thousand letters a day telling me the same thing.." To which Shatner replies, "What is the word on the street about me?" *sigh*.
RE: Struts - Security
Ditto on Spring Security, very nice for URL auth.
RE: Struts - Security
QueryCryptSessionListener handles authentication: http://www.theserverside.com/news/thread.tss?thread_id=36841

BASIC URL authorization can be achieved through predefined roles from tomcat-users: http://www.informit.com/articles/article.aspx?p=24600

I assume you're using TC?

Martin Gainty

From: kamleshkori...@gmail.com
Date: Sat, 8 Aug 2009 11:22:06 +0530
Subject: Struts - Security
To: user@struts.apache.org

Hi, I am searching for good security frameworks for Struts2. I have tried HDIV (http://www.hdiv.org). It is a good framework but supports up to Struts 2.0.11, not Struts 2.1.6. So please help me to find any other framework or any other way to solve security-related issues. My main concerns are:
- URL encryption (no one can modify generated URL).
- URL authorization.

Thanks
--
Kamlesh Koringa
Re: Struts - Security
Thanks Martin for your reply. I have checked QueryCrypt. It only works with static URLs generated from the server side to encrypt parameters, and I doubt it will work with Struts2 tags. For that I would have to use a scriptlet to get all parameters, encrypt them and generate the encrypted parameters. If I am not wrong, <s:a /> will not allow the use of a scriptlet, so I would have to use a simple HTML tag to generate the URL. Is there any other way to do this?

Thanks
Kamlesh
RE: Struts - Security
One way of achieving this is to assign the href attr of the anchor to a scoped variable:

    <%@ page import="com.opensymphony.xwork2.ActionContext" %>
    <%
      // build the URL on the server and park it in the session
      java.net.URL url = new java.net.URL("http://java.sun.com/index.html");
      ActionContext.getContext().getSession().put("testUrlId", url);
    %>
    <%-- the href is a plain String attribute, so the session lookup needs %{...} to be evaluated --%>
    <s:a href="%{#session.testUrlId}">

anyone else?

Martin Gainty
Re: Struts - Security
Kamlesh Koringa wrote:
> - URL encryption (no one can modify generated URL).

Impossible. You cannot prevent people from requesting URLs your system does not present to them. You should assume that any parameter that you accept from a user can be manipulated at will by that user. You can jump through hoops to make valid alternate values difficult to guess, but that's it. You should always check the inputs and make sure that the requested action is a valid one for that user before allowing the requested action to continue.

> - URL authorization.

Spring Security, formerly known as acegi.

-Dale
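An added example (not code from anyone in this thread) of the server-side check Dale describes, written as a Struts 2.1 interceptor: every request re-parses the `id` parameter and asks the application who owns that record, so an edited URL gains nothing. The `id` parameter name, the `currentUser` session key and the `OrderRepository` lookup are assumed names, not Struts or HDIV APIs.

```java
package example.security;   // assumed package

import java.util.Map;

import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/**
 * Authorizes the record a request asks for against the logged-in user, on the
 * server, for every request. Nothing in the URL is trusted: the "id" parameter is
 * re-parsed and the ownership lookup decides. Declare it in struts.xml in front of
 * the actions that take an id and map the "unauthorized" result to an error page.
 */
public class OwnershipInterceptor extends AbstractInterceptor {

    public static final String UNAUTHORIZED = "unauthorized";

    /** Assumed application lookup; not part of Struts or HDIV. */
    public interface OrderRepository {
        /** Returns the owning user name, or null when no such order exists. */
        String ownerOf(long orderId);
    }

    private OrderRepository orders;

    /** Injected by the Struts 2 Spring plugin, or set from a subclass or test. */
    public void setOrders(OrderRepository orders) {
        this.orders = orders;
    }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        Map<String, Object> session = invocation.getInvocationContext().getSession();
        Map<String, Object> params = invocation.getInvocationContext().getParameters();

        // Assumed session key written by the application's login action.
        String user = (String) session.get("currentUser");
        if (user == null) {
            return UNAUTHORIZED;
        }

        Long orderId = singleLong(params.get("id"));
        if (orderId == null) {
            return UNAUTHORIZED;   // missing, repeated (?id=1&id=2) or non-numeric
        }

        String owner = orders.ownerOf(orderId);
        if (owner == null || !owner.equals(user)) {
            // Same answer for "does not exist" and "belongs to someone else", so the
            // response does not reveal which ids are in use.
            return UNAUTHORIZED;
        }
        return invocation.invoke();
    }

    /** XWork hands parameters over as String[]; accept exactly one decimal value. */
    static Long singleLong(Object raw) {
        if (!(raw instanceof String[])) {
            return null;
        }
        String[] values = (String[]) raw;
        if (values.length != 1) {
            return null;
        }
        try {
            return Long.valueOf(values[0].trim());
        } catch (NumberFormatException e) {
            return null;
        }
    }
}
```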
RE: Struts - Security
Looks like you might want to code your own logic to scan for those manipulated URL params.. like the URL which contains the dreaded /WEB-INF (and as Dale suggested, scan URLs to reference known .action).

Martin Gainty
Re: struts security
Do it like you would for any servlet. Either apply a security constraint to the struts servlet itself or apply security constraints to a url path (applying a security constraint to /admin/* applies also to /admin/someStrutsAction.do).

Jubin Kuriakose wrote:
> Hi all
> Can anyone give me links related to implementing security-constraints (from web.xml) and struts together. I googled without any success.
> thnx
> jubs
Re: struts security
Hi David
I did do that ...

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>father</web-resource-name>
        <description>Security</description>
        <url-pattern>/father/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>admin</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/auth.do</form-login-page>
        <form-error-page>/admin/error.jsp</form-error-page>
      </form-login-config>
    </login-config>

    <security-role>
      <role-name>admin</role-name>
    </security-role>

and my authentication is diverted to an action class which carries out the actual checking. Here is auth.jsp that calls the AuthAction:

    <html:form action="authAction">
      <TABLE width="100%" border="0" cellspacing="0" cellpadding="5">
        <TR align="center">
          <TD align="right" class="Prompt"></TD>
          <TD align="left"><html:text property="j_username" maxlength="20"/></TD>
        </TR>
        <TR align="center">
          <TD align="right" class="Prompt">Username</TD>
          <%-- j_password is rendered with html:text here; html:password would mask the input --%>
          <TD align="left"><html:text property="j_password" maxlength="20"/><BR></TD>
        </TR>
        <TR align="center">
          <TD align="right" class="Prompt">Password</TD>
          <TD align="left"><html:submit value="Login"/></TD>
        </TR>
      </TABLE>
    </html:form>

the action class is here:

    // Struts 1 action that runs a JAAS login itself, using the JBoss callback handler
    // (org.jboss.security.auth.callback.SecurityAssociationHandler) and
    // org.jboss.security.SimplePrincipal, and stores the resulting Subject in the session.
    public ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        String username = ((DynaActionForm) form).getString("j_username");
        String password = ((DynaActionForm) form).getString("j_password");
        System.out.println("Authentication execute called");
        try {
            SecurityAssociationHandler handler = new SecurityAssociationHandler();
            SimplePrincipal user = new SimplePrincipal(username);
            handler.setSecurityInfo(user, password.toCharArray());
            // "example" is the JAAS login configuration (application policy) name
            LoginContext loginContext = new LoginContext("example", (CallbackHandler) handler);
            loginContext.login();
            Subject subject = loginContext.getSubject();
            System.out.println("Subject--" + subject.toString());
            Set<Principal> principals = subject.getPrincipals();
            principals.add(user);
            // getSession(false) returns null when no session exists yet
            request.getSession(false).setAttribute("login", subject);
        } catch (LoginException e) {
            // TODO: handle exception
            System.out.println("LoginException");
            return mapping.findForward("error");
        }
        return mapping.findForward("father");
    }

and it works fine. Each time a request comes to url /father/* the auth.jsp is called, even if I was authorised the first time. Meaning I have to authenticate myself every time I access anything in /father/. How do I get over this behaviour and only authenticate myself once...

thnks for any help
Re: struts security
Am sorry but that's not how form based authentication works in j2ee. When you are not authenticated, the container redirects you to form-login-page. This page must contain a form with 2 fields: j_username and j_password. The form action MUST be of type POST and the target MUST be j_security_check (this is a special url that will be handled by the container, you can not map any servlet there). Example:

    <form method="POST" action="j_security_check">
      <table>
        <tr>
          <td>Login :</td>
          <td><input type="text" name="j_username"></td>
        </tr>
        <tr>
          <td>Mot de passe :</td>
          <td><input type="password" name="j_password"></td>
        </tr>
        <tr>
          <td><input type="submit" value="Entrer !"></td>
          <td><input type="reset" value="Annuler"></td>
        </tr>
      </table>
    </form>

If you use any action other than j_security_check, this will be handled like any other url query, and no authentication will take place. The reason you are having father -> login form -> father apparently working is simply because struts does a forward after the action, which takes place internally and so is not concerned by the security constraints.
Re: struts security
Oh... Supposing I did use j_security_check to authenticate. How do I check if the user is authenticated at a later stage, and is it possible to programmatically remove his permission?

thnx
Re: struts security
Jubin Kuriakose wrote:

Oh... Supposing I did use j_security_check to authenticate. How do I check if the user is authenticated at a later stage?

request.getUserPrincipal() returns a non-null value.

And is it possible to programmatically remove his permission?

Not really. Once a user has been authenticated, it's written in his session. Some people have had success by clearing the user session, but this behaviour is container dependent as, unfortunately, the J2EE specs did not provide for such a mechanism.
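The two answers above, as an added example that is not David's or Jubin's code: a Struts 1 action that reports whether the container has authenticated the caller (request.getUserPrincipal() non-null) and performs the only portable form of "logout" available under Servlet 2.x, invalidating the session. The forward names "loggedIn", "anonymous" and "loggedOut" and the "do=logout" request parameter are assumptions for this example.

```java
import java.security.Principal;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Added example: status and logout for container-managed (j_security_check) authentication. */
public class SessionStatusAction extends Action {

    /** True when the container has authenticated the caller: the Principal is non-null. */
    public static boolean isAuthenticated(HttpServletRequest request) {
        Principal principal = request.getUserPrincipal();
        return principal != null;
    }

    /**
     * "Logout" for container-managed security: drop the session that carries the
     * authentication state. Whether the container really forgets the user after this
     * is container dependent, as the reply above notes; there is no portable logout call
     * in Servlet 2.x.
     */
    public static void logout(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }

    public ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        // "do" is an assumed request parameter selecting the logout branch
        if ("logout".equals(request.getParameter("do"))) {
            String who = isAuthenticated(request)
                    ? request.getUserPrincipal().getName() : "anonymous";
            logout(request);
            // audit trail: who logged out and from which address
            servlet.log("logout: user=" + who + " ip=" + request.getRemoteAddr());
            return mapping.findForward("loggedOut"); // assumed forward
        }
        if (!isAuthenticated(request)) {
            return mapping.findForward("anonymous"); // assumed forward
        }
        request.setAttribute("userName", request.getUserPrincipal().getName());
        return mapping.findForward("loggedIn"); // assumed forward
    }
}
```

Because the container, not the action, decides who is authenticated, the action never reads j_username or a session attribute of its own to answer the question; the Principal is the only authoritative signal, and a null Principal on a path that should be protected is worth logging as a misconfigured security-constraint.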
Re: struts security
At first glance at your code it looks like you might need to add a role principal after you've added the user. But on consideration I don't think that the user principal is going to be added to the session in such a way that you can get to the principal using request.getUserPrincipal() and the isUserInRole business.

If you want to do things the servlet spec way and you're intent on using JAAS to do this, then you're going to have to write a JAAS login module that you configure in your container (e.g. Tomcat). I don't think the session attribute name is defined in the servlet spec; if I'm correct then session.setAttribute(keyName, Principal) isn't going to help you much. Each vendor (again, I think, from what I read) can implement the security as they see fit. The only thing they must do is provide a means of configuring realms and handle a request that matches the j_security_check, j_username, j_password stuff. To be a compliant container, when you make such a request the container must have a configurable means of authenticating.

Now where JAAS comes into it is that JAAS, like the servlet spec, is a standard, and thus vendor support is likely to be there. But not all realm authentication is JAAS. In a lot of cases a datasource/JDBC realm that comes with most containers will do the job. But if this isn't the case then it might be easier writing a JAAS LoginModule and then wiring it into the container, along with the JAAS configuration that you need to define using the java.security.auth.login.config property.

If you're authenticating against a database, then don't get bogged down with JAAS, and use a datasource realm. Assuming you configure it correctly you'll have all the request.getUserPrincipal() and isUserInRole stuff to use in your webapp.

http://tomcat.apache.org/tomcat-5.0-doc/realm-howto.html

In most cases you don't need JAAS; if you're activating the security manager then you'd need to have a pretty good grasp of all this stuff. And from what I see not many folk bother with the security manager.

I guess the question is: what are you authenticating against? And which container are you using?

Mark
Re: Struts Security
Cheers for all the advice.

I have already implemented JDBCRealm but have decided to try out the SecurityFilter (as recommended) to see for myself what it is like and what additional features it offers. Unfortunately I've had a few problems setting up the SecurityFilter...

To start off with, Tomcat always displayed the following message during startup: 'SEVERE: Error filterStart'. Following on from advice I received on the SecurityFilter help forum I tried adding catalina.jar to Tomcat's classpath. This resulted in NoClassDefFoundError: org/apache/commons/digester/RuleSet, which I fixed by adding commons-digester.jar to Tomcat's classpath.

Now when I run Tomcat I get the following error:

java.lang.NoClassDefFoundError: org/apache/tomcat/util/log/SystemLogHandler
    at java.lang.Class.getDeclaredConstructors0(Native Method)
<snip/>

I've searched through a number of *.jar files on my machine and looked on Google, but can not find out which *.jar contains the SystemLogHandler class file.

If anyone can tell me which files I need to add to the classpath, or indeed if it sounds like I've configured some part of my application incorrectly, then I'd really appreciate some of your input.

Thank you in advance (once again),

Tim Christopher
RE: Struts Security
Hi

1. It means that any authentication token will not be propagated to a J2EE EJB server.

2. When using the role attribute with Tiles, it will pick up what you have defined in SecurityFilter.

Hermod
Re: Struts Security
Hi,

I've never used EJB so have no idea what this means, can someone explain please?

"When SecurityFilter is used, a user's Principal will not automatically be propagated to EJB calls. If this is a requirement for your application, you may not be able to use SecurityFilter."

Also, (as above) I'm using JDBCRealm to authenticate clients. I then have a tile which contains all the menu settings; I use the present roles to check which features should be loaded. How easy would it be to implement this using the SecurityFilter - does anyone know of a good tutorial?

Cheers,

Tim

On Thu, 27 Jan 2005 08:25:14 +0100, [EMAIL PROTECTED] wrote:

Hi

Take a look at SecurityFilter - http://securityfilter.sourceforge.net/

Works like a charm with Tomcat and JDBC realms. Then you do REAL declarative security - no coding needed.

Hermod

-----Original Message-----
From: [EMAIL PROTECTED]
Sent: Thursday, January 27, 2005 6:31 AM
To: user@struts.apache.org
Subject: RE: Struts Security

I think the logic:present tag will allow access to any of the roles mentioned.

Mohan

-----Original Message-----
From: Tim Christopher
Sent: Thursday, January 27, 2005 9:41 AM
To: Struts Users Mailing List
Subject: Re: Struts Security

Just a quick question... What is gained by using code like this:

String[] roles = mapping.getRoleNames();
if (roles == null || roles.length == 0) {
    return true;
}
for (int i = 0; i < roles.length; i++) {
    if (request.isUserInRole(roles[i])) {
        return true;
    }
}
return false;

...isn't that the same as <logic:present role="roleA, roleB, roleG">? Or is that a check for all roles: roleA, roleB, and roleG?

Tim
Re: Struts Security
At 10:05 AM 1/27/05, Tim Christopher wrote:

Hi, I've never used EJB so have no idea what this means, can someone explain please?

"When SecurityFilter is used, a user's Principal will not automatically be propagated to EJB calls. If this is a requirement for your application, you may not be able to use SecurityFilter."

If you don't use EJB, then it's not an issue for you, but part of the appeal of container managed security is that it makes the same java.security.Principal (representing the authenticated user) available to both the servlet and the EJB layer code.

I haven't used SecurityFilter before, but it looks handy. My main issue with Container Based auth is its inability to support user-initiated login -- it only works by intercepting a request for a normal resource and then challenging for login.

Joe

--
Joe Germuska
http://blog.germuska.com
"Narrow minds are weapons made for mass destruction" -The Ex
RE: Struts Security
Joe - Your comment "My main issue with Container Based auth is its inability to support user-initiated login -- it only works by intercepting a request for a normal resource and then challenging for login." struck a chord with me - it's one of the reasons I've never looked at implementing CMS. How do you handle this? Roll your own?

Jerry Jalenak
Senior Programmer / Analyst, Web Publishing
LabOne, Inc.
10101 Renner Blvd.
Lenexa, KS 66219
(913) 577-1496
RE: Struts Security
At 9:46 AM -0600 1/27/05, Jerry Jalenak wrote:

Joe - Your comment "My main issue with Container Based auth is its inability to support user-initiated login -- it only works by intercepting a request for a normal resource and then challenging for login." struck a chord with me - it's one of the reasons I've never looked at implementing CMS. How do you handle this? Roll your own?

Yes; it's not too hard to come up with a simple user model, although obviously more sophisticated apps can be a headache to build from scratch. If you have some mechanism to get a user into the session, then it's not too hard to override the processRoles step in the request process to provide struts-config level declarative security comparable to what happens by default using container-managed security.

I haven't had call to try to replicate the tag-library behavior. We usually have interfaces that are different enough based on role that it's just as well to have separate templates as to try to have one with a bunch of conditionals.

There was a pretty good JDJ article about two years ago which laid out all the flaws of container based security -- besides the aforementioned no-user-initiated login, it's pretty hard to use container managed security on resources which don't *require* authentication, but behave differently after authentication. I never tried to use their implementation, and the Filter nature of SecurityFilter makes it look like probably a better solution to the same problem. (Two years ago, we may not have been on Servlet 2.3 yet, but that's not an issue now...)

Joe

--
Joe Germuska
http://blog.germuska.com
"Narrow minds are weapons made for mass destruction" -The Ex
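The processRoles override Joe describes, as an added example (not Joe's code): a RequestProcessor subclass that enforces the roles="..." attribute of an <action> mapping against a user object the application itself stored in the session after a user-initiated login. It keeps the semantics of the default processRoles, which is also what Tim's quoted loop earlier in the thread does: no roles configured means open access, otherwise any ONE of the listed roles is enough (it is not an all-roles check). The SessionUser class and the "currentUser" session key are assumptions for this example; the processor is wired in with <controller processorClass="..."/> in struts-config.xml.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

/** Added example: struts-config level role checks backed by a session user instead of the container. */
public class SessionRoleRequestProcessor extends RequestProcessor {

    /** Minimal user model (assumed) that the application's own login action puts in the session. */
    public static class SessionUser {
        private final String name;
        private final Set<String> roles;

        public SessionUser(String name, Set<String> roles) {
            this.name = name;
            this.roles = Collections.unmodifiableSet(new HashSet<String>(roles));
        }

        public String getName() { return name; }

        public boolean hasRole(String role) { return roles.contains(role); }
    }

    /** Assumed session attribute name under which the login action stores the SessionUser. */
    public static final String USER_KEY = "currentUser";

    /**
     * Decision function with the default processRoles semantics: no configured roles means
     * the action is open; otherwise the user must hold at least one of them.
     */
    static boolean isAllowed(SessionUser user, String[] requiredRoles) {
        if (requiredRoles == null || requiredRoles.length == 0) {
            return true;
        }
        if (user == null) {
            return false;
        }
        for (int i = 0; i < requiredRoles.length; i++) {
            if (user.hasRole(requiredRoles[i].trim())) {
                return true;
            }
        }
        return false;
    }

    protected boolean processRoles(HttpServletRequest request, HttpServletResponse response,
            ActionMapping mapping) throws IOException, ServletException {
        HttpSession session = request.getSession(false);
        SessionUser user = session == null ? null : (SessionUser) session.getAttribute(USER_KEY);
        if (isAllowed(user, mapping.getRoleNames())) {
            return true; // carry on with the action
        }
        // Fail closed: log what a reviewer of the access log would want, then stop processing.
        log.warn("access denied: path=" + mapping.getPath()
                + " user=" + (user == null ? "anonymous" : user.getName())
                + " ip=" + request.getRemoteAddr());
        response.sendError(user == null ? HttpServletResponse.SC_UNAUTHORIZED
                                        : HttpServletResponse.SC_FORBIDDEN);
        return false;
    }
}
```

Unlike container-managed security, this check only covers requests that reach the Struts controller; JSPs or other resources served directly still need either a security-constraint or a filter in front of them, which is the gap Craig's advice later in the thread (route every page through an Action) closes.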
Re: Struts Security
On Thu, 27 Jan 2005 11:02:35 -0600, Joe Germuska wrote:

At 9:46 AM -0600 1/27/05, Jerry Jalenak wrote:

Joe - Your comment "My main issue with Container Based auth is its inability to support user-initiated login -- it only works by intercepting a request for a normal resource and then challenging for login." struck a chord with me - it's one of the reasons I've never looked at implementing CMS. How do you handle this? Roll your own?

Look at what AppFuse does. Matt Raible has user-initiated and remember-me functionality with CMS. It's not really that complicated.

--
James A Barrows
RE: Struts Security
Also see this article:

http://www.javaworld.com/javaworld/jw-07-2004/jw-0726-security.html

J2EE security: Container versus custom
Choose the appropriate type of security for your application

Summary: This article covers the factors to consider when choosing between custom security and J2EE standard security, also known as container security. It briefly covers how each type of security works and then illustrates their differences, strengths, and weaknesses. Although J2EE security itself applies to all components of an enterprise application, this discussion's main focus is Web application security or, more specifically, authentication. (6,000 words; July 26, 2004)
Re: Struts Security
I kind of set our security up before the struts menu was in place. What I have done that seems to work well so far is extend the Action class with a SecureAction class that validates the user's role before it lets the user into an action. The execute method actually validates and calls an abstract secureExecute (which is now the main struts method) if the user is in the role. I set a roleId in the struts-config.xml for each action which really isn't a big deal (<set-property property="actionRole" value="700"/>). That way the role is set up 1 time for each action. You can use the same role for several actions if you like.

When the user logs in, I retrieve all the roles allowed for that user and store it in a UserContext object in the session. I then have a menu tag that dynamically builds the menu for them which isn't that difficult to set up. I use it in a tile so I only insert it 1 time. Just some ideas.

Craig McClanahan wrote:

On Sun, 23 Jan 2005 18:39:50, Tim Christopher [EMAIL PROTECTED] wrote:

Hi, I am designing a web application using Struts, which will run using Tomcat. The system will have upwards of 1000 users, with each user having any number of around 10 possible roles. I'm currently thinking of using JDBCRealm within the Tomcat xml file to set the roles for each of the users, then extending the RequestProcessor to ensure only authorised users can enter the secure area. I then have a number of menu options that should only be made visible to users with certain roles; I intend to use <logic:present role="..."> or <req:isUserInRole role="..."> to do this - from what I can see they are functionally identical(?).

The implementation of <logic:present role="..."> uses request.isUserInRole() under the covers :-).

I guess what I'd like to know is:

* Will this approach actually work?

Yep.

* Is there a better way?

This sounds best for your use case.

* Will any changes to user roles made within the database automatically update the roles that tomcat uses from the JDBCRealm, or will it require a server restart?

Tomcat's JDBCRealm caches the relevant roles for a user when he or she logs on, so they won't change for the length of that session ... but changes will get reflected next time the same person logs on.

* Also if I use a check within the jsp like <logic:present role="..."> to decide if a component should be displayed, I have read it is also advisable to require the presence of a role to use the Action. This method will require two updates to allow an additional role to access a resource (update in the jsp, and in the xml file) - is there a way around this?

You can prohibit direct access to JSP pages (requiring that they go through an Action first) and only need to configure the XML file to limit access to a complete page. But you'll still need the inner logic if you want to do things differently, based on role, within a page.

Thank you in advance, Tim Christopher

Craig
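One way to build the SecureAction / actionRole scheme Nic describes, as an added example that is not his code or the project's: a custom ActionMapping subclass so that `<set-property property="actionRole" value="700"/>` has somewhere to land, a session-scoped UserContext holding the role ids loaded at login, and an abstract SecureAction whose final execute() performs the check and then delegates to secureExecute(). It assumes Struts 1.2 on the classpath, Java 5 or later for generics, a global forward named "login", and the class and attribute names shown; all of those are assumptions, not from the post.

```java
// Added example (not Nic Holbrook's code): SecureAction / actionRole on Struts 1.2.
// Class names, the "login" forward and the UserContext shape are assumptions.

// ---- File: UserContext.java  (built at login, stored in the session) ----
import java.io.Serializable;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

public class UserContext implements Serializable {
    public static final String SESSION_KEY = "userContext";
    private final String username;
    private final Set<Integer> roleIds;

    public UserContext(String username, Set<Integer> roleIds) {
        this.username = username;
        this.roleIds = Collections.unmodifiableSet(new HashSet<Integer>(roleIds));
    }
    public String getUsername() { return username; }
    public boolean hasRole(int roleId) { return roleIds.contains(roleId); }
}

// ---- File: SecureActionMapping.java ----
// Lets struts-config.xml carry a role id per action:
//   <action-mappings type="example.SecureActionMapping">
//     <action path="/editOrder" type="example.EditOrderAction" name="orderForm">
//       <set-property property="actionRole" value="700"/>
//       <forward name="success" path="/order.jsp"/>
//     </action>
//   </action-mappings>
import org.apache.struts.action.ActionMapping;

public class SecureActionMapping extends ActionMapping {
    private int actionRole = -1;            // -1: no role required (public action)
    public int getActionRole() { return actionRole; }
    public void setActionRole(int actionRole) { this.actionRole = actionRole; }
}

// ---- File: SecureAction.java ----
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public abstract class SecureAction extends Action {

    /** execute() is final so a subclass cannot bypass the role check. */
    public final ActionForward execute(ActionMapping mapping, ActionForm form,
                                       HttpServletRequest request,
                                       HttpServletResponse response)
            throws Exception {
        if (!(mapping instanceof SecureActionMapping)) {
            // action-mappings type not set: a misconfiguration, so fail closed.
            throw new ServletException("mapping for " + mapping.getPath()
                    + " is not a SecureActionMapping");
        }
        HttpSession session = request.getSession(false);
        UserContext user = (session == null) ? null
                : (UserContext) session.getAttribute(UserContext.SESSION_KEY);
        if (user == null) {
            // Not logged in: send to the application's own login page
            // (a global forward named "login"), which is the user-initiated
            // login that container security does not give you.
            return mapping.findForward("login");
        }
        int required = ((SecureActionMapping) mapping).getActionRole();
        if (required >= 0 && !user.hasRole(required)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return null;                    // response committed; stop here
        }
        return secureExecute(mapping, form, request, response);
    }

    /** The real action body; only reached once the role check has passed. */
    protected abstract ActionForward secureExecute(ActionMapping mapping,
            ActionForm form, HttpServletRequest request,
            HttpServletResponse response) throws Exception;
}
```

The check fails closed in both directions that matter: an action whose mapping was not declared as a SecureActionMapping throws rather than silently running unprotected, and an action with a role set denies anyone whose UserContext lacks it. Because the roles are snapshotted into the session at login, a role revoked in the database takes effect at the user's next login, the same caching behaviour Craig describes for Tomcat's JDBCRealm.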
Re: Struts Security
I forgot to mention the reason I did this was because we already had a security mechanism in place and didn't have the liberty of using realms on the web or anything like that. It had to be a custom configuration.

Nic Holbrook wrote:

I kind of set our security up before the struts menu was in place. What I have done that seems to work well so far is extend the Action class with a SecureAction class that validates the user's role before it lets the user into an action. [...]
Re: Struts Security
Just a quick question... What is gained by using code like this:

    String[] roles = mapping.getRoleNames();
    if (roles == null || roles.length == 0) return true;
    for (int i = 0; i < roles.length; i++) {
        if (request.isUserInRole(roles[i])) {
            return true;
        }
    }
    return false;

...isn't that the same as <logic:present role="roleA, roleB, roleG">? Or is that a check for all roles: roleA, roleB, and roleG?

Tim

On Wed, 26 Jan 2005 20:27:22 -0700, Nic Holbrook [EMAIL PROTECTED] wrote:

I forgot to mention the reason I did this was because we already had a security mechanism in place and didn't have the liberty of using realms on the web or anything like that. It had to be a custom configuration. [...]
RE: Struts Security
I think the logic:present tag will allow access to any of the roles mentioned.

Mohan

-Original Message-
From: Tim Christopher [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 27, 2005 9:41 AM
To: Struts Users Mailing List
Subject: Re: Struts Security

Just a quick question... What is gained by using code like this: [...] ...isn't that the same as <logic:present role="roleA, roleB, roleG">? Or is that a check for all roles: roleA, roleB, and roleG?

Tim
RE: Struts Security
Hi

Take a look at SecurityFilter - http://securityfilter.sourceforge.net/

Works like a charm with Tomcat and JDBC realms. Then you do REAL declarative security - No coding needed.

Hermod

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 27, 2005 6:31 AM
To: user@struts.apache.org
Subject: RE: Struts Security

I think the logic:present tag will allow access to any of the roles mentioned.

Mohan [...]
Re: Struts Security
Tim Christopher wrote:

Hi, I am designing a web application using Struts, which will run using Tomcat. The system will have upwards of 1000 users, with each user having any number of around 10 possible roles. I'm currently thinking of using JDBCRealm within the Tomcat

Sounds good

xml file to set the roles for each of the users,

You set it in DB not in XML.

then extending the RequestProcessor to ensure only authorised users can enter the secure area.

You don't need to do that.

I then have a number of menu options that should only be made visible to users with certain roles;

Try Struts menu.

hth, .V

I intend to use <logic:present role="..."> or <req:isUserInRole role="..."> to do this - from what I can see they are functionally identical(?). I guess what I'd like to know is: * Will this approach actually work? * Is there a better way? * Will any changes to user roles made within the database automatically update the roles that tomcat uses from the JDBCRealm, or will it require a server restart? * Also if I use a check within the jsp like <logic:present role="..."> to decide if a component should be displayed, I have read it is also advisable to require the presence of a role to use the Action. This method will require two updates to allow an additional role to access a resource (update in the jsp, and in the xml file) - is there a way around this? Thank you in advance, Tim Christopher

--
RiA-SoA w/JDNC http://www.SandraSF.com forums - help develop a community
My blog http://www.sandrasf.com/adminBlog
Re: Struts Security
On Sun, 23 Jan 2005 18:39:50, Tim Christopher [EMAIL PROTECTED] wrote:

Hi, I am designing a web application using Struts, which will run using Tomcat. The system will have upwards of 1000 users, with each user having any number of around 10 possible roles. I'm currently thinking of using JDBCRealm within the Tomcat xml file to set the roles for each of the users, then extending the RequestProcessor to ensure only authorised users can enter the secure area. I then have a number of menu options that should only be made visible to users with certain roles; I intend to use <logic:present role="..."> or <req:isUserInRole role="..."> to do this - from what I can see they are functionally identical(?).

The implementation of <logic:present role="..."> uses request.isUserInRole() under the covers :-).

I guess what I'd like to know is:

* Will this approach actually work?

Yep.

* Is there a better way?

This sounds best for your use case.

* Will any changes to user roles made within the database automatically update the roles that tomcat uses from the JDBCRealm, or will it require a server restart?

Tomcat's JDBCRealm caches the relevant roles for a user when he or she logs on, so they won't change for the length of that session ... but changes will get reflected next time the same person logs on.

* Also if I use a check within the jsp like <logic:present role="..."> to decide if a component should be displayed, I have read it is also advisable to require the presence of a role to use the Action. This method will require two updates to allow an additional role to access a resource (update in the jsp, and in the xml file) - is there a way around this?

You can prohibit direct access to JSP pages (requiring that they go through an Action first) and only need to configure the XML file to limit access to a complete page. But you'll still need the inner logic if you want to do things differently, based on role, within a page.

Thank you in advance, Tim Christopher

Craig
Re: Struts Security
I then have a number of menu options that should only be made visible to users with certain roles;

Try Struts menu.

I have looked at the Struts Menu ( http://struts-menu.sourceforge.net/ ) and I think I'll probably give it a go! Does anyone else here have any experience using the Struts Menu, and if so what did you think of it?... And would you recommend it? :o)
Re: Struts Security
On Wed, 19 Jan 2005 21:54:48 +0900, Sylvain ~ [EMAIL PROTECTED] wrote:

I'm working on a simple application which requires very simple security as given there are only 3 kinds of users: anonymous, users and admin. For portability issues, I don't want to use Tomcat's security system.

Please explain that logic. AFAIK, Tomcat's security system follows the specification for container managed security. The only deviation is in the implementation of Realms which are outside of the servlet specification, and would not be part of your web application anyway.

Larry
Re: Struts Security
In part for the reason you specified, where the response has already been committed in tiles, I prefer to move that kind of logic back into the pre-view stages of request processing. In Struts 1.2.x, you could extend the TilesRequestProcessor and change the implementation of processRoles so that it handles security the way you prefer, before the action's execute method is ever called (and actually before the form is populated as well).

http://struts.apache.org/api/org/apache/struts/action/RequestProcessor.html#processRoles(javax.servlet.http.HttpServletRequest,%20javax.servlet.http.HttpServletResponse,%20org.apache.struts.action.ActionMapping)

In Struts 1.3, the default RequestProcessor will use a chain of commands, and in this case, you would replace the AuthorizeAction command from the chain with one of your own. It is possible to implement this in Struts 1.2.x using the struts-chain library, but since that library was never released on its own, it's a small amount of work just to get the code. Hopefully sometime in the next couple of weeks we'll have a stable SVN version of Struts 1.3.x which uses a modified form of the chain processing, but I couldn't say when that would be ready for a production release.

Joe

At 9:54 PM +0900 1/19/05, Sylvain ~ wrote:

I'm working on a simple application which requires very simple security as given there are only 3 kinds of users: anonymous, users and admin. For portability issues, I don't want to use Tomcat's security system. I think using JAAS or securityFilter for such a simple application would create more problems than it would solve, so I firstly decided to implement a security feature with a jsp tag that I'll include in my webpages. The tag is similar to the one provided as an example of struts: checkLogon. It was working well with the first drafts of my application, but since I use Tiles I can't perform any redirect with this tag, I just get a blank page where the protected page should take place.

The page access is protected well, but what should I do if I want to have a 403 page instead of just displaying the page? Any Idea would be appreciated.

Sylvain.

--
Joe Germuska [EMAIL PROTECTED] http://blog.germuska.com
"Narrow minds are weapons made for mass destruction" -The Ex
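The processRoles override Joe suggests, written out as an added example that is neither his code nor the project's. It also answers Tim's question earlier in the thread about the getRoleNames() loop: the roles listed on a mapping are alternatives, so the check passes when the user holds any one of them. On failure the processor decides the outcome itself, which is what Sylvain's tag could not do once Tiles had started writing: an anonymous user is redirected to a login action, an authenticated user with none of the listed roles gets a 403. The check runs before form population and before execute(). It assumes Struts 1.2 with the Tiles plugin and container authentication (getUserPrincipal / isUserInRole); with a session-based user model of your own, those two calls become a session lookup. The "/login.do" path and the "returnTo" attribute name are assumptions.

```java
// Added example (not Joe Germuska's code): processRoles on Struts 1.2 + Tiles.
//
// struts-config.xml (the "roles" attribute is standard Struts 1.1+):
//   <action path="/admin/users" type="example.UsersAction" roles="admin,auditor"/>
//   <controller processorClass="example.SecureRequestProcessor"/>
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.tiles.TilesRequestProcessor;

public class SecureRequestProcessor extends TilesRequestProcessor {

    static final String LOGIN_PATH = "/login.do";        // assumption

    /** true lets processing continue to the action; false means the
     *  response has already been written and the action must not run. */
    protected boolean processRoles(HttpServletRequest request,
                                   HttpServletResponse response,
                                   ActionMapping mapping)
            throws IOException, ServletException {
        String[] roles = mapping.getRoleNames();         // from roles="a,b,c"
        if (roles == null || roles.length == 0) {
            return true;                                  // no roles: public mapping
        }
        if (request.getUserPrincipal() == null) {
            // Not authenticated: user-initiated login on our own page.
            // Remember the requested path (the server-side URI, not a
            // user-supplied parameter) so login can send the user back.
            String back = request.getRequestURI();
            if (request.getQueryString() != null) {
                back += "?" + request.getQueryString();
            }
            request.getSession(true).setAttribute("returnTo", back);
            response.sendRedirect(response.encodeRedirectURL(
                    request.getContextPath() + LOGIN_PATH));
            return false;
        }
        if (isInAnyRole(request, roles)) {
            return true;
        }
        // Authenticated but not authorised: a real 403 instead of the
        // stock processor's generic error, and nothing of the page rendered.
        response.sendError(HttpServletResponse.SC_FORBIDDEN,
                "not permitted: " + mapping.getPath());
        return false;
    }

    /** Any-of check: holding one of the mapping's roles is enough. */
    static boolean isInAnyRole(HttpServletRequest request, String[] roles) {
        for (int i = 0; i < roles.length; i++) {
            if (request.isUserInRole(roles[i])) {
                return true;
            }
        }
        return false;
    }
}
```

If a mapping should require all of several roles rather than any one, that is not expressible in the roles attribute; encode it as a single composite role in the realm, or add a second mapping property, rather than loosening the loop above.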
Re: Struts Security
On Wed, 19 Jan 2005 21:54:48 +0900, Sylvain ~ [EMAIL PROTECTED] wrote:

I'm working on a simple application which requires very simple security as given there are only 3 kinds of users: anonymous, users and admin. For portability issues, I don't want to use Tomcat's security system.

Tomcat doesn't have a Tomcat-specific security mechanism. They use the one specified by the JSP/Servlet spec.

I think using JAAS or securityFilter for such a simple application would create more problems than it would solve, so I firstly decided to implement a security feature with a jsp tag that I'll include in my webpages.

Not really, as you found out putting pages together is a bit tricky. Security filter is much easier, and using the JSP/Servlet security even easier. JAAS is usually wrapped by a Security Filter, and Tomcat has a JAAS plugin to implement the standard security.

The tag is similar to the one provided as an example of struts: checkLogon. It was working well with the first drafts of my application, but since I use Tiles I can't perform any redirect with this tag, I just get a blank page where the protected page should take place. The page access is protected well, but what should I do if I want to have a 403 page instead of just displaying the page? Any Idea would be appreciated.

Sylvain.
Re: Struts security/validation
On Wed, 11 Aug 2004 14:45:05 +0100, James Adams [EMAIL PROTECTED] wrote:

Hello all, I'm in the process of trying to secure my struts application against Cross site scripting, SQL injection style attacks. One of the things I'm doing to prevent this is trying to restrict special characters (;.(){}...etc) getting beyond the validator. At the moment I'm using the validator plugin, within my validation.xml I use the mask validator with the regular expression;

    ..
    <var-name>mask</var-name>
    <var-value>^[^;'\.\^\$\*\+\?\{\}\[\]\\\|\(\)]+$</var-value>
    ..

1. Does anyone know the syntax for also preventing < and > within the regular expression bearing in mind it's declared in XML?

In your regexp, you can specify the < and > entities as &lt; and &gt; respectively.

Or is there some kind of default validator that does this?

2. Some of my action functions also take input in the url as a GET which does not go through the Validator, this is then used to access a DB, these also need to be secured. Obviously I can do this within each individual Action class, but where would be the best single place I could stop characters like ; ever getting as far as the Action classes?

1) You can use a strategy similar to the one described in the below url http://wiki.apache.org/struts/StrutsCatalogBaseAction

OR

2) You can also define a custom RequestProcessor and override processPreprocess(HttpServletRequest request, HttpServletResponse response).

Any other suggestions would be much appreciated, as I couldn't find very much related to securing struts applications

many thanks in advance

regards

James

Kishore Senji.
RE: Struts security/validation
-Original Message-
From: James Adams [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 11, 2004 6:45 AM
To: Struts Users Mailing List
Subject: Struts security/validation

Hello all, I'm in the process of trying to secure my struts application against Cross site scripting, SQL injection style attacks. One of the things I'm doing to prevent this is trying to restrict special characters (;.(){}...etc) getting beyond

Semicolon and period are perfectly legitimate for a textarea input. I use a filter, that goes through the parameters looking for select.*from.* for a quick check, then do a second more detailed look before rejecting for a security violation. I do the same thing for insert and update as well, as separate checks, which gives me some idea how far into the attack they've gotten. I would also do the same thing for a cross site scripting attack, if I had a check for it.. actually look for keywords before flagging anything. Since I do a lot of internal web apps, I'm not as concerned about this as I would be if I had external sites.

the validator. At the moment I'm using the validator plugin, within my validation.xml I use the mask validator with the regular expression;

    .
    <var-name>mask</var-name>
    <var-value>^[^;'\.\^\$\*\+\?\{\}\[\]\\\|\(\)]+$</var-value>
    .

1. Does anyone know the syntax for also preventing < and > within the regular expression bearing in mind it's declared in XML? Or is there some kind of default validator that does this?

2. Some of my action functions also take input in the url as a GET which does not go through the Validator, this is then used to access a DB, these also need to be secured. Obviously I can do this within each individual Action class, but where would be the best single place I could stop characters like ; ever getting as far as the Action classes?

Any other suggestions would be much appreciated, as I couldn't find very much related to securing struts applications

many thanks in advance

regards

James
Re: Struts security/validation
On Wed, 11 Aug 2004 14:45:05 +0100, James Adams [EMAIL PROTECTED] wrote:
> Hello all,
>
> I'm in the process of trying to secure my struts application against Cross site scripting, SQL injection style attacks. One of the things I'm doing to prevent this is trying to restrict special characters (;.(){}...etc) getting beyond the validator.

Just thinking out loud for a moment ...

Cross site scripting attacks don't happen when sensitive characters are inside an *input* field. The problem comes if you *output* the data without filtering for them. That's why the Struts bean:write tag, for example, filters , , , and ; for you unless you explicitly tell it not to, so if you are diligent about how you copy your database data to output pages, you can safely accept these kinds of character in input.

I notice that Kishore Senji (one of the other respondents in this thread) is using Google's Gmail, just as I am at the moment. Since this is a web application, it's a good thing that Google isn't disallowing the magic characters on input into a textarea, or else we would not be able to participate in this conversation :-).

Is filtering input really the appropriate strategy for dealing with this problem? If successful it will certainly help, but the approach strikes me as overly restrictive for most application needs.

Craig
RE: Struts security/validation
-----Original Message-----
From: Craig McClanahan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 11, 2004 10:21 AM
To: Struts Users Mailing List
Subject: Re: Struts security/validation

> On Wed, 11 Aug 2004 14:45:05 +0100, James Adams [EMAIL PROTECTED] wrote:
> > One of the things I'm doing to prevent this is trying to restrict special characters (;.(){}...etc) getting beyond the validator.
>
> Just thinking out loud for a moment ...
>
> [...]
>
> Is filtering input really the appropriate strategy for dealing with this problem? If successful it will certainly help, but the approach strikes me as overly restrictive for most application needs.

It can be appropriate; you might eventually need to turn off that filtering. It may be possible to legitimately allow such characters. The immediate example I can think of is content management. You could jump through hoops (ex. Wikis) to not use html to mark up the input, but why? If you do it on input, you definitely need more than just grepping on characters; you need to look at what the content is. Looking for a javascript tag is good. Maybe running the input through a javascript parser is even better. Lots of ways to do it.

The best reason for doing it on input is that SQL injection and Cross Site Scripting attacks are bad data. Bad data should not make it into the database.
RE: Struts security/validation
I had a similar problem, which I discovered when one of my users tried to enter a street address containing an apostrophe. Since I use apostrophes to delineate my text strings in my SQL statements, this caused a database error. I fixed it by not allowing apostrophes to be entered into any of the text fields. I admit this is overly restrictive, but I don't know how to get the apostrophe into my database otherwise. How would you do it Craig?

For SQL destined text, I disallow \ and '.
For XML destined text, I disallow , , , \, and .

Wiebe de Jong

-----Original Message-----
From: Craig McClanahan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 11, 2004 10:21 AM
To: Struts Users Mailing List
Subject: Re: Struts security/validation

> On Wed, 11 Aug 2004 14:45:05 +0100, James Adams [EMAIL PROTECTED] wrote:
> > One of the things I'm doing to prevent this is trying to restrict special characters (;.(){}...etc) getting beyond the validator.
>
> [...]
>
> Is filtering input really the appropriate strategy for dealing with this problem? If successful it will certainly help, but the approach strikes me as overly restrictive for most application needs.
>
> Craig
RE: Struts security/validation
-----Original Message-----
From: Wiebe de Jong [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 11, 2004 10:32 AM
To: 'Struts Users Mailing List'
Subject: RE: Struts security/validation

> I had a similar problem, which I discovered when one of my users tried to enter a street address containing an apostrophe. Since I use apostrophes to delineate my text strings in my SQL statements, this caused a database error. I fixed it by not allowing apostrophes to be entered into any of the text fields. I admit this is overly restrictive, but I don't know how to get the apostrophe into my database otherwise. How would you do it Craig?

I'd change them to their HTML equivalents.. however I've found that using the prepared sql statements eliminates the interpretation problem you've outlined.

> For SQL destined text, I disallow \ and '.
> For XML destined text, I disallow , , , \, and .
>
> Wiebe de Jong
>
> -----Original Message-----
> From: Craig McClanahan [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, August 11, 2004 10:21 AM
> To: Struts Users Mailing List
> Subject: Re: Struts security/validation
>
> [...]
Re: Struts security/validation
On Wed, 11 Aug 2004 10:32:04 -0700, Wiebe de Jong [EMAIL PROTECTED] wrote:
> I had a similar problem, which I discovered when one of my users tried to enter a street address containing an apostrophe. Since I use apostrophes to delineate my text strings in my SQL statements, this caused a database error. I fixed it by not allowing apostrophes to be entered into any of the text fields.

I hope you never have a customer named O'Reilly :-).

> I admit this is overly restrictive, but I don't know how to get the apostrophe into my database otherwise. How would you do it Craig?
>
> For SQL destined text, I disallow \ and '.

If I'm doing the SQL myself, I always use prepared statements:

    String streetAddress = ...; // String may have \ and ' characters in it
    PreparedStatement stmt = conn.prepareStatement
      ("UPDATE CUSTOMER SET STREET_ADDRESS=? WHERE CUSTID=?");
    stmt.setString(1, streetAddress);
    stmt.setInt(2, custId);
    stmt.executeUpdate();

and let the JDBC driver take care of getting the sensitive characters escaped as needed. (Of course, if you're using a persistence tier abstraction like EJB or JDO or JDBC RowSets or Hibernate or iBatis et al., you don't need to worry about any of this -- it all happens automatically for you.)

> For XML destined text, I disallow , , , \, and .

For XML, I use one of several strategies depending on the detailed situation:

* Recognize that XML allows either or ' as attribute delimiters, so if a string includes one kind, just use the other.
* Write or use an XML serializer that translates to &amp; and so on for me.
* If the XML I am writing is actually markup on a page, use JSF components ... JSF includes APIs that do all the escaping for you.

> Wiebe de Jong

Craig
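The three approaches traded in this thread, side by side, as an added example that is not from any of the posters: James's mask regex from validation.xml (as it survives on the page) applied to sample inputs, Craig's parameterized UPDATE against an in-memory sqlite3 stand-in for the CUSTOMER table, and escaping of the stored value at output time, the job bean:write does by default. The table, the sample addresses and all function names are constructed here.

```python
import html
import re
import sqlite3

# James's mask from validation.xml, exactly as it survives on the page.
# The archive lost the angle-bracket characters, so they are absent here too.
MASK = re.compile(r"^[^;'\.\^\$\*\+\?\{\}\[\]\\\|\(\)]+$")


def passes_mask(value: str) -> bool:
    """Input filtering: True only if none of the listed characters appears."""
    return MASK.match(value) is not None


def open_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the CUSTOMER table in Craig's snippet."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE CUSTOMER (CUSTID INTEGER PRIMARY KEY, STREET_ADDRESS TEXT)"
    )
    conn.execute("INSERT INTO CUSTOMER (CUSTID, STREET_ADDRESS) VALUES (?, ?)", (1, ""))
    return conn


def update_address(conn: sqlite3.Connection, cust_id: int, street_address: str) -> int:
    """Parameterised UPDATE: the value travels separately from the statement
    text, so apostrophes and backslashes need no application-side escaping."""
    cur = conn.execute(
        "UPDATE CUSTOMER SET STREET_ADDRESS=? WHERE CUSTID=?",
        (street_address, cust_id),
    )
    conn.commit()
    return cur.rowcount


def read_address(conn: sqlite3.Connection, cust_id: int) -> str:
    row = conn.execute(
        "SELECT STREET_ADDRESS FROM CUSTOMER WHERE CUSTID=?", (cust_id,)
    ).fetchone()
    return row[0]


def render_address(stored: str) -> str:
    """Output escaping: the stored text is left intact and only made
    HTML-safe at the point it is written into a page."""
    return html.escape(stored, quote=True)


def round_trip(street_address: str) -> dict:
    """Run one address through all three steps and report what each did."""
    conn = open_db()
    try:
        rows = update_address(conn, 1, street_address)
        stored = read_address(conn, 1)
    finally:
        conn.close()
    return {
        "mask_accepts": passes_mask(street_address),
        "rows_updated": rows,
        "stored_verbatim": stored == street_address,
        "rendered": render_address(stored),
    }


if __name__ == "__main__":
    # Constructed inputs: a legitimate apostrophe and period, then markup.
    for address in ("O'Reilly House, 12 Main St.", "12 Main St <b>not bold</b>"):
        print(address, "->", round_trip(address))
```

The first input is rejected by the mask yet stored and rendered correctly by the other two steps, which is the point Craig makes above.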
RE: Struts security/validation
Oracle sql insert needs to escape apostrophes so that you can insert apostrophes. So in your case you may need a utility method to convert all your text containing apostrophes to something like ''. Example: If your user enters "I like he's idea", when inserting to the database you need to convert it to be "I like he''s idea".

Hope this helps.

-----Original Message-----
From: Wiebe de Jong [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 11, 2004 1:32 PM
To: 'Struts Users Mailing List'
Subject: RE: Struts security/validation

> I had a similar problem, which I discovered when one of my users tried to enter a street address containing an apostrophe. Since I use apostrophes to delineate my text strings in my SQL statements, this caused a database error. I fixed it by not allowing apostrophes to be entered into any of the text fields. I admit this is overly restrictive, but I don't know how to get the apostrophe into my database otherwise. How would you do it Craig?
>
> For SQL destined text, I disallow \ and '.
> For XML destined text, I disallow , , , \, and .
>
> Wiebe de Jong
>
> -----Original Message-----
> From: Craig McClanahan [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, August 11, 2004 10:21 AM
> To: Struts Users Mailing List
> Subject: Re: Struts security/validation
>
> [...]
RE: Struts security/validation
Craig, both you and Jim suggested that I make use of prepared statements. I implemented my SQL using strings because it is easier to tweak during the development phase. Now that the project is in maintenance, moving to prepared statements is a good idea. Probably help a bit in performance as well.

As for the XML/SOAP calls, using the serializer to create the character entities would be good.

Thanks
Wiebe de Jong

-----Original Message-----
From: Craig McClanahan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 11, 2004 10:50 AM
To: Struts Users Mailing List
Subject: Re: Struts security/validation

> On Wed, 11 Aug 2004 10:32:04 -0700, Wiebe de Jong [EMAIL PROTECTED] wrote:
> > I admit this is overly restrictive, but I don't know how to get the apostrophe into my database otherwise. How would you do it Craig?
> >
> > For SQL destined text, I disallow \ and '.
>
> If I'm doing the SQL myself, I always use prepared statements:
>
> [...]
>
> > For XML destined text, I disallow , , , \, and .
>
> For XML, I use one of several strategies depending on the detailed situation:
>
> [...]
>
> Craig
Re: Struts security/validation
Jakarta commons lang StringEscapeUtils has a set of utility methods for escaping xml, html, sql, java, javascript ...

http://jakarta.apache.org/commons/lang/apidocs/org/apache/commons/lang/StringEscapeUtils.html

Kishore Senji.

On Wed, 11 Aug 2004 10:41:13 -0700, Jim Barrows [EMAIL PROTECTED] wrote:
> -----Original Message-----
> From: Wiebe de Jong [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, August 11, 2004 10:32 AM
> To: 'Struts Users Mailing List'
> Subject: RE: Struts security/validation
>
> > I had a similar problem, which I discovered when one of my users tried to enter a street address containing an apostrophe. Since I use apostrophes to delineate my text strings in my SQL statements, this caused a database error. I fixed it by not allowing apostrophes to be entered into any of the text fields. I admit this is overly restrictive, but I don't know how to get the apostrophe into my database otherwise. How would you do it Craig?
>
> I'd change them to their HTML equivalents.. however I've found that using the prepared sql statements eliminates the interpretation problem you've outlined.
>
> > For SQL destined text, I disallow \ and '.
> > For XML destined text, I disallow , , , \, and .
> >
> > Wiebe de Jong
> >
> > [...]
Re: Struts security/validation
Craig McClanahan wrote:
> On Wed, 11 Aug 2004 10:32:04 -0700, Wiebe de Jong [EMAIL PROTECTED] wrote:
> > I had a similar problem, which I discovered when one of my users tried to enter a street address containing an apostrophe. Since I use apostrophes to delineate my text strings in my SQL statements, this caused a database error. I fixed it by not allowing apostrophes to be entered into any of the text fields.
>
> I hope you never have a customer named O'Reilly :-).
>
> > I admit this is overly restrictive, but I don't know how to get the apostrophe into my database otherwise. How would you do it Craig?
> >
> > For SQL destined text, I disallow \ and '.
>
> If I'm doing the SQL myself, I always use prepared statements:

Absolutely. PreparedStatement is always the way to go; depending on the database you'll get a couple of performance gains also.

>     String streetAddress = ...; // String may have \ and ' characters in it
>     PreparedStatement stmt = conn.prepareStatement
>       ("UPDATE CUSTOMER SET STREET_ADDRESS=? WHERE CUSTID=?");
>     stmt.setString(1, streetAddress);
>     stmt.setInt(2, custId);
>     stmt.executeUpdate();
>
> and let the JDBC driver take care of getting the sensitive characters escaped as needed.

In fact the drivers should not (again implementation specific) need to do any escaping; the statement and data are separate entities. The statement will still contain ? (or equivalent) in the rdbms.

Brett