Re: Single Signon (was role based actions)

2001-12-31 Thread Dr. BaTien Duong

Yes, I am interested in exploring an open source solution for single SignOn.

I am watching Liberty Alliance, while internally developing a solution based on
JAAS, OpenLDAP, and Kerberos.

BaTien

- Original Message -
From: "Sandra Cann" <[EMAIL PROTECTED]>
To: "Struts Developers List" <[EMAIL PROTECTED]>
Sent: Monday, December 31, 2001 10:09 AM
Subject: Single Signon (was role based actions)


> Batien et al,
>
> I wonder if members of this list would be interested in collaborating with
> the Expresso community on single sign-on features via our opensource
> listserv or the Expresso Users Forum (Single Sign-on topic).
>
> The following document url is a summation of a detailed discussion on
single
> sign on from our open source listserv which you might find interesting
since
> Expresso utilizes Struts. (There is also a link to the open source
archives
> on the home page.)
>
> http://www.jcorporate.com/econtent/Content.do?state=resource&resource=615
> (you will need to be registered at www.jcorporate.com and login to view).
>
> cheers
> Sandra
>
> > -Original Message-
> > From: Dr. BaTien Duong [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, December 11, 2001 7:53 PM
> > To: Struts Developers List
> > Subject: Re: role based actions
> >
> >
> > Brandon:
> >
> > I am interested in your code as we are working on Struts, ldap, and Java
> > single SignOn technology.
> >
> > [EMAIL PROTECTED]
> >
> > - Original Message -
> > From: "Phase Communcations" <[EMAIL PROTECTED]>
> > To: "Struts Developers List" <[EMAIL PROTECTED]>
> > Sent: Tuesday, December 11, 2001 4:43 PM
> > Subject: RE: role based actions
> >
> >
> > > One last thing. When a security check happens and the user is
> > forwarded to
> > > the login. Their desired destination is stored and once their
> > security is
> > > verified they are forwarded on to that page.
> > >
> > > -Original Message-
> > > From: Phase Communcations [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, December 11, 2001 4:40 PM
> > > To: Struts Developers List
> > > Subject: RE: role based actions
> > >
> > >
> > > In my code I extended the action class (not the action servlet) and
> > required
> > > that group access be established on a per extended action class basis.
> > >
> > > Defined within my struts-config file in my action class
> > definitions I use
> > an
> > > extra attribute(s):
> > >
> > > 
> > >
> > > There is a security check within the extended action class that uses
an
> > > extended ActionMapping to retrieve the "group" property and checks it
> > > against the users information (in a database). If the user
> > belongs to the
> > > proper group or one of the groups defined then it allows them access
to
> > that
> > > action/area with their assigned role and permissions. If the security
> > check
> > > fails, they are routed to a login page.
> > >
> > > The other thing that it does is it stores role and permission
> > information
> > in
> > > a bean so that security information can be used to define the view as
> > well.
> > >
> > > I opted out of the container managed security because I was
> > working under
> > > Tomcat 3.2.3 and am trying to create a more independent security
model.
> > This
> > > model also works well for me because I use the command line url
> > format for
> > > mapping to my action classes and none of my views are available but
> > through
> > > action classes (except index.jsp).
> > >
> > > I would be happy to share my code if anyone is interested. I think it
is
> > > flexible enough that it could be incorporated into an ldap
> > system. I have
> > > been conferring with a colleague who is working on struts interacting with
> > > ldap for security and profile management.
> > >
> > > Anyways if you like the idea of security being managed from the action
> > class
> > > and don't expose your views but through action mappings. This might be
a
> > > good solution
> > >
> > > Brandon Goodin
> > > Phase Web and Multimedia
> > > P (406) 862-2245
> > > F (406) 862-0354
> > > [EMAIL PROTECTED]
> > > http://www.phase.ws
> > >
> > >
> > > -Original Message-
> > > From: craigmcc@localhost 

Single Signon (was role based actions)

2001-12-31 Thread Sandra Cann

Batien et al,

I wonder if members of this list would be interested in collaborating with
the Expresso community on single sign-on features via our opensource
listserv or the Expresso Users Forum (Single Sign-on topic).

The following document url is a summation of a detailed discussion on single
sign on from our open source listserv which you might find interesting since
Expresso utilizes Struts. (There is also a link to the open source archives
on the home page.)

http://www.jcorporate.com/econtent/Content.do?state=resource&resource=615
(you will need to be registered at www.jcorporate.com and login to view).

cheers
Sandra

> -Original Message-
> From: Dr. BaTien Duong [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, December 11, 2001 7:53 PM
> To: Struts Developers List
> Subject: Re: role based actions
>
>
> Brandon:
>
> I am interested in your code as we are working on Struts, ldap, and Java
> single SignOn technology.
>
> [EMAIL PROTECTED]
>
> - Original Message -
> From: "Phase Communcations" <[EMAIL PROTECTED]>
> To: "Struts Developers List" <[EMAIL PROTECTED]>
> Sent: Tuesday, December 11, 2001 4:43 PM
> Subject: RE: role based actions
>
>
> > One last thing. When a security check happens and the user is
> forwarded to
> > the login. Their desired destination is stored and once their
> security is
> > verified they are forwarded on to that page.
> >
> > -Original Message-
> > From: Phase Communcations [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, December 11, 2001 4:40 PM
> > To: Struts Developers List
> > Subject: RE: role based actions
> >
> >
> > In my code I extended the action class (not the action servlet) and
> required
> > that group access be established on a per extended action class basis.
> >
> > Defined within my struts-config file in my action class
> definitions I use
> an
> > extra attribute(s):
> >
> > 
> >
> > There is a security check within the extended action class that uses an
> > extended ActionMapping to retrieve the "group" property and checks it
> > against the users information (in a database). If the user
> belongs to the
> > proper group or one of the groups defined then it allows them access to
> that
> > action/area with their assigned role and permissions. If the security
> check
> > fails, they are routed to a login page.
> >
> > The other thing that it does is it stores role and permission
> information
> in
> > a bean so that security information can be used to define the view as
> well.
> >
> > I opted out of the container managed security because I was
> working under
> > Tomcat 3.2.3 and am trying to create a more independent security model.
> This
> > model also works well for me because I use the command line url
> format for
> > mapping to my action classes and none of my views are available but
> through
> > action classes (except index.jsp).
> >
> > I would be happy to share my code if anyone is interested. I think it is
> > flexible enough that it could be incorporated into an ldap
> system. I have
> > been conferring with a colleague who is working on struts interacting with
> > ldap for security and profile management.
> >
> > Anyways if you like the idea of security being managed from the action
> class
> > and don't expose your views but through action mappings. This might be a
> > good solution
> >
> > Brandon Goodin
> > Phase Web and Multimedia
> > P (406) 862-2245
> > F (406) 862-0354
> > [EMAIL PROTECTED]
> > http://www.phase.ws
> >
> >
> > -Original Message-
> > From: craigmcc@localhost [mailto:craigmcc@localhost]On Behalf Of Craig
> > R. McClanahan
> > Sent: Tuesday, December 11, 2001 10:16 AM
> > To: Struts Developers List
> > Subject: Re: role based actions
> >
> >
> >
> >
> > On Tue, 11 Dec 2001 [EMAIL PROTECTED] wrote:
> >
> > > Date: Tue, 11 Dec 2001 10:27:52 -0500
> > > From: [EMAIL PROTECTED]
> > > Reply-To: Struts Developers List <[EMAIL PROTECTED]>
> > > To: [EMAIL PROTECTED]
> > > Subject: role based actions
> > >
> > >
> > > I am a struts "newbie" so I apologize in advance if this topic has already
> > > been beaten to death...
> > >
> > >  ~~~
> > >
> > > I noticed role-based actions on the pending tasks list.
> >
> > Adding this (and a few of the other recent enhancements) to
> Struts 1.1 is
> > de

RE: role based actions

2001-12-12 Thread Phase Communcations

That's good advice. Thanks. I currently am "required" to run Tomcat 3.2.3 so
I decided to go the "hack path" and include my security in struts and hide
all my views(jsp) behind command style urls (no *.do). Yet my code is
flexible enough to take advantage of the container managed security when I
move up to tomcat 4.0 (servlet 2.3/jsp 1.2). Thanks for your direction.

Brandon Goodin
Phase Web and Multimedia
P (406) 862-2245
F (406) 862-0354
[EMAIL PROTECTED]
http://www.phase.ws


-Original Message-
From: Taylor Cowan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 12, 2001 7:18 AM
To: Struts Developers List
Subject: RE: role based actions


Struts is a J2EE add on, thus it should only be aware of J2EE concepts like
"roles".
J2EE provides security through the app server, and the concrete security
scheme may be ldap, jdbc, or other means.  Struts doesn't need security, it
just makes use of J2EE security.  I was just looking over Tomcat and it can
be configured to use LDAP.  Most other app servers should provide that as
well.

If you really do need to implement your own security, it would be better to
add this at the app server level, not struts.

Taylor

-Original Message-
From: Phase Communcations [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 12, 2001 9:54 AM
To: Struts Developers List
Subject: RE: role based actions


The ldap portion is under development. It will be a bit. My code is a struts
centric security at this point. I am experimenting with extending it to
support ldap. I can still show you the code for the security if you would
like.

Brandon Goodin
Phase Web and Multimedia
P (406) 862-2245
F (406) 862-0354
[EMAIL PROTECTED]
http://www.phase.ws


-Original Message-
From: Dr. BaTien Duong [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 11, 2001 5:53 PM
To: Struts Developers List
Subject: Re: role based actions


Brandon:

I am interested in your code as we are working on Struts, ldap, and Java
single SignOn technology.

[EMAIL PROTECTED]

- Original Message -
From: "Phase Communcations" <[EMAIL PROTECTED]>
To: "Struts Developers List" <[EMAIL PROTECTED]>
Sent: Tuesday, December 11, 2001 4:43 PM
Subject: RE: role based actions


> One last thing. When a security check happens and the user is forwarded to
> the login. Their desired destination is stored and once their security is
> verified they are forwarded on to that page.
>
> -Original Message-
> From: Phase Communcations [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, December 11, 2001 4:40 PM
> To: Struts Developers List
> Subject: RE: role based actions
>
>
> In my code I extended the action class (not the action servlet) and
required
> that group access be established on a per extended action class basis.
>
> Defined within my struts-config file in my action class definitions I use
an
> extra attribute(s):
>
> 
>
> There is a security check within the extended action class that uses an
> extended ActionMapping to retrieve the "group" property and checks it
> against the users information (in a database). If the user belongs to the
> proper group or one of the groups defined then it allows them access to
that
> action/area with their assigned role and permissions. If the security
check
> fails, they are routed to a login page.
>
> The other thing that it does is it stores role and permission information
in
> a bean so that security information can be used to define the view as
well.
>
> I opted out of the container managed security because I was working under
> Tomcat 3.2.3 and am trying to create a more independent security model.
This
> model also works well for me because I use the command line url format for
> mapping to my action classes and none of my views are available but
through
> action classes (except index.jsp).
>
> I would be happy to share my code if anyone is interested. I think it is
> flexible enough that it could be incorporated into an ldap system. I have
> been conferring with a colleague who is working on struts interacting with
> ldap for security and profile management.
>
> Anyways if you like the idea of security being managed from the action
class
> and don't expose your views but through action mappings. This might be a
> good solution
>
> Brandon Goodin
> Phase Web and Multimedia
> P (406) 862-2245
> F (406) 862-0354
> [EMAIL PROTECTED]
> http://www.phase.ws
>
>
> -Original Message-
> From: craigmcc@localhost [mailto:craigmcc@localhost]On Behalf Of Craig
> R. McClanahan
> Sent: Tuesday, December 11, 2001 10:16 AM
> To: Struts Developers List
> Subject: Re: role based actions
>
>
>
>
> On Tue, 11 Dec 2001 [EMAIL PROTECTED] wrote:
>
> > Date: Tue, 11 Dec 2001 10:27:52 -0500

RE: role based actions

2001-12-12 Thread Taylor Cowan

Struts is a J2EE add on, thus it should only be aware of J2EE concepts like
"roles".
J2EE provides security through the app server, and the concrete security
scheme may be ldap, jdbc, or other means.  Struts doesn't need security, it
just makes use of J2EE security.  I was just looking over Tomcat and it can
be configured to use LDAP.  Most other app servers should provide that as
well.

If you really do need to implement your own security, it would be better to
add this at the app server level, not struts.

Taylor

-Original Message-
From: Phase Communcations [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 12, 2001 9:54 AM
To: Struts Developers List
Subject: RE: role based actions


The ldap portion is under development. It will be a bit. My code is a struts
centric security at this point. I am experimenting with extending it to
support ldap. I can still show you the code for the security if you would
like.

Brandon Goodin
Phase Web and Multimedia
P (406) 862-2245
F (406) 862-0354
[EMAIL PROTECTED]
http://www.phase.ws


-Original Message-
From: Dr. BaTien Duong [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 11, 2001 5:53 PM
To: Struts Developers List
Subject: Re: role based actions


Brandon:

I am interested in your code as we are working on Struts, ldap, and Java
single SignOn technology.

[EMAIL PROTECTED]

- Original Message -
From: "Phase Communcations" <[EMAIL PROTECTED]>
To: "Struts Developers List" <[EMAIL PROTECTED]>
Sent: Tuesday, December 11, 2001 4:43 PM
Subject: RE: role based actions


> One last thing. When a security check happens and the user is forwarded to
> the login. Their desired destination is stored and once their security is
> verified they are forwarded on to that page.
>
> -Original Message-
> From: Phase Communcations [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, December 11, 2001 4:40 PM
> To: Struts Developers List
> Subject: RE: role based actions
>
>
> In my code I extended the action class (not the action servlet) and
required
> that group access be established on a per extended action class basis.
>
> Defined within my struts-config file in my action class definitions I use
an
> extra attribute(s):
>
> 
>
> There is a security check within the extended action class that uses an
> extended ActionMapping to retrieve the "group" property and checks it
> against the users information (in a database). If the user belongs to the
> proper group or one of the groups defined then it allows them access to
that
> action/area with their assigned role and permissions. If the security
check
> fails, they are routed to a login page.
>
> The other thing that it does is it stores role and permission information
in
> a bean so that security information can be used to define the view as
well.
>
> I opted out of the container managed security because I was working under
> Tomcat 3.2.3 and am trying to create a more independent security model.
This
> model also works well for me because I use the command line url format for
> mapping to my action classes and none of my views are available but
through
> action classes (except index.jsp).
>
> I would be happy to share my code if anyone is interested. I think it is
> flexible enough that it could be incorporated into an ldap system. I have
> been conferring with a colleague who is working on struts interacting with
> ldap for security and profile management.
>
> Anyways if you like the idea of security being managed from the action
class
> and don't expose your views but through action mappings. This might be a
> good solution
>
> Brandon Goodin
> Phase Web and Multimedia
> P (406) 862-2245
> F (406) 862-0354
> [EMAIL PROTECTED]
> http://www.phase.ws
>
>
> -Original Message-
> From: craigmcc@localhost [mailto:craigmcc@localhost]On Behalf Of Craig
> R. McClanahan
> Sent: Tuesday, December 11, 2001 10:16 AM
> To: Struts Developers List
> Subject: Re: role based actions
>
>
>
>
> On Tue, 11 Dec 2001 [EMAIL PROTECTED] wrote:
>
> > Date: Tue, 11 Dec 2001 10:27:52 -0500
> > From: [EMAIL PROTECTED]
> > Reply-To: Struts Developers List <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Subject: role based actions
> >
> >
> > I am a struts "newbie" so I apologize in advance if this topic has already
> > been beaten to death...
> >
> >  ~~~
> >
> > I noticed role-based actions on the pending tasks list.
>
> Adding this (and a few of the other recent enhancements) to Struts 1.1 is
> definitely on *my* list.  I will have some time to do so between Christmas
> and New Years.
>
> Craig McClanahan
>
> >
> > Can anyone comment o

RE: role based actions

2001-12-12 Thread Phase Communcations

The ldap portion is under development. It will be a bit. My code is a struts
centric security at this point. I am experimenting with extending it to
support ldap. I can still show you the code for the security if you would
like.

Brandon Goodin
Phase Web and Multimedia
P (406) 862-2245
F (406) 862-0354
[EMAIL PROTECTED]
http://www.phase.ws


-Original Message-
From: Dr. BaTien Duong [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 11, 2001 5:53 PM
To: Struts Developers List
Subject: Re: role based actions


Brandon:

I am interested in your code as we are working on Struts, ldap, and Java
single SignOn technology.

[EMAIL PROTECTED]

- Original Message -
From: "Phase Communcations" <[EMAIL PROTECTED]>
To: "Struts Developers List" <[EMAIL PROTECTED]>
Sent: Tuesday, December 11, 2001 4:43 PM
Subject: RE: role based actions


> One last thing. When a security check happens and the user is forwarded to
> the login. Their desired destination is stored and once their security is
> verified they are forwarded on to that page.
>
> -Original Message-
> From: Phase Communcations [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, December 11, 2001 4:40 PM
> To: Struts Developers List
> Subject: RE: role based actions
>
>
> In my code I extended the action class (not the action servlet) and
required
> that group access be established on a per extended action class basis.
>
> Defined within my struts-config file in my action class definitions I use
an
> extra attribute(s):
>
> 
>
> There is a security check within the extended action class that uses an
> extended ActionMapping to retrieve the "group" property and checks it
> against the users information (in a database). If the user belongs to the
> proper group or one of the groups defined then it allows them access to
that
> action/area with their assigned role and permissions. If the security
check
> fails, they are routed to a login page.
>
> The other thing that it does is it stores role and permission information
in
> a bean so that security information can be used to define the view as
well.
>
> I opted out of the container managed security because I was working under
> Tomcat 3.2.3 and am trying to create a more independent security model.
This
> model also works well for me because I use the command line url format for
> mapping to my action classes and none of my views are available but
through
> action classes (except index.jsp).
>
> I would be happy to share my code if anyone is interested. I think it is
> flexible enough that it could be incorporated into an ldap system. I have
> been conferring with a colleague who is working on struts interacting with
> ldap for security and profile management.
>
> Anyways if you like the idea of security being managed from the action
class
> and don't expose your views but through action mappings. This might be a
> good solution
>
> Brandon Goodin
> Phase Web and Multimedia
> P (406) 862-2245
> F (406) 862-0354
> [EMAIL PROTECTED]
> http://www.phase.ws
>
>
> -----Original Message-
> From: craigmcc@localhost [mailto:craigmcc@localhost]On Behalf Of Craig
> R. McClanahan
> Sent: Tuesday, December 11, 2001 10:16 AM
> To: Struts Developers List
> Subject: Re: role based actions
>
>
>
>
> On Tue, 11 Dec 2001 [EMAIL PROTECTED] wrote:
>
> > Date: Tue, 11 Dec 2001 10:27:52 -0500
> > From: [EMAIL PROTECTED]
> > Reply-To: Struts Developers List <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Subject: role based actions
> >
> >
> > I am a struts "newbie" so I apologize in advance if this topic has already
> > been beaten to death...
> >
> >  ~~~
> >
> > I noticed role-based actions on the pending tasks list.
>
> Adding this (and a few of the other recent enhancements) to Struts 1.1 is
> definitely on *my* list.  I will have some time to do so between Christmas
> and New Years.
>
> Craig McClanahan
>
> >
> > Can anyone comment on the status and scope of this effort? (link was a
> dead
> > end)
> >
> > The description points to role being driven by security, seems the role
> will
> > be detected and then dispatches to the proper action? points to assoc'd
> form
> > through config?
> >
> > Is this intended to be used for personalization to the extent where a
> person
> > of one role gets a different view, can user customize their view?
> >
> > Does this provide a place holder for that kind of functionality v. any
> > particular "built in" functionality?
> >
> > Thanks, sorry if the questions were a little obtuse.
> >

RE: role based actions

2001-12-11 Thread Craig R. McClanahan



On Tue, 11 Dec 2001, Phase Communcations wrote:

> Date: Tue, 11 Dec 2001 16:43:47 -0700
> From: Phase Communcations <[EMAIL PROTECTED]>
> Reply-To: Struts Developers List <[EMAIL PROTECTED]>
> To: Struts Developers List <[EMAIL PROTECTED]>
> Subject: RE: role based actions
>
> One last thing. When a security check happens and the user is forwarded to
> the login. Their desired destination is stored and once their security is
> verified they are forwarded on to that page.
>

IMHO, doing an "application managed login" mechanism is somewhat different
than "role based actions".  In the latter case, we're simply using the
existing container managed security mechanism (i.e. form-based login, or
BASIC, or whatever you choose) to authenticate the user, and then calling
isUserInRole() to see if they can get to the requested action.  In this
environment, the only interesting decision is "what happens if the user
does not have the required role".   (I vote for throwing a 403 "Forbidden"
error, which is exactly what the container would do if you used a security
constraint -- and the app can override the look and feel by declaring an
error page.)

We can also look at building a scheme for an app to manage its own login,
but that is one of the things that is *much* easier to support using the
Filter API from Servlet 2.3.

Craig


--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
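
The two behaviours discussed in this exchange, combined in a Servlet 2.3 Filter as an added example (not code posted by anyone on this thread): an authenticated user without the required role gets a 403, and an unauthenticated user has the requested path saved in the session before being sent to login. The class name, the init-param names `roles` and `loginPath`, the default `/login.do` and the session key are assumptions; the servlet API must be on the classpath.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical filter; do not map it onto the login path itself (redirect loop). */
public class RoleGateFilter implements Filter {

    /** Session key for the saved destination (name is an assumption). */
    static final String SAVED_TARGET = "roleGate.savedTarget";

    private String[] allowedRoles = new String[0];
    private String loginPath = "/login.do"; // assumed default, context-relative

    public void init(FilterConfig cfg) throws ServletException {
        String roles = cfg.getInitParameter("roles");
        // Fail closed: a gate with no configured roles is a deployment error.
        if (roles == null || roles.trim().length() == 0) {
            throw new ServletException("RoleGateFilter: init-param 'roles' is required");
        }
        allowedRoles = roles.trim().split("\\s*,\\s*");
        String lp = cfg.getInitParameter("loginPath");
        if (lp != null) {
            loginPath = lp;
        }
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        if (req.getUserPrincipal() == null) {
            // Not authenticated: remember where the user was going, server-side.
            // The value is built from the container's parsed path, never from a
            // client-supplied "returnTo" parameter.
            String target = req.getServletPath();
            if (req.getPathInfo() != null) {
                target += req.getPathInfo();
            }
            if ("GET".equals(req.getMethod()) && req.getQueryString() != null) {
                target += "?" + req.getQueryString();
            }
            if (isLocalPath(target)) {
                req.getSession(true).setAttribute(SAVED_TARGET, target);
            }
            res.sendRedirect(res.encodeRedirectURL(req.getContextPath() + loginPath));
            return;
        }

        // Authenticated: any one of the configured roles is sufficient.
        for (int i = 0; i < allowedRoles.length; i++) {
            if (req.isUserInRole(allowedRoles[i])) {
                chain.doFilter(rq, rs);
                return;
            }
        }
        // Authenticated but not authorized: 403, not another trip to the login
        // page. An <error-page> for 403 in web.xml controls the look and feel.
        res.sendError(HttpServletResponse.SC_FORBIDDEN);
    }

    /**
     * For the login action: returns the saved context-relative destination once,
     * then forgets it. The caller prepends getContextPath() before redirecting.
     */
    public static String consumeSavedTarget(HttpServletRequest req, String fallback) {
        HttpSession session = req.getSession(false);
        if (session == null) {
            return fallback;
        }
        String target = (String) session.getAttribute(SAVED_TARGET);
        session.removeAttribute(SAVED_TARGET);
        return isLocalPath(target) ? target : fallback;
    }

    /** Accepts only same-application paths: one leading slash, no backslash, no CR/LF. */
    static boolean isLocalPath(String p) {
        return p != null && p.startsWith("/") && !p.startsWith("//")
                && p.indexOf('\\') < 0 && p.indexOf('\r') < 0 && p.indexOf('\n') < 0;
    }

    public void destroy() {
    }
}
```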




Re: role based actions

2001-12-11 Thread Dr. BaTien Duong

Brandon:

I am interested in your code as we are working on Struts, ldap, and Java
single SignOn technology.

[EMAIL PROTECTED]

- Original Message -
From: "Phase Communcations" <[EMAIL PROTECTED]>
To: "Struts Developers List" <[EMAIL PROTECTED]>
Sent: Tuesday, December 11, 2001 4:43 PM
Subject: RE: role based actions


> One last thing. When a security check happens and the user is forwarded to
> the login. Their desired destination is stored and once their security is
> verified they are forwarded on to that page.
>
> -Original Message-
> From: Phase Communcations [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, December 11, 2001 4:40 PM
> To: Struts Developers List
> Subject: RE: role based actions
>
>
> In my code I extended the action class (not the action servlet) and
required
> that group access be established on a per extended action class basis.
>
> Defined within my struts-config file in my action class definitions I use
an
> extra attribute(s):
>
> 
>
> There is a security check within the extended action class that uses an
> extended ActionMapping to retrieve the "group" property and checks it
> against the users information (in a database). If the user belongs to the
> proper group or one of the groups defined then it allows them access to
that
> action/area with their assigned role and permissions. If the security
check
> fails, they are routed to a login page.
>
> The other thing that it does is it stores role and permission information
in
> a bean so that security information can be used to define the view as
well.
>
> I opted out of the container managed security because I was working under
> Tomcat 3.2.3 and am trying to create a more independent security model.
This
> model also works well for me because I use the command line url format for
> mapping to my action classes and none of my views are available but
through
> action classes (except index.jsp).
>
> I would be happy to share my code if anyone is interested. I think it is
> flexible enough that it could be incorporated into an ldap system. I have
> been conferring with a colleague who is working on struts interacting with
> ldap for security and profile management.
>
> Anyways if you like the idea of security being managed from the action
class
> and don't expose your views but through action mappings. This might be a
> good solution
>
> Brandon Goodin
> Phase Web and Multimedia
> P (406) 862-2245
> F (406) 862-0354
> [EMAIL PROTECTED]
> http://www.phase.ws
>
>
> -----Original Message-
> From: craigmcc@localhost [mailto:craigmcc@localhost]On Behalf Of Craig
> R. McClanahan
> Sent: Tuesday, December 11, 2001 10:16 AM
> To: Struts Developers List
> Subject: Re: role based actions
>
>
>
>
> On Tue, 11 Dec 2001 [EMAIL PROTECTED] wrote:
>
> > Date: Tue, 11 Dec 2001 10:27:52 -0500
> > From: [EMAIL PROTECTED]
> > Reply-To: Struts Developers List <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Subject: role based actions
> >
> >
> > I am a struts "newbie" so I apologize in advance if this topic has already
> > been beaten to death...
> >
> >  ~~~
> >
> > I noticed role-based actions on the pending tasks list.
>
> Adding this (and a few of the other recent enhancements) to Struts 1.1 is
> definitely on *my* list.  I will have some time to do so between Christmas
> and New Years.
>
> Craig McClanahan
>
> >
> > Can anyone comment on the status and scope of this effort? (link was a
> dead
> > end)
> >
> > The description points to role being driven by security, seems the role
> will
> > be detected and then dispatches to the proper action? points to assoc'd
> form
> > through config?
> >
> > Is this intended to be used for personalization to the extent where a
> person
> > of one role gets a different view, can user customize their view?
> >
> > Does this provide a place holder for that kind of functionality v. any
> > particular "built in" functionality?
> >
> > Thanks, sorry if the questions were a little obtuse.
> >
> > -Rick Vaillancourt
> >
> >




RE: role based actions

2001-12-11 Thread Phase Communcations

One last thing. When a security check happens and the user is forwarded to
the login. Their desired destination is stored and once their security is
verified they are forwarded on to that page.

-Original Message-
From: Phase Communcations [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 11, 2001 4:40 PM
To: Struts Developers List
Subject: RE: role based actions


In my code I extended the action class (not the action servlet) and required
that group access be established on a per extended action class basis.

Defined within my struts-config file in my action class definitions I use an
extra attribute(s):



There is a security check within the extended action class that uses an
extended ActionMapping to retrieve the "group" property and checks it
against the users information (in a database). If the user belongs to the
proper group or one of the groups defined then it allows them access to that
action/area with their assigned role and permissions. If the security check
fails, they are routed to a login page.

The other thing that it does is it stores role and permission information in
a bean so that security information can be used to define the view as well.

I opted out of the container managed security because I was working under
Tomcat 3.2.3 and am trying to create a more independent security model. This
model also works well for me because I use the command line url format for
mapping to my action classes and none of my views are available but through
action classes (except index.jsp).

I would be happy to share my code if anyone is interested. I think it is
flexible enough that it could be incorporated into an ldap system. I have
been conferring with a colleague who is working on struts interacting with
ldap for security and profile management.

Anyways if you like the idea of security being managed from the action class
and don't expose your views but through action mappings. This might be a
good solution

Brandon Goodin
Phase Web and Multimedia
P (406) 862-2245
F (406) 862-0354
[EMAIL PROTECTED]
http://www.phase.ws


-Original Message-
From: craigmcc@localhost [mailto:craigmcc@localhost]On Behalf Of Craig
R. McClanahan
Sent: Tuesday, December 11, 2001 10:16 AM
To: Struts Developers List
Subject: Re: role based actions




On Tue, 11 Dec 2001 [EMAIL PROTECTED] wrote:

> Date: Tue, 11 Dec 2001 10:27:52 -0500
> From: [EMAIL PROTECTED]
> Reply-To: Struts Developers List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: role based actions
>
>
> I am a struts "newbie" so I apologize in advance if this topic has already
> been beaten to death...
>
>  ~~~
>
> I noticed role-based actions on the pending tasks list.

Adding this (and a few of the other recent enhancements) to Struts 1.1 is
definitely on *my* list.  I will have some time to do so between Christmas
and New Years.

Craig McClanahan

>
> Can anyone comment on the status and scope of this effort? (link was a dead
> end)
>
> The description points to role being driven by security, seems the role will
> be detected and then dispatches to the proper action? points to assoc'd form
> through config?
>
> Is this intended to be used for personalization to the extent where a person
> of one role gets a different view, can user customize their view?
>
> Does this provide a place holder for that kind of functionality v. any
> particular "built in" functionality?
>
> Thanks, sorry if the questions were a little obtuse.
>
> -Rick Vaillancourt
>
>


--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>








RE: role based actions

2001-12-11 Thread Phase Communcations

In my code I extended the action class (not the action servlet) and required
that group access be established on a per extended action class basis.

Defined within my struts-config file in my action class definitions I use an
extra attribute(s):



There is a security check within the extended action class that uses an
extended ActionMapping to retrieve the "group" property and checks it
against the users information (in a database). If the user belongs to the
proper group or one of the groups defined then it allows them access to that
action/area with their assigned role and permissions. If the security check
fails, they are routed to a login page.

The other thing that it does is it stores role and permission information in
a bean so that security information can be used to define the view as well.

I opted out of the container managed security because I was working under
Tomcat 3.2.3 and am trying to create a more independent security model. This
model also works well for me because I use the command line url format for
mapping to my action classes and none of my views are available but through
action classes (except index.jsp).

I would be happy to share my code if anyone is interested. I think it is
flexible enough that it could be incorporated into an ldap system. I have
been conferring with a colleague who is working on struts interacting with
ldap for security and profile management.

Anyways if you like the idea of security being managed from the action class
and don't expose your views but through action mappings. This might be a
good solution

Brandon Goodin
Phase Web and Multimedia
P (406) 862-2245
F (406) 862-0354
[EMAIL PROTECTED]
http://www.phase.ws


-Original Message-
From: craigmcc@localhost [mailto:craigmcc@localhost]On Behalf Of Craig
R. McClanahan
Sent: Tuesday, December 11, 2001 10:16 AM
To: Struts Developers List
Subject: Re: role based actions




On Tue, 11 Dec 2001 [EMAIL PROTECTED] wrote:

> Date: Tue, 11 Dec 2001 10:27:52 -0500
> From: [EMAIL PROTECTED]
> Reply-To: Struts Developers List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: role based actions
>
>
> I am a struts "newbie" so I apologize in advance if this topic has already
> been beaten to death...
>
>  ~~~
>
> I noticed role-based actions on the pending tasks list.

Adding this (and a few of the other recent enhancements) to Struts 1.1 is
definitely on *my* list.  I will have some time to do so between Christmas
and New Years.

Craig McClanahan

>
> Can anyone comment on the status and scope of this effort? (link was a dead
> end)
>
> The description points to role being driven by security, seems the role will
> be detected and then dispatches to the proper action? points to assoc'd form
> through config?
>
> Is this intended to be used for personalization to the extent where a person
> of one role gets a different view, can user customize their view?
>
> Does this provide a place holder for that kind of functionality v. any
> particular "built in" functionality?
>
> Thanks, sorry if the questions were a little obtuse.
>
> -Rick Vaillancourt
>
>


--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
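
The per-action group check described in the message above, together with the "store the desired destination" step from the follow-up message, as an added example. It is not Brandon's code, Nic Hobbs's extension or Struts itself: it is plain Java with no Struts dependency, and the class, method, path and group names are hypothetical, with in-memory maps standing in for struts-config.xml and the database.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;

public class GroupGuardDemo {
    // Constructed sample data: stands in for the per-action "group" attribute
    // in struts-config.xml and for the user/group rows in the database.
    static final Map<String, Set<String>> ACTION_GROUPS = Map.of(
            "/admin/editUser", Set.of("admins"),
            "/reports/view", Set.of("admins", "staff"));
    static final Map<String, Set<String>> USER_GROUPS = Map.of(
            "alice", Set.of("admins"),
            "bob", Set.of("staff"));
    static final Set<String> NONE = Set.of();

    /** Per-user session state (hypothetical stand-in for HttpSession attributes). */
    static final class Session {
        String user;        // null until login succeeds
        String savedTarget; // action path to resume after login
    }

    /** Pure decision: does this user hold one of the groups the action declares? */
    static boolean authorized(String user, String actionPath) {
        Set<String> required = ACTION_GROUPS.get(actionPath);
        if (required == null) return false; // deny by default: no declaration, no access
        Set<String> held = user == null ? NONE : USER_GROUPS.getOrDefault(user, NONE);
        return !Collections.disjoint(required, held);
    }

    /** What the base action does before any subclass logic runs. */
    static String dispatch(Session s, String actionPath) {
        if (authorized(s.user, actionPath)) return actionPath;
        // Remember only paths that exist in the mapping table, never a
        // caller-supplied URL, so the post-login forward cannot leave the app.
        s.savedTarget = ACTION_GROUPS.containsKey(actionPath) ? actionPath : null;
        return "/login";
    }

    /** After credentials are verified: resume the saved target, re-checking it. */
    static String afterLogin(Session s, String user) {
        s.user = user;
        String target = s.savedTarget;
        s.savedTarget = null;
        return (target != null && authorized(user, target)) ? target : "/index";
    }

    public static void main(String[] args) {
        Session s = new Session();
        System.out.println(dispatch(s, "/reports/view"));   // anonymous request
        System.out.println(afterLogin(s, "bob"));           // resumes saved target
        System.out.println(dispatch(s, "/admin/editUser")); // bob is not an admin
        System.out.println(afterLogin(s, "bob"));           // target re-checked
        System.out.println(dispatch(s, "/unmapped"));       // undeclared action
    }
}
```

The saved target is re-authorized after login because a successful login only proves identity; the user may still lack the group the action declares.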








RE: role based actions

2001-12-11 Thread Cakalic, James

I'm moderately interested as I'm presently defining that part of the
architecture for a new development that is just getting underway.

Jim

> -Original Message-
> From: Andy Noble [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, December 11, 2001 1:31 PM
> To: Struts Developers List
> Subject: Re: role based actions
> 
> 
> I'm using Nic Hobb's extension, although I rewrote his ActionSecurity class
> to support application managed security instead of container managed. I also
> created my own security tag to replace the  roles=".."> tag
> 
> If anyone's interested in the code, let me know.
> 
> Andy
> - Original Message -
> From: Ted Husted <[EMAIL PROTECTED]>
> To: Struts Developers List <[EMAIL PROTECTED]>
> Sent: Tuesday, December 11, 2001 6:44 PM
> Subject: Re: role based actions
> 
> 
> > Craig, have you looked at Nic Hobb's extension?
> >
> > http://husted.com/struts/resources/struts-security.htm
> >
> > There's a place on my agenda where I was going to try it myself, but
> > still haven't gotten there.
> >
> > -Ted.
> >
> > "Craig R. McClanahan" wrote:
> > > Adding this (and a few of the other recent enhancements) to Struts 1.1 is
> > > definitely on *my* list.  I will have some time to do so between Christmas
> > > and New Years.
> > >
> > > Craig McClanahan
> >


Confidentiality Warning:  This e-mail contains information intended 
only for the use of the individual or entity named above.  If the reader of this 
e-mail is not the intended recipient or the employee or agent responsible for 
delivering it to the intended recipient, any dissemination, publication or copying of 
this e-mail is strictly prohibited. The sender does not accept any responsibility for 
any loss, disruption or damage to your data or computer system that may occur while 
using data contained in, or transmitted with, this e-mail.   If you have received this 
e-mail in error, please immediately notify us by return e-mail.  Thank you.




RE: role based actions

2001-12-11 Thread Cakalic, James

A complementary posting appeared a while back in the struts-user mail list
from Matt Raible at icsynergy.
(http://www.mail-archive.com/struts-user@jakarta.apache.org/msg18543.html)
He says he has been using the security extension with only one minor change;
instead of returning SC_BAD_REQUEST when the user's role does not meet the
declared roles for the action, it returns SC_FORBIDDEN.

Best regards,
Jim Cakalic

> -Original Message-
> From: Ted Husted [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, December 11, 2001 12:45 PM
> To: Struts Developers List
> Subject: Re: role based actions
> 
> 
> Craig, have you looked at Nic Hobb's extension?
> 
> http://husted.com/struts/resources/struts-security.htm
> 
> There's a place on my agenda where I was going to try it myself, but
> still haven't gotten there. 
> 
> -Ted.
> 
> "Craig R. McClanahan" wrote:
> > Adding this (and a few of the other recent enhancements) to Struts 1.1 is
> > definitely on *my* list.  I will have some time to do so between Christmas
> > and New Years.
> > 
> > Craig McClanahan
> 






Re: role based actions

2001-12-11 Thread Ted Husted

Craig, have you looked at Nic Hobb's extension?

http://husted.com/struts/resources/struts-security.htm

There's a place on my agenda where I was going to try it myself, but
still haven't gotten there. 

-Ted.

"Craig R. McClanahan" wrote:
> Adding this (and a few of the other recent enhancements) to Struts 1.1 is
> definitely on *my* list.  I will have some time to do so between Christmas
> and New Years.
> 
> Craig McClanahan

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 




RE: role based actions

2001-12-11 Thread Phase Communcations

I have some code that I use for security stuff that uses GROUPS, ROLES,
USER, PERMISSIONS. It can all be managed dynamically without having to
reboot struts. The only thing you do is add the group access permission to
the action declaration in the struts-config.xml file. Once the group access
is determined the users role and permissions are drawn from the database,
stored in a bean and used to customize the view.

Brandon Goodin
Phase Web and Multimedia
P (406) 862-2245
F (406) 862-0354
[EMAIL PROTECTED]
http://www.phase.ws


-Original Message-
From: craigmcc@localhost [mailto:craigmcc@localhost]On Behalf Of Craig
R. McClanahan
Sent: Tuesday, December 11, 2001 10:16 AM
To: Struts Developers List
Subject: Re: role based actions




On Tue, 11 Dec 2001 [EMAIL PROTECTED] wrote:

> Date: Tue, 11 Dec 2001 10:27:52 -0500
> From: [EMAIL PROTECTED]
> Reply-To: Struts Developers List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: role based actions
>
>
> I am a struts "newbie" so I apologize in advance if this topic has already
> been beaten to death...
>
>  ~~~
>
> I noticed role-based actions on the pending tasks list.

Adding this (and a few of the other recent enhancements) to Struts 1.1 is
definitely on *my* list.  I will have some time to do so between Christmas
and New Years.

Craig McClanahan

>
> Can anyone comment on the status and scope of this effort? (link was a dead
> end)
>
> The description points to role being driven by security, seems the role will
> be detected and then dispatches to the proper action? points to assoc'd form
> through config?
>
> Is this intended to be used for personalization to the extent where a person
> of one role gets a different view, can user customize their view?
>
> Does this provide a place holder for that kind of functionality v. any
> particular "built in" functionality?
>
> Thanks, sorry if the questions were a little obtuse.
>
> -Rick Vaillancourt
>
>


--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>








Re: role based actions

2001-12-11 Thread Craig R. McClanahan



On Tue, 11 Dec 2001 [EMAIL PROTECTED] wrote:

> Date: Tue, 11 Dec 2001 10:27:52 -0500
> From: [EMAIL PROTECTED]
> Reply-To: Struts Developers List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: role based actions
>
>
> I am a struts "newbie" so I apologize in advance if this topic has already
> been beaten to death...
>
>  ~~~
>
> I noticed role-based actions on the pending tasks list.

Adding this (and a few of the other recent enhancements) to Struts 1.1 is
definitely on *my* list.  I will have some time to do so between Christmas
and New Years.

Craig McClanahan

>
> Can anyone comment on the status and scope of this effort? (link was a dead
> end)
>
> The description points to role being driven by security, seems the role will
> be detected and then dispatches to the proper action? points to assoc'd form
> through config?
>
> Is this intended to be used for personalization to the extent where a person
> of one role gets a different view, can user customize their view?
>
> Does this provide a place holder for that kind of functionality v. any
> particular "built in" functionality?
>
> Thanks, sorry if the questions were a little obtuse.
>
> -Rick Vaillancourt
>
>


--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>




role based actions

2001-12-11 Thread Richard . Vaillancourt


I am a struts "newbie" so I apologize in advance if this topic has already
been beaten to death...

 ~~~

I noticed role-based actions on the pending tasks list.

Can anyone comment on the status and scope of this effort? (link was a dead
end)

The description points to role being driven by security, seems the role will
be detected and then dispatches to the proper action? points to assoc'd form
through config?

Is this intended to be used for personalization to the extent where a person
of one role gets a different view, can user customize their view?

Does this provide a place holder for that kind of functionality v. any
particular "built in" functionality?

Thanks, sorry if the questions were a little obtuse.

-Rick Vaillancourt


--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>




RE: Role-Based Actions

2001-10-25 Thread Deadman, Hal


> If this is added, I'm willing to modify the struts-example to use roles and
> form-based authentication.  I figured out a trick last week (using javascript
> and cookies) to show the user loginForm again on the form-error page and allow
> them to login from there.  I can add this to the sample that I'll create.


Why do you need javascript and cookies to redisplay the login page on the
form-error-page? I just call the same action for both form-login-page and
form-error-page. The action forwards to a login jsp and uses a url parameter
to determine whether or not to display an error message to the user.  Maybe
I don't understand what you are doing?


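<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>rdbmsRealm</realm-name>
  <form-login-config>
    <form-login-page>/login.do?type=attempt</form-login-page>
    <form-error-page>/login.do?type=failed</form-error-page>
  </form-login-config>
</login-config>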






Role-Based Actions

2001-10-24 Thread Matt Raible

Are there any plans to add Nic Hobb's role-based security stuff to 1.1-dev? 
http://husted.com/struts/resources/struts-security.htm

I have used it in my current project, and it's working quite well.  Basically,
you just have to add a "roles" attribute to your action-mapping, and then
your action will throw a 403_UNAUTHORIZED if the user is not in the particular
role.  One addition that might be nice is to have a "notRoles" or
"disallowedRoles" attribute that prevents certain roles - similar to
 and .

If this is added, I'm willing to modify the struts-example to use roles and
form-based authentication.  I figured out a trick last week (using javascript
and cookies) to show the user loginForm again on the form-error page and allow
them to login from there.  I can add this to the sample that I'll create.

Or is the process that I should add this to the Nightly build, create the
example, submit as a patch and then it gets voted on?

My vote is +1 for now.

Please let me know,

Matt




