Title: RE: Has anyone implemented security and authentication in a Struts app?
H.
Those are some very good points. The situation I am faced with now (and have been on a couple of occasions) is porting to MVC a content management system that is steadily growing in complexity. I have to implement several roles which will be assigned Create/Read/Update/Delete rights on various components; eventually there will also be a set of workflow management permissions as well (Authorize/Publish), probably attached to the data somehow. So my needs go a ways beyond authentication as it is implemented in most web servers. The only open-source projects I've seen that are really related are OpenSymphony's OSUser, which is far from functional, and Caucho's Quercus, which seems to be dependent on Resin's JNDI services (although I haven't really dug into this code yet). I am considering starting something based on JAAS and making it available when/if it becomes workable. It would probably be pretty much geared towards Struts to begin with. If only I didn't have to sleep, then I'd have time for this...
Thanks,
Mac Ferguson
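The role/permission model Mac sketches above (roles carrying Create/Read/Update/Delete and workflow Authorize/Publish rights on named components, expressed with JAAS types), written out as an added example; this is not code from the thread or from OSUser, Quercus or Struts. The component names, role names and the in-memory role table are made-up sample values: a real CMS would load the table from its database, and a Struts base Action would call isAllowed once before dispatching to the concrete action.

```java
import java.security.Permission;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;

// Added example (not from the thread). Roles grant CRUD and workflow rights on
// named CMS components; a request is allowed only if some role of the JAAS
// Subject holds a permission that implies the one being asked for.
public class CmsAuthorizationExample {

    /** A permission on one CMS component, e.g. name "article", actions "read,update". */
    public static final class ComponentPermission extends Permission {
        private static final List<String> KNOWN =
            Arrays.asList("create", "read", "update", "delete", "authorize", "publish");
        private final Set<String> actions = new TreeSet<>();

        public ComponentPermission(String component, String actionList) {
            super(component);
            for (String a : actionList.split(",")) {
                a = a.trim().toLowerCase();
                if (!KNOWN.contains(a)) throw new IllegalArgumentException("unknown action: " + a);
                actions.add(a);
            }
        }

        /** A grant implies a request when the component matches ("*" matches all)
         *  and every requested action is among the granted ones. */
        @Override public boolean implies(Permission p) {
            if (!(p instanceof ComponentPermission)) return false;
            ComponentPermission other = (ComponentPermission) p;
            boolean nameOk = getName().equals("*") || getName().equals(other.getName());
            return nameOk && actions.containsAll(other.actions);
        }
        @Override public String getActions() { return String.join(",", actions); }
        @Override public boolean equals(Object o) {
            return o instanceof ComponentPermission
                && getName().equals(((ComponentPermission) o).getName())
                && actions.equals(((ComponentPermission) o).actions);
        }
        @Override public int hashCode() { return getName().hashCode() ^ actions.hashCode(); }
    }

    /** A JAAS Principal naming a role; the Subject's role principals drive the check. */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof RolePrincipal && name.equals(((RolePrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /** Role -> granted permissions. Sample data; a real CMS would load this from its database. */
    private static final Map<String, List<ComponentPermission>> ROLES = new HashMap<>();
    static {
        ROLES.put("author", Arrays.asList(
            new ComponentPermission("article", "create,read,update")));
        ROLES.put("editor", Arrays.asList(
            new ComponentPermission("article", "create,read,update,delete,authorize"),
            new ComponentPermission("image", "read,update")));
        ROLES.put("publisher", Arrays.asList(
            new ComponentPermission("*", "read,publish")));
    }

    /** The single check a Struts base Action would run before dispatching. Deny by default. */
    public static boolean isAllowed(Subject subject, String component, String action) {
        ComponentPermission wanted = new ComponentPermission(component, action);
        for (RolePrincipal role : subject.getPrincipals(RolePrincipal.class)) {
            List<ComponentPermission> grants =
                ROLES.getOrDefault(role.getName(), Collections.<ComponentPermission>emptyList());
            for (ComponentPermission granted : grants) {
                if (granted.implies(wanted)) return true;
            }
        }
        return false; // unknown role, unknown component or ungranted action all fall through to deny
    }

    public static void main(String[] args) {
        Subject alice = new Subject();                      // an author
        alice.getPrincipals().add(new RolePrincipal("author"));
        Subject bob = new Subject();                        // an editor who also publishes
        bob.getPrincipals().add(new RolePrincipal("editor"));
        bob.getPrincipals().add(new RolePrincipal("publisher"));

        System.out.println("alice update article:  " + isAllowed(alice, "article", "update"));
        System.out.println("alice publish article: " + isAllowed(alice, "article", "publish"));
        System.out.println("bob publish image:     " + isAllowed(bob, "image", "publish"));
        System.out.println("bob delete image:      " + isAllowed(bob, "image", "delete"));
    }
}
```

Keeping the decision in one method that is reached from every Action is what makes the model auditable; the permission objects themselves are plain java.security.Permission subclasses, so the same grants could later be loaded into a JAAS policy rather than the hand-built table shown here.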
-----Original Message-----
From: Brugge, John [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 26, 2001 10:26 AM
To: '[EMAIL PROTECTED]'
Subject: RE: Has anyone implemented security and authentication in a Struts app?
We are in the process of writing a lightweight framework for role-based authorization because no other options have panned out. I've searched for open-source solutions, but find none. As David Geary said, it's not really rocket science, but to do it well and to make it generalized for different situations gets harder quickly. That's why there are companies that make a good living selling packages like Siteminder and ClearTrust.

I'd also suggest thinking about security in a slightly different way, by taking it out of the realm of the application. Unless you've got very fine-grained access control requirements, your application will be much more portable and maintainable if you let someone/something else worry about "security." Containers are going to have differing schemes until the end of time, but they are the second-best place to define security (the best being even further removed, at the web server). For one, security policies are often the realm of a group completely removed from application development, and, if they're really serious about it, are very uncomfortable with the thought of having security implemented within an application - much harder to audit or verify its stoutness.

More importantly, unless you're at the level of the container, or above, you can't protect any static pages that might be part of your application, and you have to put explicit checks in each of your JSPs - forget it in one JSP and your app is compromised.

All this is to say that if you're writing a framework for your own app or organization and know what the ground rules are going to be, it's not that hard. If you want one that's general and covers lots of situations, that is harder work, and explains why there are slim pickings (unless you've got the $$ to buy one). Seems like a niche waiting to be filled for the open source community.

I hope that's not too much soap-boxing. If you've got more specific questions, I'd be happy to offer some more concrete ideas.
John Brugge
Senior Specialist, e-Commerce Solutions
Compuware Corporation
Madison, Wisconsin
608-223-3800
[EMAIL PROTECTED]
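John's point that a check written into every JSP is only as strong as the one JSP that forgets it, and that enforcing at the URL level also covers static pages, shown as an added example (not code from the thread or from Struts): a single servlet Filter mapped to /* gates every request by URL prefix and role, so no page or action has to remember its own check. It assumes the container has already authenticated the user (so getUserPrincipal and isUserInRole are populated) and that the javax.servlet API is on the classpath; the path prefixes and role names are made-up sample values. The purely declarative form of the same idea, which is what John means by leaving it to the container, is a security-constraint element in web.xml and needs no Java at all.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the thread). One gate in front of every URL, static
// pages included, so a forgotten check in a single JSP cannot expose anything.
// Map it in web.xml with a filter-mapping whose url-pattern is /*.
public class RoleGateFilter implements Filter {

    /** Protected URL prefix -> role required. Made-up sample rules; unlisted paths are public. */
    private static final Map<String, String> RULES = new LinkedHashMap<>();
    static {
        RULES.put("/admin/", "editor");        // covers /admin/edit.do and /admin/help.html alike
        RULES.put("/publish/", "publisher");
        RULES.put("/authoring/", "author");
    }

    /** Role a path needs, or null if it is public. The longest matching prefix wins. */
    static String requiredRole(String path) {
        String bestPrefix = null;
        String role = null;
        for (Map.Entry<String, String> rule : RULES.entrySet()) {
            String prefix = rule.getKey();
            if (path.startsWith(prefix) && (bestPrefix == null || prefix.length() > bestPrefix.length())) {
                bestPrefix = prefix;
                role = rule.getValue();
            }
        }
        return role;
    }

    /** Containers normalise the path before mapping; this is a belt-and-braces refusal
     *  of anything that still looks like it is trying to dodge a prefix rule. */
    static boolean isNormalized(String path) {
        return !path.contains("..") && !path.contains("//");
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Decoded path relative to the web application, servlet path plus any path info.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) path += request.getPathInfo();

        if (!isNormalized(path)) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        String role = requiredRole(path);
        if (role == null) {
            chain.doFilter(req, res);                                 // public resource
        } else if (request.getUserPrincipal() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);  // not logged in
        } else if (!request.isUserInRole(role)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);     // logged in, wrong role
        } else {
            chain.doFilter(req, res);                                 // role matches, continue
        }
    }
}
```

The rule table is the only thing an auditor has to read to know what is protected, which is the property John is after; the trade-off he describes remains, in that the filter still lives inside the application rather than at the web server.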
-----Original Message-----
From: Davina and Mac [SMTP:[EMAIL PROTECTED]]
Sent: Sunday, February 25, 2001 11:16 AM
To: [EMAIL PROTECTED]
Subject: Has anyone implemented security and authentication in a Struts app?
Has anybody out there implemented a roles-based security system in a Struts application? If so, did you use an existing class library or write your own? It seems to me that relying on container providers for security schemes makes it almost impossible to write portable applications, and Struts/MVC, with its single point of access and clearly defined actions, would be an ideal place to implement security... thoughts anyone?
Mac Ferguson