Has anyone implemented security and authentication in a Struts app?
Has anybody out there implemented a roles-based security system in a Struts application? If so, did you use an existing class library or write your own? It seems to me that relying on container providers for security schemes makes it almost impossible to write portable applications, and Struts/MVC, with its single point of access and clearly defined actions would be an ideal place to implement security... thoughts anyone?

Mac Ferguson
Re: Has anyone implemented security and authentication in a Struts app?
Davina and Mac wrote:

> Has anybody out there implemented a roles-based security system in a Struts application? If so, did you use an existing class library or write your own? It seems to me that relying on container providers for security schemes makes it almost impossible to write portable applications, and Struts/MVC, with its single point of access and clearly defined actions would be an ideal place to implement security... thoughts anyone?

Relying on container provided authentication is, by definition, nonportable. So you are correct: It is impossible to write a portable application that relies on container provided authentication. On the other hand, it's not that hard to bypass servlet containers and write your own authentication. This is what the Struts example application does with a CheckLogon custom tag.

david
Re: Has anyone implemented security and authentication in a Struts app?
Role-based security is part of the servlet 2.2 specs. So, if you are using a servlet 2.2 container, the application will remain portable.

Mihir

Davina and Mac wrote:

> Has anybody out there implemented a roles-based security system in a Struts application? If so, did you use an existing class library or write your own? It seems to me that relying on container providers for security schemes makes it almost impossible to write portable applications, and Struts/MVC, with its single point of access and clearly defined actions would be an ideal place to implement security... thoughts anyone?
>
> Mac Ferguson
Re: Has anyone implemented security and authentication in a Struts app?
Mihir Parekh wrote:

> Role-based security is part of the servlet 2.2 specs.

That's true.

> So, if you are using a servlet 2.2 container, the application will remain portable.

The servlet specification does not address how to specify users and roles; for example, Tomcat 3.2 specifies them in $TOMCAT_HOME/conf/tomcat-users.xml, which you edit to suit your application. Resin, on the other hand, doesn't have an XML file like Tomcat does, so you must write some code (by implementing an Authenticator) to specify users and roles. The bottom line is that you must specify users and roles in a nonportable way.

It gets worse, from a portability standpoint, when you consider that the servlet specification does not provide setter methods for user principals and roles. That restriction means that only servlet containers can set user principals and roles. Most servlet containers provide an API to set them, but use of that API is obviously nonportable.

The only way to ensure portability is to implement authentication from scratch, including support for user principals and roles, if you need them. Fortunately, it's not that difficult to do.

david

> Mihir
>
> Davina and Mac wrote:
>
> > Has anybody out there implemented a roles-based security system in a Struts application? If so, did you use an existing class library or write your own? It seems to me that relying on container providers for security schemes makes it almost impossible to write portable applications, and Struts/MVC, with its single point of access and clearly defined actions would be an ideal place to implement security... thoughts anyone?
> >
> > Mac Ferguson
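
An added example, not part of the thread and not code from Struts or its example application: a sketch of the application-managed approach discussed above, where users and roles live in the application and the check is keyed by the controller's action path. It uses only the JDK; every class, path and role name in it is hypothetical, and it assumes the controller passes in the action path and whatever user object the application's own logon step stored in the session.

```java
import java.util.*;

// Added illustration; all class, path and role names are hypothetical, not Struts or servlet API.
public class ActionAuthorizer {
    public enum Decision { ALLOW, LOGIN_REQUIRED, FORBIDDEN }

    // The principal the application itself puts in the session after its logon action.
    public static final class AppUser {
        final String name;
        final Set<String> roles;
        public AppUser(String name, String... roles) {
            this.name = name;
            this.roles = new HashSet<>(Arrays.asList(roles));
        }
    }

    private final Set<String> anonymousPaths = new HashSet<>();
    private final Map<String, Set<String>> rolesByPath = new HashMap<>();

    public ActionAuthorizer allowAnonymous(String path) {
        anonymousPaths.add(path);
        return this;
    }

    public ActionAuthorizer require(String path, String... roles) {
        rolesByPath.put(path, new HashSet<>(Arrays.asList(roles)));
        return this;
    }

    // Called by the controller once per request, before the action runs; user is null if nobody is logged on.
    public Decision check(String actionPath, AppUser user) {
        if (anonymousPaths.contains(actionPath)) return Decision.ALLOW;
        if (user == null) return Decision.LOGIN_REQUIRED;
        Set<String> needed = rolesByPath.get(actionPath);
        if (needed == null) return Decision.FORBIDDEN; // unmapped action: deny by default
        return Collections.disjoint(needed, user.roles) ? Decision.FORBIDDEN : Decision.ALLOW;
    }

    public static void main(String[] args) {
        ActionAuthorizer authz = new ActionAuthorizer()   // constructed sample policy
            .allowAnonymous("/logon")
            .require("/editSubscription", "user", "admin")
            .require("/deleteUser", "admin");
        AppUser alice = new AppUser("alice", "user");     // constructed sample user
        for (String path : new String[] {"/logon", "/editSubscription", "/deleteUser", "/unmapped"}) {
            System.out.println(path + " anonymous=" + authz.check(path, null) + " alice=" + authz.check(path, alice));
        }
    }
}
```

Because the decision is made in one place before any action runs, an action path that was never given a role list is refused rather than silently exposed, and the same policy object works unchanged on any container.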