Re: Authentication and Authorisation Newbie
Brian, You may want to look at other options. For example, although WLS 8.1 supports JAAS, they enourage the use of their entitlements system through their security SPI. You should check out JSR 115. Also, this is not a bad article: http://www.javaworld.com/javaworld/jw-09-2002/jw-0913-jaas.html I've been through similar experience as Mike below and found it confusing. For WLS 6.1 we need to extended JAAS as it wasn't completely support - no authorization - and so wrote some JAAS extensions to support an (Role Based Authorization) RBAC model. We're just working on designs now to see if we can deprecate in light of BEA's extensive security support with WLS 8.1. Hope that helps, Wayne Lund Accenture Global Architecture and Core Technologies, Seattle [EMAIL PROTECTED] (p:) 206.839.2169 (c:) 206 849-6867 (o:) 239/2168 "Brian McSweeney" <[EMAIL PROTECTED]> 04/04/2003 07:16 AM Please respond to "Struts Users Mailing List" To: "Struts Users Mailing List" <[EMAIL PROTECTED]> cc: Subject:Re: Authentication and Authorisation Newbie incredibly nice of you Mike. Thanks so much, I'll read it over the weekend and mail you next week if I have problems. But before I start, once you understand JAAS, is it the right way to go in terms of authentication and authorisation? Is it worth the trouble I mean. thanks so much, Brian - Original Message - From: <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, April 04, 2003 4:00 PM Subject: RE: Authentication and Authorisation Newbie > Let me tell you.Learning JAAS sucks. > But, now that I have spent 2 months learning it, I will tell you... > First, read the JavaWorld.com document on JBossSX and JAAS. That is a start. But there are several things that confused the heck out of me. > http://www.javaworld.com/javaworld/jw-08-2001/jw-0831-jaas.html > > If, after reading that document, you have any questions, email me. > BTW, Are you going to use the DatabaseServerLoginModule? It is very easy. > Also, email me and I will send you the files I have as an example of using DatabaseServerLoginModule > > -Original Message- > From: Brian McSweeney [mailto:[EMAIL PROTECTED] > Sent: Friday, April 04, 2003 4:46 PM > To: Struts Users Mailing List > Subject: Authentication and Authorisation Newbie > > > Hi all, > > I'm using JBoss and EJBs and struts as my web app. > I've got some resources that are protected and for the > moment I've written a Filter which protects them. > > However this may not be the best way to do this. I'm > vaguely aware that J2EE can use JAAS and I can have > things like roles and principles and that these can > be propogated from the servlets to methods on the > session facade and that this is probably the right > way to go. > > However the limited bit of documentation that I've > read on this seems very non-standard and confusing. > > I'd like to know people's experience with this area and > any advice if possible. > > thanks very much, > Brian > > Visit our website at http://www.ubswarburg.com > > This message contains confidential information and is intended only > for the individual named. If you are not the named addressee you > should not disseminate, distribute or copy this e-mail. Please > notify the sender immediately by e-mail if you have received this > e-mail by mistake and delete this e-mail from your system. > > E-mail transmission cannot be guaranteed to be secure or error-free > as information could be intercepted, corrupted, lost, destroyed, > arrive late or incomplete, or contain viruses. The sender therefore > does not accept liability for any errors or omissions in the contents > of this message which arise as a result of e-mail transmission. If > verification is required please request a hard-copy version. This > message is provided for informational purposes and should not be > construed as a solicitation or offer to buy or sell any securities or > related financial instruments. > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Authentication and Authorisation Newbie
incredibly nice of you Mike. Thanks so much, I'll read it over the weekend and mail you next week if I have problems. But before I start, once you understand JAAS, is it the right way to go in terms of authentication and authorisation? Is it worth the trouble I mean. thanks so much, Brian - Original Message - From: <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, April 04, 2003 4:00 PM Subject: RE: Authentication and Authorisation Newbie > Let me tell you.Learning JAAS sucks. > But, now that I have spent 2 months learning it, I will tell you... > First, read the JavaWorld.com document on JBossSX and JAAS. That is a start. But there are several things that confused the heck out of me. > http://www.javaworld.com/javaworld/jw-08-2001/jw-0831-jaas.html > > If, after reading that document, you have any questions, email me. > BTW, Are you going to use the DatabaseServerLoginModule? It is very easy. > Also, email me and I will send you the files I have as an example of using DatabaseServerLoginModule > > -Original Message- > From: Brian McSweeney [mailto:[EMAIL PROTECTED] > Sent: Friday, April 04, 2003 4:46 PM > To: Struts Users Mailing List > Subject: Authentication and Authorisation Newbie > > > Hi all, > > I'm using JBoss and EJBs and struts as my web app. > I've got some resources that are protected and for the > moment I've written a Filter which protects them. > > However this may not be the best way to do this. I'm > vaguely aware that J2EE can use JAAS and I can have > things like roles and principles and that these can > be propogated from the servlets to methods on the > session facade and that this is probably the right > way to go. > > However the limited bit of documentation that I've > read on this seems very non-standard and confusing. > > I'd like to know people's experience with this area and > any advice if possible. > > thanks very much, > Brian > > Visit our website at http://www.ubswarburg.com > > This message contains confidential information and is intended only > for the individual named. If you are not the named addressee you > should not disseminate, distribute or copy this e-mail. Please > notify the sender immediately by e-mail if you have received this > e-mail by mistake and delete this e-mail from your system. > > E-mail transmission cannot be guaranteed to be secure or error-free > as information could be intercepted, corrupted, lost, destroyed, > arrive late or incomplete, or contain viruses. The sender therefore > does not accept liability for any errors or omissions in the contents > of this message which arise as a result of e-mail transmission. If > verification is required please request a hard-copy version. This > message is provided for informational purposes and should not be > construed as a solicitation or offer to buy or sell any securities or > related financial instruments. > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Authentication and Authorisation Newbie
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/basicportal/bP/WEB-INF/web.xml It at J2EE spec in web.xml, as above, with full working struts example source. .V Brian McSweeney wrote: Hi all, I'm using JBoss and EJBs and struts as my web app. I've got some resources that are protected and for the moment I've written a Filter which protects them. However this may not be the best way to do this. I'm vaguely aware that J2EE can use JAAS and I can have things like roles and principles and that these can be propogated from the servlets to methods on the session facade and that this is probably the right way to go. However the limited bit of documentation that I've read on this seems very non-standard and confusing. I'd like to know people's experience with this area and any advice if possible. thanks very much, Brian - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Authentication and Authorisation Newbie
Let me tell you.Learning JAAS sucks. But, now that I have spent 2 months learning it, I will tell you... First, read the JavaWorld.com document on JBossSX and JAAS. That is a start. But there are several things that confused the heck out of me. http://www.javaworld.com/javaworld/jw-08-2001/jw-0831-jaas.html If, after reading that document, you have any questions, email me. BTW, Are you going to use the DatabaseServerLoginModule? It is very easy. Also, email me and I will send you the files I have as an example of using DatabaseServerLoginModule -Original Message- From: Brian McSweeney [mailto:[EMAIL PROTECTED] Sent: Friday, April 04, 2003 4:46 PM To: Struts Users Mailing List Subject: Authentication and Authorisation Newbie Hi all, I'm using JBoss and EJBs and struts as my web app. I've got some resources that are protected and for the moment I've written a Filter which protects them. However this may not be the best way to do this. I'm vaguely aware that J2EE can use JAAS and I can have things like roles and principles and that these can be propogated from the servlets to methods on the session facade and that this is probably the right way to go. However the limited bit of documentation that I've read on this seems very non-standard and confusing. I'd like to know people's experience with this area and any advice if possible. thanks very much, Brian Visit our website at http://www.ubswarburg.com This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]