RE: Declarative security constraints

2001-06-14 Thread Geddes, Mark (ANTS)

Craig wrote:

Have you tried a URL pattern like this?

  <url-pattern>/action1.do</url-pattern>

The syntax of URL patterns used in security constraints is exactly like
that used in servlet mappings, and this would be an exact match pattern
for path /action1 (assuming you are using the usual *.do mapping for the
controller servlet).

Well I thought I had, but obviously I hadn't, as it works fine. Thanks.


-Original Message-
From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
Sent: 13 June 2001 18:04
To: Struts-User@Jakarta. Apache. Org (E-mail)
Subject: Re: Declarative security constraints




On Wed, 13 Jun 2001, Geddes, Mark (ANTS) wrote:

> I am using the security-constraint tag in web.xml to protect access to my
> pages.
> I have been unable to use this method to restrict access to specific
> requests, say 'action1.do'. I assume this is because only the resources are
> protected (i.e. the actual JSPs).
> The upshot is that I am protecting the whole web-app using
> <url-pattern>/*</url-pattern>.
> This is fine. It is an intranet site and it means that I can use
> request.isUserInRole() and request.getUserPrincipal() in the confidence that
> I know the user has been forced to authenticate themselves.
> The problem comes when I want to restrict certain actions based upon the
> user's role. In the perform() method of my Action class I have to use
> request.isUserInRole(). I would like to be able to do this declaratively
> rather than programmatically, either using the security-constraint
> declaration in web.xml, or possibly as part of the action declaration in
> struts-config.xml.
>
> Question1: Have I missed something obvious in my use of the
> security-constraint mechanism?

Have you tried a URL pattern like this?

  <url-pattern>/action1.do</url-pattern>

The syntax of URL patterns used in security constraints is exactly like
that used in servlet mappings, and this would be an exact match pattern
for path /action1 (assuming you are using the usual *.do mapping for the
controller servlet).

> Question2: If not, would this make a useful extension to the Struts
> framework?
>

I've thought about the idea of incorporating role-based checking into the
controller servlet itself, but it seems like a duplication of what you can
already do in the container (such as the above).  However, a place where
it might be useful is if you have a scripted workflow of some sort, and
certain steps would be executed or skipped based on the roles possessed by
the authenticated user.

> Thanks in advance.
>
> Mark
>

Craig McClanahan



***
This email message contains confidential information for the above addressee only.  If 
you are not the intended addressee you must not disclose or use the information in any 
manner whatsoever.

Any opinion or views contained in this email message are those of the sender, do not 
represent those of the Company in any way and reliance should not be placed upon its 
contents.

Unless otherwise stated this email message is not intended to be contractually 
binding.  Where an Agreement exists between our respective companies and there is 
conflict between the contents of this email message and the Agreement then the terms 
of that Agreement shall prevail.

Abbey National Treasury Services plc. Registered in England. Registered Office:  Abbey 
House, Baker Street, London NW1 6XL.  Company Registration No: 2338548.  Regulated by 
the SFA
***



RE: Declarative security constraints

2001-06-14 Thread Gogineni, Pratima

I have a general question regarding security constraints - if you are using
the form based authentication - is the login page allowed to match one of
the url-patterns in the security constraints.

I found that this kind of set up goes into an infinite loop -
understandably.
The question is - it should be possible to detect this & not go into an
infinite loop?
I couldn't find anything in the servlet spec 2.2 regarding this...

thanks
pratima
-Original Message-
From: Geddes, Mark (ANTS) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 14, 2001 5:42 AM
To: '[EMAIL PROTECTED]'
Subject: RE: Declarative security constraints


Craig wrote:

Have you tried a URL pattern like this?

  <url-pattern>/action1.do</url-pattern>

The syntax of URL patterns used in security constraints is exactly like
that used in servlet mappings, and this would be an exact match pattern
for path /action1 (assuming you are using the usual *.do mapping for the
controller servlet).

Well I thought I had, but obviously I hadn't, as it works fine. Thanks.


-Original Message-
From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
Sent: 13 June 2001 18:04
To: Struts-User@Jakarta. Apache. Org (E-mail)
Subject: Re: Declarative security constraints




On Wed, 13 Jun 2001, Geddes, Mark (ANTS) wrote:

> I am using the security-constraint tag in web.xml to protect access to my
> pages.
> I have been unable to use this method to restrict access to specific
> requests, say 'action1.do'. I assume this is because only the resources are
> protected (i.e. the actual JSPs).
> The upshot is that I am protecting the whole web-app using
> <url-pattern>/*</url-pattern>.
> This is fine. It is an intranet site and it means that I can use
> request.isUserInRole() and request.getUserPrincipal() in the confidence that
> I know the user has been forced to authenticate themselves.
> The problem comes when I want to restrict certain actions based upon the
> user's role. In the perform() method of my Action class I have to use
> request.isUserInRole(). I would like to be able to do this declaratively
> rather than programmatically, either using the security-constraint
> declaration in web.xml, or possibly as part of the action declaration in
> struts-config.xml.
>
> Question1: Have I missed something obvious in my use of the
> security-constraint mechanism?

Have you tried a URL pattern like this?

  <url-pattern>/action1.do</url-pattern>

The syntax of URL patterns used in security constraints is exactly like
that used in servlet mappings, and this would be an exact match pattern
for path /action1 (assuming you are using the usual *.do mapping for the
controller servlet).

> Question2: If not, would this make a useful extension to the Struts
> framework?
>

I've thought about the idea of incorporating role-based checking into the
controller servlet itself, but it seems like a duplication of what you can
already do in the container (such as the above).  However, a place where
it might be useful is if you have a scripted workflow of some sort, and
certain steps would be executed or skipped based on the roles possessed by
the authenticated user.

> Thanks in advance.
>
> Mark
>

Craig McClanahan






RE: Declarative security constraints

2001-06-14 Thread Craig R. McClanahan



On Thu, 14 Jun 2001, Gogineni, Pratima wrote:

> I have a general question regarding security constraints - if you are using
> the form based authentication - is the login page allowed to match one of
> the url-patterns in the security constraints.
>

Yes it's allowed.  Otherwise, you could not use a URL pattern like /* to
protect the entire web application.

> I found that this kind of set up goes into an infinite loop -
> understandably.
> The question is - it should be possible to detect this & not go into an
> infinite loop?
> I couldn't find anything in the servlet spec 2.2 regarding this...
>

Tomcat 3.2, if I remember correctly, has problems with this.  Tomcat 4.0
(and I'm sure other servers do too) handles it correctly.

> thanks
> pratima

Craig




RE: Declarative security constraints

2001-06-14 Thread Gogineni, Pratima

Okay, that answers my question I guess - I tried this on Tomcat 3.2

-Original Message-
From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 14, 2001 12:17 PM
To: '[EMAIL PROTECTED]'
Subject: RE: Declarative security constraints




On Thu, 14 Jun 2001, Gogineni, Pratima wrote:

> I have a general question regarding security constraints - if you are using
> the form based authentication - is the login page allowed to match one of
> the url-patterns in the security constraints.
>

Yes it's allowed.  Otherwise, you could not use a URL pattern like /* to
protect the entire web application.

> I found that this kind of set up goes into an infinite loop -
> understandably.
> The question is - it should be possible to detect this & not go into an
> infinite loop?
> I couldn't find anything in the servlet spec 2.2 regarding this...
>

Tomcat 3.2, if I remember correctly, has problems with this.  Tomcat 4.0
(and I'm sure other servers do too) handles it correctly.

> thanks
> pratima

Craig



Re: Declarative security constraints

2001-06-13 Thread Craig R. McClanahan



On Wed, 13 Jun 2001, Geddes, Mark (ANTS) wrote:

> I am using the security-constraint tag in web.xml to protect access to my
> pages.
> I have been unable to use this method to restrict access to specific
> requests, say 'action1.do'. I assume this is because only the resources are
> protected (i.e. the actual JSPs).
> The upshot is that I am protecting the whole web-app using
> <url-pattern>/*</url-pattern>.
> This is fine. It is an intranet site and it means that I can use
> request.isUserInRole() and request.getUserPrincipal() in the confidence that
> I know the user has been forced to authenticate themselves.
> The problem comes when I want to restrict certain actions based upon the
> user's role. In the perform() method of my Action class I have to use
> request.isUserInRole(). I would like to be able to do this declaratively
> rather than programmatically, either using the security-constraint
> declaration in web.xml, or possibly as part of the action declaration in
> struts-config.xml.
>
> Question1: Have I missed something obvious in my use of the
> security-constraint mechanism?

Have you tried a URL pattern like this?

  <url-pattern>/action1.do</url-pattern>

The syntax of URL patterns used in security constraints is exactly like
that used in servlet mappings, and this would be an exact match pattern
for path /action1 (assuming you are using the usual *.do mapping for the
controller servlet).

> Question2: If not, would this make a useful extension to the Struts
> framework?
>

I've thought about the idea of incorporating role-based checking into the
controller servlet itself, but it seems like a duplication of what you can
already do in the container (such as the above).  However, a place where
it might be useful is if you have a scripted workflow of some sort, and
certain steps would be executed or skipped based on the roles possessed by
the authenticated user.

> Thanks in advance.
>
> Mark
>

Craig McClanahan
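The two points raised in this thread, that an exact-match <url-pattern> such as /action1.do can carry its own <auth-constraint> alongside a catch-all /*, and that a FORM login page may itself fall under a constraint (which a container must exempt to avoid the redirect loop Pratima saw on Tomcat 3.2), can be checked against a deployment descriptor before it is deployed. The following is an added example, not code from the thread, Struts or Tomcat. The web.xml it parses is constructed for the example; the pattern precedence (exact, longest path prefix, extension, default) is the servlet-mapping rule Craig refers to, and the treatment of several constraints on the same pattern (union of role names, an empty <auth-constraint> refusing everyone) is an assumption about container behaviour rather than something the thread states.

```python
"""Model of servlet <security-constraint> matching (added example; the
web.xml below is constructed for it and is not from the thread)."""
import xml.etree.ElementTree as ET

# Constructed descriptor: an exact-match constraint on the one Struts action
# to be restricted to 'admin', the catch-all /* for everything else, and a
# FORM login page that is itself covered by /*.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Action 1</web-resource-name>
      <url-pattern>/action1.do</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name><role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""


def match_score(pattern, path):
    """Score a url-pattern against a context-relative path; -1 is no match.
    Precedence as for servlet mappings: exact > longest path prefix >
    extension > default ('/')."""
    if pattern == path:
        return 3000
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return 2000 + len(prefix) if path == prefix or path.startswith(prefix + "/") else -1
    if pattern.startswith("*."):
        return 1000 if path.rsplit("/", 1)[-1].endswith(pattern[1:]) else -1
    return 0 if pattern == "/" else -1


def load_constraints(xml_text):
    """[(patterns, roles)] per <security-constraint>; roles is None when the
    constraint has no <auth-constraint>, i.e. no authentication is required."""
    out = []
    for sc in ET.fromstring(xml_text).findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")]
        auth = sc.find("auth-constraint")
        roles = None if auth is None else [r.text.strip() for r in auth.findall("role-name")]
        out.append((patterns, roles))
    return out


def required_roles(constraints, path):
    """None if `path` is unconstrained, an empty set if every caller is
    refused, otherwise the union of role names declared on the best-matching
    pattern (assumption: constraints on one pattern are combined this way)."""
    best, best_score = None, -1
    for patterns, _ in constraints:
        for pat in patterns:
            score = match_score(pat, path)
            if score > best_score:
                best, best_score = pat, score
    roles, constrained, deny_all = set(), False, False
    for patterns, names in constraints:
        if best is not None and best in patterns and names is not None:
            constrained = True
            deny_all = deny_all or not names
            roles.update(names)
    if not constrained:
        return None
    return set() if deny_all else roles


def is_permitted(constraints, path, user_roles):
    """user_roles is None for an unauthenticated caller; a '*' role-name
    admits any authenticated user."""
    need = required_roles(constraints, path)
    if need is None:
        return True
    if user_roles is None or not need:
        return False
    return "*" in need or bool(need & set(user_roles))


def constrained_login_pages(xml_text):
    """Form login/error pages that a constraint also covers. A container
    that fails to exempt them redirects the login page to itself, the loop
    described in the thread; this lists the pages a deployer should test."""
    root = ET.fromstring(xml_text)
    constraints = load_constraints(xml_text)
    covered = []
    for tag in ("form-login-page", "form-error-page"):
        el = root.find("login-config/form-login-config/" + tag)
        if el is not None and required_roles(constraints, el.text.strip()) is not None:
            covered.append(el.text.strip())
    return covered
```

With the constructed descriptor, `required_roles(load_constraints(WEB_XML), "/action1.do")` yields only `admin` because the exact pattern outranks `/*`, while any other `.do` request falls to `/*` and accepts either role; `constrained_login_pages(WEB_XML)` reports both form pages, which is the situation Craig says a correct container must handle and Tomcat 3.2 did not.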