RE: The best practices regarding secure JSP and Action classes

2002-10-14 Thread Chanoch

Using sessions? Have you used servlet roles before?


chanoch


-

The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you
received this in error, please contact the sender and delete the
material from any computer. Although we routinely screen for viruses,
recipients should check this e-mail and any attachment for viruses. We
make no warranty as to absence of viruses in this e-mail or any
attachments.


-Original Message-
From: Hoang, Hai [mailto:[EMAIL PROTECTED]] 
Sent: 14 October 2002 15:23
To: 'struts-user'
Subject: The best practices regarding secure JSP and Action classes


I want to secure the admin portion of my application from unauthorized
users.  What is the best way to achieve this task?  Should I include a
CheckUser tag on every jsp page and call a CheckUser function in
every single action class?  I don't want the user to just key in the
direct url of the jsp page or call the action class directly.  But
doing this, I have to go to the database twice on every action.

Do you know a better way?




_
Introducing the all new and improved continental.com.  With a totally new
personalized design, it's the best place to go. Before you go.

Continental Airlines. Work Hard. Fly Right.

http://www.continental.com


--
To unsubscribe, e-mail:
mailto:[EMAIL PROTECTED]
For additional commands, e-mail:
mailto:[EMAIL PROTECTED]






Re: The best practices regarding secure JSP and Action classes

2002-10-14 Thread Eddie Bush

- setup container-managed authentication
    - as a server-configured service
    - as a filter (see securityfilter.sourceforge.net)
    - see your servlet container user guide for setup of the
      non-filter-based solution
- in your web.xml
    - declare the roles you will use
    - declare the URLs etc
    - see the servlet specification for how to configure this

The web.xml config applies to the non-filter-based approach I *think*.
See the filter's site for more information on how to configure that
particular one.

If you push your authentication/authorization up to the server level,
you don't have to have nasty hacks in all of your protected JSPs.
Just make the auth work and specify the mappings it holds true for.
Other good references on this topic include Java Servlet Programming
(Jason Hunter - O'Reilly) and Java Server Pages (Hans Bergsten -
O'Reilly).  There are probably other resources available that outline
how to configure your deployment descriptor (web.xml) for this.


-- 
Eddie Bush








RE: The best practices regarding secure JSP and Action classes

2002-10-14 Thread Hoang, Hai

I already have my own database driven security model.  Once a user logs on I
already know his role.  But the problem is how do I make this security
model work with the container-managed model so I don't have to check
on every single page.

Hai











RE: The best practices regarding secure JSP and Action classes

2002-10-14 Thread Alex Paransky

Just use security-constraint in your web.xml deployment descriptor.  For
example:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Private resources</web-resource-name>
      <!-- /private/* protects the whole subtree; a bare /private would be
           an exact match for that one URL only -->
      <url-pattern>/private/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- only users the realm places in this role get through -->
      <role-name>member</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- NONE: no HTTPS requirement; CONFIDENTIAL would force one -->
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

The above will make all pages/actions/anything in app/private require a
logon.  You will also have to tell web.xml what type of logon to use.

-AP_
http://www.myprofiles.com/member/profile/apara_personal









Re: The best practices regarding secure JSP and Action classes

2002-10-14 Thread Eddie Bush

It's not a question of making your model work with CMA.  You would use 
one or the other.  Most likely (unless you have odd needs), the 
functionality provided by CMA will suffice to meet your goals.

Once you have CMA setup there is *one* hit to authenticate the user - 
and that information is then maintained by the server and is available 
through *standard* methods (which your database-driven scheme cannot 
boast, I think) which will allow Struts to be selective about which 
options it gives the user (if you configure it to do so).

CMA just does it.  It will check when a protected resource is 
requested and see if the user is authenticated.  If they are not - boom 
- they have to authenticate.  You no longer have to check on every page. 
Checking on every page is (IMHO) a hack.

Please go read up on Container-Managed Authentication.  Either grab a 
copy of the servlet spec or search the web.  There is a lot of general 
information about it.  For information about configuring it with *your* 
servlet container, see your container's handbook (user guide).  If 
you're using Tomcat, and you can access your database via JDBC, check 
out JDBCRealm.  If you don't think that's a good fit you might check 
out Max Cooper's (I think that's his name) project on SourceForge - the 
project is securityfilter, I think.


-- 
Eddie Bush








Re: The best practices regarding secure JSP and Action classes

2002-10-14 Thread V. Cekvenich

Use JDBC realms that read your db.





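Eddie and V. Cekvenich both point at Tomcat's JDBCRealm as the way to keep Hai's existing user and role tables while letting the container do the checking. As an added example (not from any poster), this is the Realm element for Tomcat 4's server.xml; the JDBC driver, database, account, table and column names are assumptions standing in for Hai's real schema, and the role names the tables return must match the role-name used in the web.xml auth-constraint.

```xml
<!-- Tomcat 4 server.xml, inside the <Context> of the Struts webapp (or in
     <Host> to share it across webapps). Driver, database, table and column
     names are assumed; substitute the ones from your own schema. -->
<Realm className="org.apache.catalina.realm.JDBCRealm"
       debug="0"
       driverName="org.gjt.mm.mysql.Driver"
       connectionURL="jdbc:mysql://localhost/appdb"
       connectionName="tomcat_auth"
       connectionPassword="CHANGE_ME"
       userTable="users"
       userNameCol="user_name"
       userCredCol="user_pass"
       userRoleTable="user_roles"
       roleNameCol="role_name"
       digest="SHA" />

<!-- Expected shape of the two tables (constructed illustration; user_name
     is the join column and must exist in both):
       users      (user_name, user_pass)   user_pass holds the hex SHA digest
       user_roles (user_name, role_name)   e.g. ('hai', 'admin')
     With digest="SHA" the realm digests the password typed into the login
     form before comparing it with user_pass, so the table never holds
     plaintext passwords. The role_name values are what the <role-name> in a
     web.xml auth-constraint is matched against. Authentication runs its
     queries once at login and the container then keeps the Principal and
     its roles for the session, which is the single hit Eddie describes;
     request.isUserInRole() answers later checks from memory. The
     tomcat_auth database account only needs SELECT on these two tables. -->
```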