RE: Role based access?

2004-03-09 Thread Zsolt Koppany
Hi Pedro,

I'm interested in your software, can you send it to me?

Zsolt

 -Original Message-
 From: Pedro Salgado [mailto:[EMAIL PROTECTED]
 Sent: Thursday, January 01, 1970 1:09 AM
 To: Struts Users List
 Subject: Re: Role based access?
 
 
 
   If you need this kind of behaviour (Container Managed Security) I already
 implemented a very simple, free and open framework that allows to manage
 security over your application.
 
   I haven't made any documentation besides javadoc but, if you need any
 help, just send me an email.
 
 
 Pedro Salgado
 
 
 On 19/02/2004 06:04, Navjot Singh [EMAIL PROTECTED] wrote:
 
  in this case, Form is declaratively saying that it can be accessed only by
  userRole.
  Now when you use CMA, every user will be bound to a role.
  
  RequestController compares the two roles one from user-in-request and other
  from ActionMapping/ActionConfig and continue..
  
  However, you can also override the default behaviour of processRoles and go
  your own way.
  
  HTH
  Navjot Singh
  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, February 18, 2004 8:49 PM
  To: Struts Users Mailing List
  Subject: Role based access?
  
  
  
  Hi Guys,
  
  Struts-config.xml
  <action attribute="Form" roles="userRole">
  
  How do i use this 'roles' attribute to implement role-based access.
  
  Thanks and Regards
  
  Subramaniam Olaganthan
  Tata Consultancy Services
  Mailto: [EMAIL PROTECTED]
  Website: http://www.tcs.com
  
  
  -
  To unsubscribe, e-mail: [EMAIL PROTECTED]
  For additional commands, e-mail: [EMAIL PROTECTED]
 
 



Re: Role based access?

2004-02-19 Thread Pedro Salgado

  If you need this kind of behaviour (Container Managed Security) I already
implemented a very simple, free and open framework that allows to manage
security over your application.

  I haven't made any documentation besides javadoc but, if you need any
help, just send me an email.


Pedro Salgado


On 19/02/2004 06:04, Navjot Singh [EMAIL PROTECTED] wrote:

 in this case, Form is declaratively saying that it can be accessed only by
 userRole.
 Now when you use CMA, every user will be bound to a role.
 
 RequestController compare the two roles one from user-in-request and other
 from
 ActionMapping/ActionConfig and continue..
 
 However, you can also override the default behaviour of processRoles and go
 your own way.
 
 HTH
 Navjot Singh
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, February 18, 2004 8:49 PM
 To: Struts Users Mailing List
 Subject: Role based access?
 
 
 
 Hi Guys,
 
 Struts-config.xml
   <action attribute="Form" roles="userRole">
 
 How do i use this 'roles' attribute to implement role-based access.
 
 Thanks and Regards
 
 Subramaniam Olaganthan
 Tata Consultancy Services
 Mailto: [EMAIL PROTECTED]
 Website: http://www.tcs.com
 
 



Re: Role based access?

2004-02-18 Thread Nadeem Bitar
You have to use JAAS. If you are not using JAAS and still want to use
the roles attribute in your action mapping you have to override the
processRoles method.


On Wed, 2004-02-18 at 20:49 +0530, [EMAIL PROTECTED] wrote:
 Hi Guys, 
 
 Struts-config.xml 
 <action attribute="Form" roles="userRole">
 
 How do i use this 'roles' attribute to implement role-based access. 
 
 Thanks and Regards 
 
 Subramaniam Olaganthan
 Tata Consultancy Services
 Mailto: [EMAIL PROTECTED]
 Website: http://www.tcs.com



RE: Role based access?

2004-02-18 Thread Barnett, Brian W.
Another option I believe is to let the j2ee container handle security. I'm
not up on all the jargon, but I'm using roles and form-based security. Here
are some code snippets from some relevant files:

web.xml snippet:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>GeneralAgent</web-resource-name>
    <url-pattern>/do/generalAgent/*</url-pattern>
    <url-pattern>/do/company/*</url-pattern>
    <url-pattern>/do/reportOptions/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>ga</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Agent</web-resource-name>
    <url-pattern>/do/login/*</url-pattern>
    <url-pattern>/do/agent/*</url-pattern>
    <url-pattern>/do/policy/*</url-pattern>
    <url-pattern>/do/commissionStatement/*</url-pattern>
    <url-pattern>/do/commissionStatementPrint/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>ga</role-name>
    <role-name>a</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/WEB-INF/jsp/Login.jsp</form-login-page>
    <form-error-page>/WEB-INF/jsp/LoginBad.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>a</role-name>
</security-role>
<security-role>
  <role-name>ga</role-name>
</security-role>

Then in Tomcat's server.xml file (other containers should support something
similar). Basically you can tell the container where to get a user's role
from a database when they login.

<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
       driverName="com.microsoft.jdbc.sqlserver.SQLServerDriver"
       connectionURL="jdbc:microsoft:sqlserver://BB-SERVER:1433;DatabaseName=commission;SelectMethod=cursor"
       connectionName="dbLogin" connectionPassword="dbPassword"
       userTable="agent" userNameCol="login" userCredCol="password"
       userRoleTable="agent" roleNameCol="role" />


You also have to create the Login.jsp and LoginBad.jsp files. This link
talks a little more about it. http://www.jguru.com/faq/view.jsp?EID=115231


-Original Message-
From: Nadeem Bitar [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 18, 2004 12:30 PM
To: Struts Users Mailing List
Subject: Re: Role based access?

You have to use JAAS. If you are not using JAAS and still want to use
the roles attribute in your action mapping you have to override the
processRoles method .


On Wed, 2004-02-18 at 20:49 +0530, [EMAIL PROTECTED] wrote:
 Hi Guys, 
 
 Struts-config.xml 
 <action attribute="Form" roles="userRole">
 
 How do i use this 'roles' attribute to implement role-based access. 
 
 Thanks and Regards 
 
 Subramaniam Olaganthan
 Tata Consultancy Services
 Mailto: [EMAIL PROTECTED]
 Website: http://www.tcs.com



Re: Role based access?

2004-02-18 Thread subramaniam . o

Hi,
Thanks for the info Nadeem, but processRoles method is in which class?
Could you give me some samples?
Thanks in advance


Subramaniam Olaganthan
Tata Consultancy Services
Mailto: [EMAIL PROTECTED]
Website: http://www.tcs.com





Nadeem Bitar [EMAIL PROTECTED]
02/19/2004 12:59 AM
Please respond to: Struts Users Mailing List [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
cc:
Subject: Re: Role based access?

You have to use JAAS. If you are not using JAAS and still want to use
the roles attribute in your action mapping you have to override the
processRoles method.


On Wed, 2004-02-18 at 20:49 +0530, [EMAIL PROTECTED] wrote:
 Hi Guys, 
 
 Struts-config.xml 
 <action attribute="Form" roles="userRole">
 
 How do i use this 'roles' attribute to implement role-based access.

 
 Thanks and Regards 
 
 Subramaniam Olaganthan
 Tata Consultancy Services
 Mailto: [EMAIL PROTECTED]
 Website: http://www.tcs.com

Re: Role based access?

2004-02-18 Thread Nadeem Bitar
processRoles method is in RequestProcessor.
You would do something like this:

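// Goes in your RequestProcessor subclass. The access modifier and throws clause
// must match RequestProcessor.processRoles, or the override will not compile
// (needs java.io.IOException and javax.servlet.ServletException imported).
protected boolean processRoles(HttpServletRequest request,
        HttpServletResponse response, ActionMapping mapping)
        throws IOException, ServletException {
    // roles listed in the action mapping's roles attribute
    String[] roles = mapping.getRoleNames();
    // no roles configured: the action is not restricted
    if (roles == null || roles.length == 0)
        return true;
    for (int i = 0; i < roles.length; i++) {
        // check if the current user is in any of the specified roles
        // using your custom security scheme usually something like that
        if (request.isUserInRole(roles[i]))
            return true;
    }
    // user holds none of the required roles: request processing stops here
    return false;
}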
On Thu, 2004-02-19 at 01:26 +0530, [EMAIL PROTECTED] wrote:
 Hi, 
 Thanks for the info Nadeem.but processRoles method is in which Class. 
 could you give me some samples. 
 Thanks in advance 
 
 
 Subramaniam Olaganthan
 Tata Consultancy Services
 Mailto: [EMAIL PROTECTED]
 Website: http://www.tcs.com 
 
 
 Nadeem Bitar [EMAIL PROTECTED]
 02/19/2004 12:59 AM
 Please respond to: Struts Users Mailing List [EMAIL PROTECTED]
 To: Struts Users Mailing List [EMAIL PROTECTED]
 cc:
 Subject: Re: Role based access?
 
 You have to use JAAS. If you are not using JAAS and still want to use
 the roles attribute in your action mapping you have to override the
 processRoles method .
 
 
 On Wed, 2004-02-18 at 20:49 +0530, [EMAIL PROTECTED] wrote:
  Hi Guys, 
  
  Struts-config.xml 
  <action attribute="Form" roles="userRole">
  
  How do i use this 'roles' attribute to implement role-based access. 
  
  Thanks and Regards 
  
  Subramaniam Olaganthan
  Tata Consultancy Services
  Mailto: [EMAIL PROTECTED]
  Website: http://www.tcs.com
 



Re: Role based access?

2004-02-18 Thread Paul-J Woodward

You might want to do something similar to this on failure in addition to code below:

response.sendError(
  HttpServletResponse.SC_FORBIDDEN,
  getInternal().getMessage(
    "notAuthorized",
    mapping.getPath()));


Paul

Global Equity Derivatives Technology
Deutsche Bank


Nadeem Bitar [EMAIL PROTECTED]
18/02/2004 20:11
Please respond to: Struts Users Mailing List
To: Struts Users Mailing List [EMAIL PROTECTED]
cc:
Subject: Re: Role based access?

processRoles method is in RequestProcessor.
You would do something like this:

protected boolean processRoles(HttpServletRequest request,
        HttpServletResponse response, ActionMapping mapping)
        throws IOException, ServletException {
    // roles listed in the action mapping's roles attribute
    String[] roles = mapping.getRoleNames();
    if (roles == null || roles.length == 0)
        return true;
    for (int i = 0; i < roles.length; i++) {
        // using your custom security scheme usually something like that
        if (request.isUserInRole(roles[i]))
            return true;
    }
    return false;
}
On Thu, 2004-02-19 at 01:26 +0530, [EMAIL PROTECTED] wrote:
 Hi,
 Thanks for the info Nadeem.but processRoles method is in which Class.
 could you give me some samples.
 Thanks in advance


 Subramaniam Olaganthan
 Tata Consultancy Services
 Mailto: [EMAIL PROTECTED]
 Website: http://www.tcs.com


 Nadeem Bitar [EMAIL PROTECTED]
 02/19/2004 12:59 AM
 Please respond to: Struts Users Mailing List [EMAIL PROTECTED]
 To: Struts Users Mailing List [EMAIL PROTECTED]
 cc:
 Subject: Re: Role based access?



 You have to use JAAS. If you are not using JAAS and still want to use
 the roles attribute in your action mapping you have to override the
 processRoles method .


 On Wed, 2004-02-18 at 20:49 +0530, [EMAIL PROTECTED] wrote:
  Hi Guys,
 
  Struts-config.xml
  <action attribute="Form" roles="userRole">
 
  How do i use this 'roles' attribute to implement role-based access.
 
  Thanks and Regards
 
  Subramaniam Olaganthan
  Tata Consultancy Services
  Mailto: [EMAIL PROTECTED]
  Website: http://www.tcs.com
 

Re: Role based access?

2004-02-18 Thread Paul-J Woodward

If you override the RequestProcessor, I believe you will need to add this to the
struts-config.xml:

  <controller processorClass="com.db.gci.ge.epg.struts.tiles.LocalRequestProcessor"
              locale="false" nocache="true" inputForward="true" />

Change it to suit your needs.

Paul

Global Equity Derivatives Technology
Deutsche Bank


Nadeem Bitar [EMAIL PROTECTED]
18/02/2004 20:11
Please respond to: Struts Users Mailing List
To: Struts Users Mailing List [EMAIL PROTECTED]
cc:
Subject: Re: Role based access?

processRoles method is in RequestProcessor.
You would do something like this:

protected boolean processRoles(HttpServletRequest request,
        HttpServletResponse response, ActionMapping mapping)
        throws IOException, ServletException {
    // roles listed in the action mapping's roles attribute
    String[] roles = mapping.getRoleNames();
    if (roles == null || roles.length == 0)
        return true;
    for (int i = 0; i < roles.length; i++) {
        // using your custom security scheme usually something like that
        if (request.isUserInRole(roles[i]))
            return true;
    }
    return false;
}
On Thu, 2004-02-19 at 01:26 +0530, [EMAIL PROTECTED] wrote:
 Hi,
 Thanks for the info Nadeem.but processRoles method is in which Class.
 could you give me some samples.
 Thanks in advance


 Subramaniam Olaganthan
 Tata Consultancy Services
 Mailto: [EMAIL PROTECTED]
 Website: http://www.tcs.com


 Nadeem Bitar [EMAIL PROTECTED]
 02/19/2004 12:59 AM
 Please respond to: Struts Users Mailing List [EMAIL PROTECTED]
 To: Struts Users Mailing List [EMAIL PROTECTED]
 cc:
 Subject: Re: Role based access?



 You have to use JAAS. If you are not using JAAS and still want to use
 the roles attribute in your action mapping you have to override the
 processRoles method .


 On Wed, 2004-02-18 at 20:49 +0530, [EMAIL PROTECTED] wrote:
  Hi Guys,
 
  Struts-config.xml
  <action attribute="Form" roles="userRole">
 
  How do i use this 'roles' attribute to implement role-based access.
 
  Thanks and Regards
 
  Subramaniam Olaganthan
  Tata Consultancy Services
  Mailto: [EMAIL PROTECTED]
  Website: http://www.tcs.com
 
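The processRoles override from Nadeem's message combined with the 403 response from Paul's, as an added example that is not code from the thread. It assumes Struts 1.x on the classpath; the class name and the "userRoles" session attribute (a Set of role names stored by the application's own login action) are hypothetical.

```java
// Added example, not code from the thread. Assumes Struts 1.x and the Servlet
// API on the classpath. The class name and the "userRoles" session attribute
// are hypothetical: the application's login action is assumed to store a
// Set<String> of role names there after it has authenticated the user.
import java.io.IOException;
import java.util.Collections;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

public class SessionRoleRequestProcessor extends RequestProcessor {

    static final String ROLES_ATTR = "userRoles"; // hypothetical attribute name

    @Override
    protected boolean processRoles(HttpServletRequest request,
                                   HttpServletResponse response,
                                   ActionMapping mapping)
            throws IOException, ServletException {
        // No roles attribute on this <action>: the mapping is unrestricted.
        String[] required = mapping.getRoleNames();
        if (required == null || required.length == 0) {
            return true;
        }

        // Do not create a session here; no session means nobody has logged in.
        HttpSession session = request.getSession(false);
        Object attr = (session == null) ? null : session.getAttribute(ROLES_ATTR);
        // Anything other than a Set is treated as "no roles" (fail closed).
        Set<?> held = (attr instanceof Set) ? (Set<?>) attr : Collections.emptySet();

        for (String role : required) {
            // Roles from a container-managed login still count when present.
            if (held.contains(role) || request.isUserInRole(role)) {
                return true;
            }
        }

        // Denied: record it, answer 403 as in Paul's snippet, and return false
        // so the RequestProcessor stops before the form and the Action run.
        log.warn("Access denied to " + mapping.getPath()
                + " from " + request.getRemoteAddr());
        response.sendError(HttpServletResponse.SC_FORBIDDEN,
                getInternal().getMessage("notAuthorized", mapping.getPath()));
        return false;
    }
}
```

The class takes effect only once it is named in the processorClass attribute of the controller element in struts-config.xml, as in Paul's message.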

RE: Role based access?

2004-02-18 Thread Navjot Singh
in this case, Form is declaratively saying that it can be accessed only by
userRole.
Now when you use CMA, every user will be bound to a role.

RequestController compares the two roles one from user-in-request and other
from ActionMapping/ActionConfig and continue..

However, you can also override the default behaviour of processRoles and go
your own way.

HTH
Navjot Singh

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 18, 2004 8:49 PM
To: Struts Users Mailing List
Subject: Role based access?



Hi Guys,

Struts-config.xml
<action attribute="Form" roles="userRole">

How do i use this 'roles' attribute to implement role-based access.

Thanks and Regards

Subramaniam Olaganthan
Tata Consultancy Services
Mailto: [EMAIL PROTECTED]
Website: http://www.tcs.com





Re: Role based access control

2003-02-04 Thread Craig R. McClanahan


On Wed, 5 Feb 2003, Mohan Radhakrishnan wrote:

 Date: Wed, 5 Feb 2003 10:55:35 +0530
 From: Mohan Radhakrishnan [EMAIL PROTECTED]
 Reply-To: Struts Users Mailing List [EMAIL PROTECTED]
 To: 'Struts Users Mailing List' [EMAIL PROTECTED]
 Subject: Role based access control

 Hi,
 I have a basic doubt.

 Is this correct?

 1. Role base authentication can only be used with login-config

   Without it the following doesn't work. tomcat-users.xml has an
 associated entry.

   <security-constraint>
     <web-resource-collection>
       <web-resource-name>Protected Area</web-resource-name>
       <description>Accessible by only authorized users</description>
       <url-pattern>/error/*.jsp</url-pattern>
     </web-resource-collection>
     <user-data-constraint>
       <description>SSL not required</description>
       <transport-guarantee>NONE</transport-guarantee>
     </user-data-constraint>
     <auth-constraint>
       <role-name>sa</role-name>
     </auth-constraint>
   </security-constraint>


In a servlet 2.2 container, you're correct -- you have to use container
managed security in order to leverage role-based authentication.

In a servlet 2.3 container, it's possible to fake container managed
security, using a javax.servlet.Filter implementation that overrides the
request and response objects passed on to the servlet -- do a google
search for securityfilter for one such project.

 Thanks,
 Mohan


Craig

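The filter approach Craig describes for a servlet 2.3 container, as an added example that is not code from the thread or from the securityfilter project: the filter wraps the request so that isUserInRole(), the call a role check such as processRoles relies on, is answered from session state. The class name and the "userName" and "userRoles" session attributes are hypothetical and assumed to be set by the application's own login code.

```java
// Added example, not code from the thread or from the securityfilter project.
// Assumes Servlet 2.3 or later (javax.servlet). The class name and the
// "userName" / "userRoles" session attributes are hypothetical: the
// application's login code is assumed to set them after authenticating.
import java.io.IOException;
import java.security.Principal;
import java.util.Set;

import javax.servlet.*;
import javax.servlet.http.*;

public class SessionSecurityFilter implements Filter {

    static final String USER_ATTR = "userName";   // hypothetical
    static final String ROLES_ATTR = "userRoles"; // hypothetical

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false); // never create one here
        Object user = (session == null) ? null : session.getAttribute(USER_ATTR);
        Object roles = (session == null) ? null : session.getAttribute(ROLES_ATTR);

        if (user instanceof String && roles instanceof Set) {
            // Logged in: hand the rest of the chain a request that answers the
            // security methods from the session instead of from the container.
            chain.doFilter(new SessionUserRequest(http, (String) user, (Set<?>) roles), res);
        } else {
            // Anonymous or malformed session state: pass the request through
            // unchanged, so the container's own answers still apply.
            chain.doFilter(req, res);
        }
    }

    static final class SessionUserRequest extends HttpServletRequestWrapper {
        private final String user;
        private final Set<?> roles;

        SessionUserRequest(HttpServletRequest request, String user, Set<?> roles) {
            super(request);
            this.user = user;
            this.roles = roles;
        }

        @Override public String getRemoteUser() { return user; }

        @Override public boolean isUserInRole(String role) { return roles.contains(role); }

        @Override public Principal getUserPrincipal() {
            return new Principal() {
                public String getName() { return user; }
            };
        }
    }
}
```

The filter only supplies identity to later code; it has to be mapped in web.xml ahead of the Struts servlet, and denying access remains the job of whatever checks the roles.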