RE: Newbie: Using Struts with JAAS?
Hello,

A simple home brew approach would be to develop a custom ActionMapping and use it. Then on every action (based on the request made) call the custom ActionMapping and check which groups are allowed. This way you can divide the users in groups. And in your struts-config.xml's action mapping tag you can specify which groups it is allowed and similarly you can check if the requested user belongs to this group.

In my opinion JAAS takes care of a lot of scenarios but it's about 80-20 factor, if you can solve 80% of your possible problems by 20% approach it should work just fine.

Hope this helps
rajat

-----Original Message-----
From: Adam Lipscombe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 16, 2004 3:39 PM
To: 'Struts Users Mailing List'
Subject: RE: Newbie: Using Struts with JAAS?

Hi Joe,

Thanks for that. I can't comment on which approach is most appropriate 'cos I haven't used them. Really I am looking for advice on which is the most practical "real-world" way to enforce security in a Struts 1.1 environment.

I don't need anything fancy - just logging a user in and then preventing access to certain URLs, based on the user's role.

I have tight deadlines and can't afford to spend heaps of time researching and experimenting with the various security options. I need a simple example of something that works and is robust.

In previous projects I have used home-grown security like the approach I mentioned originally. But having done some reading on JAAS and Tomcat security (realms) maybe these approaches are better? I don't want to re-invent anything.

Thanks for your input
Adam

-----Original Message-----
From: Joe Hertz [mailto:[EMAIL PROTECTED]
Sent: 16 June 2004 10:22
To: 'Struts Users Mailing List'
Subject: RE: Newbie: Using Struts with JAAS?

You've got a middle case you're not mentioning. What's wrong with container managed/declarative security (ex: A JDBCRealm) or something a shade more robust like SecurityFilter?

> -----Original Message-----
> From: Adam Lipscombe [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 16, 2004 5:11 AM
> To: 'Struts Users Mailing List'
> Subject: Newbie: Using Struts with JAAS?
>
> Folks,
>
> I am struggling to understand how to use JAAS with Struts 1.1.
> I need a simple-to-follow example.
>
> The requirement is for standard authentication and permission
> handling - logging a user in and checking that they have
> permission to access an Action or URL.
>
> Should I use JAAS or home-grown security?
>
> If I go down the home-grown route logging in a user is no problem.
> One way that occurs to me to enforce permissions is to put a
> check into each JSP to ensure that the user has the
> appropriate role to view that page and redirect if not.
>
> What do people think? Is JAAS the way to go?
> If JAAS, what are the advantages in a Struts context?
> Is there a simple JAAS example somewhere that I can cut and
> paste from?
>
> TIA - Adam
RE: Newbie: Using Struts with JAAS?
In my organization, we use JAAS with Struts through the RequestProcessor class. There are two cases:

- With respect to authentication, we use an action (LogonAction) which is responsible for creating a JAAS subject in session.
- With respect to authorization, simply extend RequestProcessor class from Struts, and overwrite method processActionPerform, to add some authorization logic based on JAAS (remember this is the point where all actions are created and invoked from Struts).

Hope it can help,
Enrique Medina.

From: "Adam Lipscombe" <[EMAIL PROTECTED]>
Reply-To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
To: "'Struts Users Mailing List'" <[EMAIL PROTECTED]>
Subject: Newbie: Using Struts with JAAS?
Date: Wed, 16 Jun 2004 10:10:45 +0100

Folks,

I am struggling to understand how to use JAAS with Struts 1.1. I need a simple-to-follow example.

The requirement is for standard authentication and permission handling - logging a user in and checking that they have permission to access an Action or URL.

Should I use JAAS or home-grown security?

If I go down the home-grown route logging in a user is no problem. One way that occurs to me to enforce permissions is to put a check into each JSP to ensure that the user has the appropriate role to view that page and redirect if not.

What do people think? Is JAAS the way to go?
If JAAS, what are the advantages in a Struts context?
Is there a simple JAAS example somewhere that I can cut and paste from?

TIA - Adam
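The two suggestions in this thread, a custom ActionMapping that carries the allowed groups and a RequestProcessor whose processActionPerform checks a JAAS Subject held in the session, combined in one class. This is an added example, not code from the thread or from Struts; the class names, the session key, the `groups` property and `GroupPrincipal` are assumptions.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import org.apache.struts.action.*;

// Hypothetical names throughout; enable with <controller processorClass="JaasRequestProcessor"/>.
public class JaasRequestProcessor extends RequestProcessor {
    // Assumption: the logon action stores the authenticated Subject under this key.
    public static final String SUBJECT_KEY = "jaas.subject";

    // Used as <action className="JaasRequestProcessor$GroupMapping" ...> with
    // <set-property property="groups" value="admin,manager"/> in struts-config.xml.
    public static class GroupMapping extends ActionMapping {
        private String groups = "";
        public String getGroups() { return groups; }
        public void setGroups(String groups) { this.groups = groups; }
    }
    // Assumption: the LoginModule adds one GroupPrincipal per group to the Subject.
    public static final class GroupPrincipal implements Principal, java.io.Serializable {
        private final String name;
        public GroupPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    @Override
    protected ActionForward processActionPerform(HttpServletRequest request,
            HttpServletResponse response, Action action, ActionForm form,
            ActionMapping mapping) throws IOException, ServletException {
        // Plain ActionMapping entries (such as the logon action) stay public.
        if (mapping instanceof GroupMapping && !isAllowed(request, (GroupMapping) mapping)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return null; // error already sent; the Action is never invoked
        }
        return super.processActionPerform(request, response, action, form, mapping);
    }

    private boolean isAllowed(HttpServletRequest request, GroupMapping mapping) {
        HttpSession session = request.getSession(false); // never create a session here
        Object attr = (session == null) ? null : session.getAttribute(SUBJECT_KEY);
        if (!(attr instanceof Subject)) return false; // not logged in: fail closed
        String[] allowed = mapping.getGroups().split("\\s*,\\s*");
        // Match GroupPrincipal only, so a user name equal to a group name grants nothing.
        for (GroupPrincipal p : ((Subject) attr).getPrincipals(GroupPrincipal.class)) {
            if (Arrays.asList(allowed).contains(p.getName())) return true;
        }
        return false;
    }
}
```

Mappings that use `forward=` or `include=` are dispatched before processActionPerform runs and so bypass this check. JSPs requested directly bypass it as well, so they belong under WEB-INF where only a forward can reach them.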
RE: Newbie: Using Struts with JAAS?
Hi Joe,

Thanks for that. I can't comment on which approach is most appropriate 'cos I haven't used them. Really I am looking for advice on which is the most practical "real-world" way to enforce security in a Struts 1.1 environment.

I don't need anything fancy - just logging a user in and then preventing access to certain URLs, based on the user's role.

I have tight deadlines and can't afford to spend heaps of time researching and experimenting with the various security options. I need a simple example of something that works and is robust.

In previous projects I have used home-grown security like the approach I mentioned originally. But having done some reading on JAAS and Tomcat security (realms) maybe these approaches are better? I don't want to re-invent anything.

Thanks for your input
Adam

-----Original Message-----
From: Joe Hertz [mailto:[EMAIL PROTECTED]
Sent: 16 June 2004 10:22
To: 'Struts Users Mailing List'
Subject: RE: Newbie: Using Struts with JAAS?

You've got a middle case you're not mentioning. What's wrong with container managed/declarative security (ex: A JDBCRealm) or something a shade more robust like SecurityFilter?

> -----Original Message-----
> From: Adam Lipscombe [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 16, 2004 5:11 AM
> To: 'Struts Users Mailing List'
> Subject: Newbie: Using Struts with JAAS?
>
> Folks,
>
> I am struggling to understand how to use JAAS with Struts 1.1.
> I need a simple-to-follow example.
>
> The requirement is for standard authentication and permission
> handling - logging a user in and checking that they have
> permission to access an Action or URL.
>
> Should I use JAAS or home-grown security?
>
> If I go down the home-grown route logging in a user is no problem.
> One way that occurs to me to enforce permissions is to put a
> check into each JSP to ensure that the user has the
> appropriate role to view that page and redirect if not.
>
> What do people think? Is JAAS the way to go?
> If JAAS, what are the advantages in a Struts context?
> Is there a simple JAAS example somewhere that I can cut and
> paste from?
>
> TIA - Adam
RE: Newbie: Using Struts with JAAS?
Hi Adam,

In Tomcat 4.1.X there is an application (admin) that is based upon JAAS and Struts. It uses MemoryRealm to identify the users (a file "tomcat-users.xml" in $TOMCAT_HOME/conf).

Watch WEB.XML (for security-rules) and login.jsp in $TOMCAT_HOME/server/webapps/admin

There is also a simple logoutAction...:
http://cvs.apache.org/viewcvs.cgi/jakarta-tomcat-4.0/webapps/admin/WEB-INF/classes/org/apache/webapp/admin/LogOutAction.java?rev=1.1&view=markup

Hope that helps you!

> -----Original Message-----
> From: Adam Lipscombe [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 16, 2004 11:11 AM
> To: 'Struts Users Mailing List'
> Subject: Newbie: Using Struts with JAAS?
>
> Folks,
>
> I am struggling to understand how to use JAAS with Struts 1.1.
> I need a simple-to-follow example.
>
> The requirement is for standard authentication and permission
> handling - logging a user in and checking that they have
> permission to access an Action or URL.
>
> Should I use JAAS or home-grown security?
>
> If I go down the home-grown route logging in a user is no problem.
> One way that occurs to me to enforce permissions is to put a
> check into each JSP to ensure that the user has the
> appropriate role to view that page and redirect if not.
>
> What do people think? Is JAAS the way to go?
> If JAAS, what are the advantages in a Struts context?
> Is there a simple JAAS example somewhere that I can cut and
> paste from?
>
> TIA - Adam
Re: Newbie: Using Struts with JAAS?
Try looking at JGuard!

regds
r-a-v-i

----- Original Message -----
From: "Adam Lipscombe" <[EMAIL PROTECTED]>
To: "'Struts Users Mailing List'" <[EMAIL PROTECTED]>
Sent: Wednesday, June 16, 2004 2:40 PM
Subject: Newbie: Using Struts with JAAS?

> Folks,
>
> I am struggling to understand how to use JAAS with Struts 1.1.
> I need a simple-to-follow example.
>
> The requirement is for standard authentication and permission handling -
> logging a user in and checking that they have permission to access an Action
> or URL.
>
> Should I use JAAS or home-grown security?
>
> If I go down the home-grown route logging in a user is no problem.
> One way that occurs to me to enforce permissions is to put a check into each
> JSP to ensure that the user has the appropriate role to view that page and
> redirect if not.
>
> What do people think? Is JAAS the way to go?
> If JAAS, what are the advantages in a Struts context?
> Is there a simple JAAS example somewhere that I can cut and paste from?
>
> TIA - Adam
RE: Newbie: Using Struts with JAAS?
You've got a middle case you're not mentioning. What's wrong with container managed/declarative security (ex: A JDBCRealm) or something a shade more robust like SecurityFilter?

> -----Original Message-----
> From: Adam Lipscombe [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 16, 2004 5:11 AM
> To: 'Struts Users Mailing List'
> Subject: Newbie: Using Struts with JAAS?
>
> Folks,
>
> I am struggling to understand how to use JAAS with Struts 1.1.
> I need a simple-to-follow example.
>
> The requirement is for standard authentication and permission
> handling - logging a user in and checking that they have
> permission to access an Action or URL.
>
> Should I use JAAS or home-grown security?
>
> If I go down the home-grown route logging in a user is no problem.
> One way that occurs to me to enforce permissions is to put a
> check into each JSP to ensure that the user has the
> appropriate role to view that page and redirect if not.
>
> What do people think? Is JAAS the way to go?
> If JAAS, what are the advantages in a Struts context?
> Is there a simple JAAS example somewhere that I can cut and
> paste from?
>
> TIA - Adam