Struts2 and Security

2009-06-19 Thread aum strut
Hi All,

We are about to develop a new application using Struts2. Currently we
are analysing the area of authentication and authorization, and we have some
options of using the following frameworks for these:

1) Acegi
2) JAAS

My point is whether anyone on the list is using any of these security
frameworks. Please let me know about their experiences, so that it will help us in
choosing the right security model.

Regarding the platform, we have decided to use the following:

1) Struts2
2) JSP/Velocity
3) Hibernate
4) YUI

These are the core building blocks; the rest of the technologies and frameworks can be
chosen as required.

Looking forward to your valuable suggestions.

Thanks in advance,
aum


Re: Struts2 and Security

2009-06-19 Thread Jim Kiley
I can't speak in too much depth about JAAS in general, nor about certain
aspects of Acegi, but we've been using Acegi (now Spring Security) in
production with a Struts 2 site for a couple of months and we are very
pleased with the relative ease of implementation.
Without knowing what you want out of a security system I can't really
provide more information.  We're using Spring Security to access a few
simple database tables that provide user authentication and authorization
info.  I haven't tried integrating it with the client's Active Directory
setup yet so I can't speak to clever stuff like that.

jk




-- 
Jim Kiley
Senior Technical Consultant | Summa
[p] 412.258.3346
http://www.summa-tech.com


RE: Struts2 and Security

2009-06-19 Thread Kofford, C Todd
I developed a webapp about a year ago, using struts 2 and a security
package called (at the time) jsecurity. Since then, jsecurity has become
an apache project and has been renamed Apache Ki/Shiro. I guess that
there was a naming conflict with the "Ki" name, so it is now called
Apache Shiro (as of very recently). 
http://www.jsecurity.org/ (old independent website)
http://incubator.apache.org/ki/ (apache website - probably soon to be
renamed shiro)

Naming issues aside, this was an excellent security package providing
authentication and authorization that was pretty easy to learn,
flexible, and very powerful. The support that I received from the
project's founders was second to none (Thanks Les & Jeremy!). One of my
colleagues here at KU, Bruce Phillips, has also posted some tutorials
(linked to from the apache website) to get you started.

You should really check into it.

Todd Kofford
tkoff...@ku.edu
University of Kansas - IT





RE: Struts2 and Security

2009-06-19 Thread Farshad Rabbani

Hi Todd,

I hope you don't mind that I am emailing you directly.  I am
about to start work on an immigration project for Belize using Struts2.  I am
new to struts but wanted to use it for this project.  I am using MySQL for my
database and have 30+ tables.  I also have a table for users, password etc.
However, after reading your post, I became very interested in using jsecurity
instead of having to worry about implementing authentication etc. myself.  I
have downloaded the zip file from the URL you provided.  However, I was
wondering if it is possible that I see some sample of your app where you
actually use jsecurity with struts2.  I am clueless about how to combine
jsecurity with struts and also how to incorporate it with my existing database
etc.  I usually learn better by seeing a working example where I can adapt
ideas of it to suit my needs.  If it is not too much trouble, could you send
me some aspects of your struts2 project where you used jsecurity?  I would
appreciate your help greatly.  Thank you for any assistance you can provide.

Kind Regards,

Farshad Rabbani

 



Re: Struts2 and Security

2009-06-19 Thread Jim Kiley
Hi Farshad,
I hope you don't mind that your direct email to Todd went to the whole list.

jk





-- 
Jim Kiley
Senior Technical Consultant | Summa
[p] 412.258.3346
http://www.summa-tech.com


Re: Struts2 and Security

2009-06-21 Thread dusty

We have used Spring Security in the last 10 struts2 apps.  We have some that
use a local user store in the database, others that use LDAP to AD and some
that use Atlassian's Crowd.  

Spring Security is very easy to add to your app and gives just about
everything you need. I have not ventured into some of the more advanced
ACL features for securing individual objects, but it is also fairly
straightforward to provide method level security.

A good example of Spring Security implemented on top of Struts2 is the
appfuse framework.  http://appfuse.org.







Re: Struts2 and Security

2009-06-21 Thread aum strut
Hi All,

My main point was also this: we were about to choose Spring Security, but as
we are not going to use Spring in our application, we were just a bit
confused (:) ) whether we can use this framework even without using Spring??

Hope to get some light on this.



Re: Struts2 and Security

2009-06-21 Thread dusty

Although Spring Security may have some dependencies on the Spring Framework,
the inclusion of those libraries should not affect the rest of your
application if you do not intend to use Spring for Dependency Injection,
etc.  In fact, the only trouble would be if you did use Spring and had some
requirement for an older version that Spring Security doesn't support.

Spring Security is implemented through an HTTP filter so it runs outside of
your S2 application and wraps the requests.  You can make static calls to
SecurityContext inside your struts actions to find out information about the
currently logged in user.  Often, people will wrap these types of calls in a
facade to insulate their application from any Spring-type
imports/dependencies in case they wanted to change security providers in the
future.

-D
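
The facade described in the message above, as an added example that is not part of the original post or of any project named in the thread. It assumes Spring Security 3 or later package names (older releases use different packages) and Struts 2 on the classpath; `CurrentUser`, `SpringSecurityCurrentUser`, `AccountAction` and the `ROLE_USER` role name are hypothetical.

```java
// Added example: keeps every Spring Security import in one class so the
// Struts 2 actions depend only on an application-owned interface.
import com.opensymphony.xwork2.ActionSupport;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

/** Application-owned view of the caller; no Spring types leak through it. */
interface CurrentUser {
    boolean isLoggedIn();
    String getUsername();            // null when nobody is logged in
    boolean hasRole(String role);
}

/** The only class that talks to Spring Security's static SecurityContext. */
final class SpringSecurityCurrentUser implements CurrentUser {

    private Authentication authentication() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Request did not pass through the security filter, or is not authenticated.
        if (auth == null || !auth.isAuthenticated()) return null;
        // With anonymous authentication enabled, visitors who never logged in
        // carry an AnonymousAuthenticationToken whose isAuthenticated() is true.
        if (auth instanceof AnonymousAuthenticationToken) return null;
        return auth;
    }

    public boolean isLoggedIn() { return authentication() != null; }

    public String getUsername() {
        Authentication auth = authentication();
        return auth == null ? null : auth.getName();
    }

    public boolean hasRole(String role) {
        Authentication auth = authentication();
        if (auth == null) return false;
        for (GrantedAuthority granted : auth.getAuthorities()) {
            if (role.equals(granted.getAuthority())) return true;
        }
        return false;
    }
}

/** Struts 2 action that sees the facade only and fails closed. */
public class AccountAction extends ActionSupport {
    private final CurrentUser currentUser;
    private String username;

    public AccountAction() { this(new SpringSecurityCurrentUser()); }

    // Lets tests or a different security provider supply another implementation.
    AccountAction(CurrentUser currentUser) { this.currentUser = currentUser; }

    @Override
    public String execute() {
        if (!currentUser.isLoggedIn()) return LOGIN;           // no identity: go to login
        if (!currentUser.hasRole("ROLE_USER")) return ERROR;   // constructed role name
        username = currentUser.getUsername();
        return SUCCESS;
    }

    public String getUsername() { return username; }
}
```

Swapping security providers then means writing one new `CurrentUser` implementation; the URL-level rules enforced by the filter remain the primary control, and the in-action checks are a second layer.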





Re: Struts2 and Security

2009-06-22 Thread Dave Newton

aum strut wrote:

> my main point was also this we were about to choose Spring Security but as
> we are not going to use Spring in our application so we were just a bit
> confused (:) ) if we can use this frame work even without using Spring??


You want to use Spring Security without Spring?

Dave




Re: Struts2 and Security

2009-06-22 Thread aum strut
Dave,
Our requirement is to use a good authentication framework for our application,
and as per the initial application draft we are not going to use Spring in
our application.

As we have found that Spring Security is quite a mature framework, we are
just investigating the option of whether we can use it without using Spring at all,
but as suggested, if we can use it by including only some libraries then this
is not a bad choice at all.

Thanks Dustin for the detailed explanation, we are surely going to dig into
this framework.

>


Re: Struts2 and Security

2009-06-23 Thread Dave Newton

aum strut wrote:

> Our requirement is to use good authentication framework for our application
> and as per the initial application draft we are not going to use spring in
> our application.
>
> as we have found that Spring Security is quite a matured framework so we are
> just investigating the option, if we can use it without using spring at all,
> but as suggested if we can use it by including only some libraries than this
> is not a bad choice at all.


I'm pretty sure that Spring Security requires the use of Spring--I'm not 
sure how this fact can escape you. Here's the first sentence of the 
first paragraph on the Spring Security site:


"Spring Security is one of the most mature and widely used Spring projects."

Just because Spring isn't being used by anything *else* in your app 
doesn't mean it doesn't use Spring.


(It's difficult for me to understand why you'd not want to use Spring 
anywhere else in the app, unless you're using another IoC/DI solution.)


Dave




Re: Struts2 and Security

2009-06-23 Thread aum strut
Thanks, Dave, for the details. As I myself do not know very much about
Spring, maybe we have to look into this and into the draft in more
detail.



>