Hi guys,

Thanks, I appreciate all of your responses. Brandon, I wasn't aware that JSPs within WEB-INF weren't publicly available - every day's a school day :)

I'll just explain my current set up a bit more:

- FORM-based auth
- Custom SecurityInterceptor with a J2EESecurityManager which validates ACL against the domain's security realm for ActionBeans / Methods
- JSPs have no security, a user can request any JSP without being logged in

I think the simplest solution to protect my JSPs would be a Servlet Filter. The filter will check if the JSP requested lives in the private directory; if it does, check that the user is in session (logged in), and if not, forward to the login page. If the user is logged in, continue with the filter chain.

Does that sound like a reasonable solution?

Cheers,
Phil

On Tue, Jun 23, 2009 at 6:40 PM, Brandon Goodin <[email protected]> wrote:
> I place my jsp pages into WEB-INF/jsp/. That prevents them from being
> publicly viewable and requires access to go through the controller. I get
> the auto resolution in stripes by extending the NameBasedActionResolver and
> overriding the findView method to look in /WEB-INF/jsp/.
>
> public class MyActionResolver extends NameBasedActionResolver {
>     protected Resolution findView(String urlBinding) {
>         return super.findView("/WEB-INF/jsp" + urlBinding);
>     }
> }
>
> As far as authentication and authorization, that can be accomplished in a
> multitude of ways. Following are a few thoughts.
>
> One way is a servlet filter that checks if the user is logged in and
> checks access permission (using roles perhaps).
> * If the user isn't logged in, forward to a login page and/or provide a login
>   form on the publicly accessible pages.
> * If the user doesn't have permission, redirect them to an access denied screen.
>
> You could use a stripes interceptor in a similar manner as the servlet
> filter. I prefer a servlet filter simply because there may be greater needs
> than just access to stripes actions.
>
> You could also use straight up form based authentication servlet style if
> your requirements are simple.
>
> Brandon
>
> On Tue, Jun 23, 2009 at 11:04 AM, phil darley <[email protected]> wrote:
>>
>> Hi,
>>
>> I'm using Oscar's security solution for my ActionBeans and I was
>> going to use a security constraint within the web.xml file to secure
>> all my JSPs that sit within a /private/ directory. However I don't
>> like this solution because it forces me to specify a rolename; I just
>> want a user to be logged in - not have any specific role - for my app
>> this would also mean adding a 'base' role to 500+ users.
>>
>> Is there a way to configure the SecurityInterceptor to do this, i.e.
>> intercept after the initial resource request, if URL contains
>> /private/, send forward the SecurityManager.
>>
>> Cheers,
>> Phil
>>
>> ------------------------------------------------------------------------------
>> Are you an open source citizen? Join us for the Open Source Bridge
>> conference!
>> Portland, OR, June 17-19. Two days of sessions, one day of unconference:
>> $250.
>> Need another reason to go? 24-hour hacker lounge. Register today!
>>
>> http://ad.doubleclick.net/clk;215844324;13503038;v?http://opensourcebridge.org
>> _______________________________________________
>> Stripes-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/stripes-users
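An added example, written for this thread and not code posted by Phil or Brandon nor part of Stripes or Oscar's stripes-security: a servlet filter that implements the check Phil proposes. It assumes three things the thread does not specify: the login ActionBean stores the authenticated user under the session attribute `user`, the protected JSPs live under `/private/`, and the login page is `/login.jsp`.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Guards direct requests for JSPs under /private/: anonymous users are
 * forwarded to the login page, logged-in users continue down the chain.
 * The attribute name, prefix and login path below are assumptions made
 * for this example, not values from the mailing-list thread.
 */
public class PrivateJspFilter implements Filter {

    private static final String PRIVATE_PREFIX = "/private/";   // assumed
    private static final String USER_ATTRIBUTE = "user";        // assumed, set at login
    private static final String LOGIN_PAGE = "/login.jsp";      // assumed

    public void init(FilterConfig config) throws ServletException {
        // Nothing to configure; values could be read from init-params instead.
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isPrivate(request) && !isLoggedIn(request)) {
            // Forward, as Phil proposed, so the login view is rendered in place
            // of the requested JSP and the JSP itself is never executed.
            request.getRequestDispatcher(LOGIN_PAGE).forward(request, response);
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * Path test on the container-decoded, normalized servlet path (context
     * path excluded), so "/private/../x.jsp" style inputs have already been
     * collapsed by the container before the prefix comparison runs.
     */
    static boolean isPrivate(HttpServletRequest request) {
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        return path.startsWith(PRIVATE_PREFIX);
    }

    /**
     * getSession(false) avoids creating a session for every anonymous hit;
     * "logged in" means the login code stored a non-null user attribute.
     */
    static boolean isLoggedIn(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session != null && session.getAttribute(USER_ATTRIBUTE) != null;
    }
}
```

Register it in web.xml with a `filter-mapping` whose `url-pattern` is `/private/*` (or `/*` if the same filter should later gate other paths), so the container's own URL matching decides what reaches the filter and the prefix check inside is defense in depth. Two points worth keeping in mind: a filter mapped only for the default REQUEST dispatch does not run on forwards from ActionBeans into /private/, which is usually what you want because the SecurityInterceptor has already authorized that action; and Brandon's WEB-INF placement removes this class of problem entirely, since the container refuses direct requests for anything under WEB-INF regardless of how the filter is written.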
