Re: Role-based security

[Chris Miller]

Yep I agree it's bad practice, I'm really just pointing out that it's a possibility that should be taken into account. Guaranteed that someone somewhere will want to have users and groups with the same name, and use Struts :-/   Otherwise tho (and I admit I haven't had time to try your code), what you've created sounds good to me :-) ----- Original Message ----- From: Nic Hobbs To: [EMAIL PROTECTED] Sent: Monday, July 30, 2001 9:39 AM Subject: Re: Role-based security IMHO This is bad practice anyway but if necessary it is easy to change to accept users and groups. ----- Original Message ----- From: Chris Miller To: [EMAIL PROTECTED] Sent: Friday, July 27, 2001 6:23 PM Subject: Re: Role-based security Won't combining the users and groups into a single list in the action element cause problems if there's a user with the same name as a group? ----- Original Message ----- From: Nic Hobbs To: [EMAIL PROTECTED] Sent: Friday, July 27, 2001 4:14 PM Subject: Role-based security Well the ideas for security solidified themselves first - so here is my first attempt - any comments welcome!   I have included in the zip the files I have changed to implement role based security in struts as it stands. There is not a lot in fact.   The basis is as follows. I have extended the struts-config.dtd to add a 'roles' attribute to the 'action' element which can hold a comma separated list of principals (either users or groups) to be checked for each action. The ActionMapping has been extended to add the getters and setters for this attribute. The ActionServlet has an extra call in the processMapping method (if I remember correctly) to call the security check which throws a GeneralSecurityException if there is a problem, which is detected and appropriate action taken (more on this later). I have added two classes. ActionSecurity and ActionSecurityFactory. The ActionSecurity implements the check on the user principal and their roles. It is created by the factory class which picks up the class from the web.xml (via the ActionServlet) which it should instantiate to do the checks. By default this is the ActionSecurity class. This provides two methods checkSecurityRoles which does the main work of checking against getUserPrinicipal and isUserInRole; and mapRoles which can be overridden if necessary. At the moment roles defined in the struts-config.xml must match the principals and groups specific to the app server you are running on rather than the security roles (which may be different) that can be defined in the deployment descriptors for declarative security. This is the default behaviour. If it is possible to discover these mappings in the app server you are using you can create a subclass of ActionSecurity and override the mapRoles method to map between the actual roles and the declared roles. I doubt this is possible in many app servers but have included the hook for the sake of completeness. If you create a subclass define a parameter in the web.xml called securityFactory with the full package scoped classname of the new class. Et voila!   But what happens when the user is found to not be in the correct role? At the moment the user just gets a page not found at the browser level which is good in one way in that if a user went to the URL directly they wouldn't know if the URL is correct or not but we may want it to go to a specific (configurable) 'illegal access' page or something similar. Comments?   I don't know what other ideas people had for this piece so let me know if this is not the sort of thing you were expecting and I'll see what I can do!   Regards,   Nic   PS. Future (easy) extensions may be allowed roles and disallowed roles etc. Let me know...