Greetings,

I am nearing the completion of the code and it should be on SourceForge in the next day or two. I will be following it up with documentation and examples over the next week.

FYI - I am finishing up an overhaul on the code so that it fits into the container managed security and yet provides the necessary flexibility that many of us need (i.e. multiple login pages, prelogin capabilities, and maintained logins). I have accomplished this by creating a plugin of sorts. This plugin uses two mechanisms: a Filter Class and a Servlet Class. I have named the Servlet Class "Security Controller Servlet" because it handles the validation against the container managed security by receiving the form calls and preparing the container to validate. The filter works to identify protected URLs, which are specified in the security.xml file.

Setup should be pretty easy: Within your web.xml you set up a "bogus" security-constraint that uses the "Security Controller Servlet" as its error page and login page. Also, the "SCS" (Security Controller Servlet) is set as the 403 error page (forbidden error). You also set up the SecurityInit class to initialize upon app start in the web.xml. Also set up is a security.xml file that defines various Security Constraints that map to different login pages, so that if someone requests www.mydomain.com/shopping/ it takes them to the shopping login page, versus if someone requests www.mydomain.com/admin/ it would take them to the admin login page.

Another convenience is that you can log in from any page you want to. You don't have to hit a secure URL first. You can have a login/pass on your homepage or even an auto login that uses cookies.

When you start your app up, the security.xml file is read into an Application scope bean that provides the info for the URL Filter class to screen protected URLs. The nice thing about this is that all of the programmatic methods are available to do container based role checking. This is good because many APIs like "tiles" and "struts menu" are looking to take advantage of these methods more and more.

I have not tested this code on other containers.
It uses RequestDispatcher and response.sendRedirect() classes and methods in concert with a Filter. So, behavior may be different on various containers. I am testing it now on Tomcat 4.0.3. A Servlet 2.3 container is necessary. Other dependencies are commons-digester from Jakarta.

This security is not Struts specific, but is developed to fit into a Struts app.

Anyhow, I'm working hard to get this up and I hope it suits many people's needs. I am sure there are many other features that we could add to it. I have been working in a vacuum on this, so when it is released things may need to change. I look forward to hearing back from you.

Thanks,
Brandon Goodin
Phase Web and Multimedia
P (406) 862-2245
F (406) 862-0354
[EMAIL PROTECTED]
http://www.phase.ws

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 15, 2002 4:49 PM
To: [EMAIL PROTECTED]
Subject: struts security

Good evening Brandon,

I read of your work on the archives and I would like to check out your solution. I've been looking for a clear cut security solution but have not found one yet. Please let me know when I can get a hold of your code and any examples you may have.

Thanks much.
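
The web.xml wiring described in the reply above, as an added example that is not part of the original thread and not the project's own code. It uses only standard Servlet 2.3 deployment descriptor elements; the class names, the /scs mapping, the /container-protected/* pattern, the role name, and SecurityInit being a load-on-startup servlet are all assumptions.

```xml
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <!-- Filter that screens every request against the protected URLs loaded
       from security.xml (hypothetical class name) -->
  <filter>
    <filter-name>securityFilter</filter-name>
    <filter-class>example.security.UrlSecurityFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>securityFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <!-- Reads security.xml at application start (assumed to be a servlet) -->
  <servlet>
    <servlet-name>securityInit</servlet-name>
    <servlet-class>example.security.SecurityInit</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <!-- The "Security Controller Servlet" (SCS), hypothetical class and path -->
  <servlet>
    <servlet-name>scs</servlet-name>
    <servlet-class>example.security.SecurityControllerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>scs</servlet-name>
    <url-pattern>/scs</url-pattern>
  </servlet-mapping>
  <!-- Forbidden responses are routed to the SCS -->
  <error-page>
    <error-code>403</error-code>
    <location>/scs</location>
  </error-page>
  <!-- The "bogus" constraint: it exists so the container enables FORM login;
       the real protected URLs live in security.xml -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>placeholder</web-resource-name>
      <url-pattern>/container-protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/scs</form-login-page>
      <form-error-page>/scs</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>user</role-name></security-role>
</web-app>
```

With a catch-all filter mapping like this one, the filter also sees requests for the login pages themselves, so those paths have to be excluded from the protected set or unauthenticated users will loop on redirects.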