Subject: Re: User Authentication
From: "David Bolsover" <[EMAIL PROTECTED]>
 ===
Vic

Thanks - you could well be right, my question may be better directed to web
container or JAAS.
What I do know is that using the web.xml .. <security-constraint>,
<auth-constraint> .. features is not sufficiently flexible for my needs -- I
need to be able to create new users with new, as yet undefined security
privileges, dynamically, with the webapp itself.
My question I suppose is more about how to model the security privileges
rather than how to implement.

David

"Vic C." <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> This is a web container or a JAAS question.
> It is hard to say based on your e-mail if you already did it or you are
> asking how.
> Typically, after the Struts application is constructed, JAAS is added.
> Any Servlet 2.2 or Servlet 2.3 container has container based security.
> What container are you using?
> You would specify the JDBC realm table where the user id is stored.
> In web.xml you add a <security-constraint>, <auth-constraint> and
> <login-config>. It will intercept a request to a protected resource,
> authenticate and then forward to the requested page for you. 0 code!
> http://www.onjava.com/pub/a/onjava/2001/07/24/tomcat.html
> After you read up on JAAS and implement above feel free to ask again.
>
> To extend JAAS is easy. You can use a Servlet API to find the user's role
> and/or name. (Based on that, you can enable and disable menu items in
> Struts-menu. If there is more info, I create a bean in session that is
> populated based on the user's role or name).
> The thing about row based security is that it is the same screen and
> fields that display different information. So the thing to do is have
> your action send the user's role or name to the model. The model would
> then, in addition to your regular where, append a where user_id = ?,
> thus only hits would return.
> basebeans.com/book.jsp chapter 16 shows how to do row based security.
>
> This is a web container or a JAAS question.
> Did I say that already? Everyone ends up following the very old example
> of the Struts sample application and writing the login screen when the
> web container does it for you. CRUFT.
>
> Hth,
> Vic
>
>
> David Bolsover wrote:
> > Hi all
> >
> > I have a Struts based app to which I need to add some moderately complex
> > user access privileges.
> >
> > At present, users log-in using form based authentication and I then place
> > a User object in session scope which is checked when a user requests a
> > particular set of data to find out if the request is legal. Currently, the
> > checks are just on product codes but this needs to be extended - see below.
> >
> > All data is held in a centura database
> >
> > Each user can access an individual customer account; each customer has
> > several product codes, each product code may have several products - I need
> > to be able to control the access each user has to the system in a reasonably
> > fine-grained manner.
> >
> > Also, there are users who can access supplier accounts in similar fashion
> > and there may be a future requirement for file access privileges to be
> > defined.
> >
> > Does anyone have any experience of systems that feature this type of access
> > control?
> >
> > If so, any hints and tips would be welcome.
> >
> > regards
> >
> > David Bolsover
> > [EMAIL PROTECTED]
> >
> >
>
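
Added example, not part of the thread: one way to combine the two ideas discussed above, privileges kept as data rows that the webapp can create at runtime and the per-user `where user_id = ?` predicate appended by the model. It is sketched in Python with SQLite so it runs stand-alone; the `?` binding is the same one a JDBC PreparedStatement uses. The table names, column names, sample rows and the `*` wildcard convention are assumptions made for this illustration.

```python
import sqlite3

# Constructed schema for illustration; all table and column names are assumptions.
SCHEMA = """
CREATE TABLE product (id INTEGER PRIMARY KEY, customer TEXT,
                      product_code TEXT, name TEXT);
CREATE TABLE access_grant (            -- one row per privilege, inserted at runtime
    user_id      TEXT NOT NULL,
    customer     TEXT NOT NULL,
    product_code TEXT NOT NULL,        -- '*' = every product code of that customer
    PRIMARY KEY (user_id, customer, product_code));
"""
# Constructed sample rows.
ROWS = [(1, "ACME", "PC-10", "widget"), (2, "ACME", "PC-20", "gear"),
        (3, "GLOBEX", "PC-10", "valve")]

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO product VALUES (?, ?, ?, ?)", ROWS)
    return db

def grant(db, user_id, customer, product_code="*"):
    """Create a privilege at runtime: plain data, no web.xml change or redeploy."""
    db.execute("INSERT OR IGNORE INTO access_grant VALUES (?, ?, ?)",
               (user_id, customer, product_code))

def visible_products(db, user_id, name_like="%"):
    """The regular WHERE plus the per-user predicate, both bound with ?.
    user_id must come from the authenticated session (for example the
    container's getRemoteUser()), never from a request parameter."""
    sql = """SELECT p.name FROM product p
             WHERE p.name LIKE ?
               AND EXISTS (SELECT 1 FROM access_grant g
                           WHERE g.user_id = ?
                             AND g.customer = p.customer
                             AND g.product_code IN ('*', p.product_code))
             ORDER BY p.id"""
    return [row[0] for row in db.execute(sql, (name_like, user_id))]

if __name__ == "__main__":
    db = open_db()
    grant(db, "alice", "ACME")            # whole customer account
    grant(db, "bob", "ACME", "PC-20")     # a single product code
    for user in ("alice", "bob", "mallory"):
        print(user, visible_products(db, user))
```

A user with no grant rows sees nothing, so the default is deny; supplier or file privileges would be further grant tables or an extra resource-type column following the same pattern.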


