Excellent explanation, Erik. Consider adding this to the Struts Wiki for posterity? Must be a place for it in there somewhere ...
Erik Weber <[EMAIL PROTECTED]> wrote on 08/19/2004 08:31:08 AM: > Sorry, by "hand-rolled" I just mean one that is written specifically for > the application (written by you). > > The general idea is something like this: > > Make a BaseAction class. > > Implement a checkLogin method in the BaseAction class that looks in the > current request's HttpSession for a "User" object, which you would have > placed into the session in your LoginAction. > Implement a checkPermission method in the BaseAction class that looks in > the current HttpSession for a role associated with the user (maybe this > is part of the "User" object) that matches the role required for the > current request (or you can go as fine-grained as you want, with many > different permissions to check for a single request) to be granted. > > All your Action classes extend the BaseAction class. They can invoke the > checkLogin and/or the checkPermission methods at the beginning of the > execute method to decide whether/how to proceed. > > Write a LoginAction class that sets the "User" action, along with > permissions, roles, etc., whatever else is needed in your checkLogin and > checkPermission methods, in the session after login has succeeded (you > have taken the entered username and password and matched them > successfully against a username and password combination in your > database -- typically in a USERS table). > > Write a Logout Action that invalidates the current session. > > Alternatively, you could check the login and the permissions the same > way, but in a sublass of the Struts RequestProcessor, or in a Servlet > Filter, instead of in a BaseAction class. > > If you want to go with container-managed security and you can use > Tomcat, try this (you should probably read it anyway). > > http://jakarta.apache.org/tomcat/tomcat-5.0-doc/realm-howto.html > > I also suggest you read the security section of the J2EE tutorial, and > the security sections of the JSP and Servlet specifications. > > If you go with container-managed security, it's real easy to allow/deny > entire JSPs, but you still may need to implement finer-grained > permissions checks on your own if you need to, for example, show/hide > links on a page based on permissions. > > Erik > > Leandro Melo wrote: > > >Erik, > >i don't quite understand what you call a hand-rolled > >java component (maybe because of my english). > >Anyway, it seems to me that you're not using JAAS to > >completely control application's security, are u? > >I don't know if it possible, but if so, would you post > >your setup and basic classes? > >I'm very very new at security stuff... > >Anyway, i cleared out a lot of things for me. > > > >Thanks, > >Leandro. > > > > > > --- Erik Weber <[EMAIL PROTECTED]> escreveu: > > > > > >>I don't really consider myself an expert here, but I > >>dare say that there > >>are a lot of webapps deployed out there using > >>programmatic (hand-rolled) > >>security successfully. I have used the approach with > >>success. What > >>exactly the advantages are to using > >>container-managed security I am not > >>able to fully deduce (except for the obvious -- it's > >>nice to declare > >>stuff in web.xml in a standardized way -- and that > >>perhaps it might make > >>Servlets a *little* more portable if you wanted to > >>use them among > >>different apps). But then again, I haven't had to > >>take on a project yet > >>where the environment was extremely complicated, > >>when it came to how > >>users and permissions were managed (typically I see > >>the same tried and > >>trusted setup -- USER, GROUP, ROLES and PERMISSIONS > >>tables in some > >>central database, and some hand-rolled Java > >>component, used to authorize > >>the current request, that is invoked in some > >>"common" area, such as a > >>Servlet Filter -- or, in Struts, a base Action class > >>or a custom > >>RequestProcessor). It seems like JAAS is still at an > >>immature stage > >>perhaps, or at least the state of documenation about > >>it is. > >> > >>The other route it seems you could go is to use a > >>container-managed > >>login as you suggest, and enjoy using the methods > >>such as > >>request.isUserInRole instead of invoking security > >>methods on a > >>hand-rolled component, but I think you will have to > >>give up the > >>JBoss/Tomcat stack to do this for now (someone > >>please correct me if I am > >>wrong), because I think there is a security > >>integration problem there, > >>as I described earlier. I'm guessing Tomcat as stand > >>alone might be a > >>good way to go though. I have not done this and > >>couldn't say whether it > >>is "common and usual". > >> > >>I have tried to write my role-checking methods so > >>that in the future if > >>I port an application to JAAS I can just refactor > >>them to invoke the > >>standard methods instead of my own. But like I say, > >>I'm far from an > >>expert in this area. > >> > >>Hope that helps, > >> > >>Erik > >> > >>Leandro Melo wrote: > >> > >> > >> > >>>So Erik, is it a common and usual aproach to do > >>> > >>> > >>login > >> > >> > >>>outside of Struts (ordinary jsps), and then use > >>> > >>> > >>Struts > >> > >> > >>>afterwards??? > >>> > >>> > >>>--- Erik Weber <[EMAIL PROTECTED]> > >>> > >>> > >>escreveu: > >> > >> > >>> > >>> > >>> > >>> > >>>>Leandro, search the archives of this List for > >>>>"JAAS". I participated in > >>>>a thread about this within the last two months. > >>>> > >>>>I'm not sure if I understand exactly what you want > >>>>to do, but if you > >>>>want to use container-managed security, I don't > >>>> > >>>> > >>know > >> > >> > >>>>of a way to have > >>>>your login screen be part of Struts. As far as I > >>>>know, you have to let > >>>>the container process the request that results > >>>> > >>>> > >>from > >> > >> > >>>>the login screen's > >>>>form submittal (I tried having an Action intercept > >>>>this request and then > >>>>attempt to login with the JBoss JAAS module > >>>> > >>>> > >>manually > >> > >> > >>>>but gave up when I > >>>>realized problem # 2 -- below). > >>>> > >>>>Another problem you are probably going to run into > >>>>is that the JBoss > >>>>security context is not propagated to Tomcat, and > >>>>vice versa, as far as > >>>>I know. So if you authenticate using JBoss JAAS, > >>>>Tomcat won't know about > >>>>it, and the methods such as request.isUserInRole > >>>>aren't going to do you > >>>>any good (although you would presumably be able to > >>>>use the similar > >>>>methods on EJBs, because they are running within > >>>> > >>>> > >>the > >> > >> > >>>>JBoss security > >>>>context). > >>>> > >>>>I found JAAS to be a nightmare, though a couple > >>>>people gave me possible > >>>>solutions to the problems I mentioned in the > >>>> > >>>> > >>thread > >> > >> > >>>>(one would be > >>>>intercepting the login screen request and then > >>>>manually logging in with > >>>>both JBoss JAAS as well as Tomcat JAAS modules -- > >>>>but I don't know if > >>>>this has been done). I presume it's a much easier > >>>>endeavor if you are > >>>>just using Tomcat stand alone, but I'll let Craig > >>>>address that if he > >>>>wants, because I've never tried it. > >>>> > >>>>Erik > >>>> > >>>> > >>>>Leandro Melo wrote: > >>>> > >>>> > >>>> > >>>> > >>>> > >>>>>Or i just extend the DatabaseServerLoginModule > >>>>> > >>>>> > >>>>> > >>>>> > >>>>class > >>>> > >>>> > >>>> > >>>> > >>>>>and leave an empty class???? > >>>>> > >>>>> > >>>>> > >>>>>--- Leandro Melo <[EMAIL PROTECTED]> > >>>>>escreveu: > >>>>> > >>>>> > >>>>> > >>>>> > >>>>> > >>>>> > >>>>>>Just complementing my question... > >>>>>> > >>>>>>Would it be fair if i copy JBoss' > >>>>>>DatabaseServerLoginModule code and place it > >>>>>> > >>>>>> > >>inside > >> > >> > >>>>>>an > >>>>>>Action??? > >>>>>> > >>>>>>This way, i'll have an Action (for example, > >>>>>>MyLoginAction) that does exactly what > >>>>>>DatabaseServerLoginModule does. > >>>>>> > >>>>>> > >>>>>> > >>>>>>--- Leandro Melo <[EMAIL PROTECTED]> > >>>>>>escreveu: > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>>>Please help me out here! > >>>>>>>I'm very new with jaas, so i need some help. > >>>>>>> > >>>>>>>I got a simple login that is working fine for > >>>>>>> > >>>>>>> > >>me, > >> > >> > >>>>>>>here > >>>>>>>it is: > >>>>>>> > >>>>>>>... > >>>>>>><FORM action='<%= > >>>>>>>response.encodeURL("j_security_check")%>' > >>>>>>> method="get"> > >>>>>>> <!-- esses nomes tem q ser assim -> >>>>>>>j_username >>>>>>>--> > >>>>>>> NOME:<INPUT type="text" name="j_username" > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>/> > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>>> > >>>>>>> <!-- tem q ser j_password --> > >>>>>>> SENHA: <INPUT type="password" > >>>>>>>name="j_password" > >>>>>>>/> > >>>>>>> <INPUT type="submit" value="Login" /> > >>>>>>> > >>>>>>> > >=== message truncated === > > > > > > > > > > > >_______________________________________________________ > >Yahoo! Acesso Grátis - navegue de graça com conexão de qualidade! > >http://br.acesso.yahoo.com/ > > > >--------------------------------------------------------------------- > >To unsubscribe, e-mail: [EMAIL PROTECTED] > >For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > > _____________________________________________________________________________ > Scanned for SoftLanding Systems, Inc. by IBM Email Security > Management Services powered by MessageLabs. > _____________________________________________________________________________ _____________________________________________________________________________ Scanned for SoftLanding Systems, Inc. by IBM Email Security Management Services powered by MessageLabs. _____________________________________________________________________________ --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
