>From: "James Reynolds" <[EMAIL PROTECTED]>
>
> Thank you Craig, that's very helpful to understand.
>
> There are two things I was hoping to accomplish with Container Managed
> Security.
>
> 1. Ensuring that a user is logged in before serving up protected pages.
> I believe this is handled easily by using a Servlet Filter to check for
> a required session object (like username), similar to the example
> provided by Kito Mann in JSF in Action.
>
> 2. Protecting certain parts of the site based on a user's role. This is
> where I'm having difficulty. Among Shale/JSF programmers, is there a
> popular/best practice for implementing this requirement?
>

If you are using J2EE container managed security, why not use the standard declarative security constraint on a url-pattern? You then assign roles to the constraint and to groups and/or users.

Gary

> Any advice would be appreciated.
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig
> McClanahan
> Sent: Friday, March 03, 2006 4:52 PM
> To: Struts Users Mailing List
> Subject: Re: Shale & Container Managed Security
>
> On 3/3/06, James Reynolds wrote:
> >
> > Allow me to refine my question. I'm wondering if the Shale filter is
> > intercepting requests to the container. Do I need to adjust the
> > filter mapping? Is there an FM somewhere that I should R?
>
>
> Shale's filters do indeed intercept whatever requests it is mapped to,
> but there are two important things to understand with respect to
> container managed security:
>
> * Container managed security is applied *before* any filters
>   (including the one that Shale provides).
>
> * Container managed security is applied *only* on the
>   initial request, not on RequestDispatcher.forward() calls.
>   In JSF (and therefore Shale) apps, that means you can
>   protect the incoming form submits (they will be mapped
>   to something like "/editCustomer.jsf" if you are using
>   extension mapping, and the page being submitted was
>   "/editCustomer.jsp").
>
> The second issue means that it is your application's responsibility to
> decide whether or not the user should be allowed to navigate to a
> particular page. Container managed security won't help you there. That
> being said, it might be interesting for Shale to deliver a custom JSF
> navigation handler that would optionally impose that sort of control
> ("only a manager can navigate to the salary details page").
>
> Craig
>
> > -----Original Message-----
> > From: James Reynolds [mailto:[EMAIL PROTECTED]
> > Sent: Friday, March 03, 2006 3:02 PM
> > To: Struts Users Mailing List
> > Subject: Shale & Container Managed Security
> >
> >
> > I'm a newbie setting up container managed security for a basic
> > Shale-blank application. For my first attempt, I'm trying a simple
> > BASIC authentication but I'm having troubles so I'm trying to rule out
> > the unknowns.
> >
> > My question for this list is, does Shale have an impact on traditional
> > Container Managed Security Methods?
> >
> > Thanks
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
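
Added example, not part of the original thread or of Shale: a WEB-INF/web.xml fragment showing the declarative constraint Gary describes, written against the request URL that Craig says the container actually checks. The role name "manager", the realm name and the resource names are assumptions; the two paths are the ones quoted in Craig's message.

```xml
<!-- Fragment of WEB-INF/web.xml (Servlet 2.4 element order).
     Role, realm and resource names below are assumed for illustration. -->

<!-- Role-based protection: the pattern must match the URL the browser
     requests ("/editCustomer.jsf" under extension mapping), because the
     constraint is evaluated on the initial request only. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Customer editing</web-resource-name>
    <url-pattern>/editCustomer.jsf</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>
  </auth-constraint>
</security-constraint>

<!-- The constraint above does not cover a direct browser request for the
     underlying JSP. An empty auth-constraint denies all direct access to
     it; RequestDispatcher.forward() from the JSF servlet is not subject to
     constraints, so rendering still works. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Raw JSP</web-resource-name>
    <url-pattern>/editCustomer.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

<!-- BASIC authentication, as in the original question. -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Example Realm</realm-name>
</login-config>

<!-- Every role named in an auth-constraint is declared here; the container
     maps it to users and groups in its own realm configuration. -->
<security-role>
  <role-name>manager</role-name>
</security-role>
```

Navigation that reaches a page by forward from a different, unprotected URL is still not checked by the container, which is the gap Craig's message leaves to the application.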