Now I get it completely (I'm still getting up to speed on a lot of this). Thanks!
-----Original Message-----
From: Gary VanMatre [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 07, 2006 1:26 PM
To: Struts Users Mailing List
Subject: RE: [OT] RE: Shale & Container Managed Security

>From: "James Reynolds" <[EMAIL PROTECTED]>
>
> >If you are using J2EE container managed security, why not use the standard
> >declarative security constraint on a url-pattern? You then assign roles
> >to the constraint and to groups and/or users.
> >
> >Gary
>
> Thanks Gary,
>
> Maybe I'm misunderstanding Craig's response (below). Perhaps he is
> referring to page-by-page control, while you are referring to a url
> pattern that encompasses all contents of a folder (/members_only/*).
> Is that the subtle difference here?
>

Oh, right. I guess you would also have to use "redirects" instead of
"forwards" for navigation since the forwards are trusted.

<navigation-case>
    <from-outcome>viewSalary</from-outcome>
    <to-view-id>/secured/viewSalary.faces</to-view-id>
    <redirect/>
</navigation-case>

You could also add programmatic checks in your "action" methods to return
outcomes based on security.

Gary

> > Shale's filters do indeed intercept whatever requests it is mapped to,
> > but there are two important things to understand with respect to
> > container managed security:
> >
> > * Container managed security is applied *before* any filters
> >   (including the one that Shale provides).
> >
> > * Container managed security is applied *only* on the
> >   initial request, not on RequestDispatcher.forward() calls.
> >   In JSF (and therefore Shale) apps, that means you can
> >   protect the incoming form submits (they will be mapped
> >   to something like "/editCustomer.jsf" if you are using
> >   extension mapping, and the page being submitted was
> >   "/editCustomer.jsp").
> >
> > The second issue means that it is your application's responsibility to
> > decide whether or not the user should be allowed to navigate to a
> > particular page. Container managed security won't help you there. That
> > being said, it might be interesting for Shale to deliver a custom JSF
> > navigation handler that would optionally impose that sort of control
> > ("only a manager can navigate to the salary details page").
> >
> > Craig
> >
> > -----Original Message-----
> > > From: James Reynolds [mailto:[EMAIL PROTECTED]
> > > Sent: Friday, March 03, 2006 3:02 PM
> > > To: Struts Users Mailing List
> > > Subject: Shale & Container Managed Security
> > >
> > > I'm a newbie setting up container managed security for a basic
> > > Shale-blank application. For my first attempt, I'm trying a simple
> > > BASIC authentication but I'm having troubles so I'm trying to rule out
> > > the unknowns.
> > >
> > > My question for this list is, does Shale have an impact on traditional
> > > Container Managed Security Methods?
> > >
> > > Thanks
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
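
Added example, not part of the original thread and not Shale code: one way to write the navigation handler Craig describes, re-checking the caller's role on each navigation outcome because the container does not re-apply security constraints on forwards. The class name, the outcome-to-role table and the "accessDenied" outcome are assumptions; "viewSalary" is the outcome from Gary's navigation-case.

```java
import java.util.HashMap;
import java.util.Map;
import javax.faces.application.NavigationHandler;
import javax.faces.context.FacesContext;

/**
 * Added example (hypothetical class): decorates the default JSF navigation
 * handler with a role check. Register it in faces-config.xml:
 *
 *   <application>
 *     <navigation-handler>RoleCheckingNavigationHandler</navigation-handler>
 *   </application>
 */
public class RoleCheckingNavigationHandler extends NavigationHandler {

    // Assumed mapping of navigation outcome to the role required to follow it.
    private static final Map<String, String> REQUIRED_ROLE =
            new HashMap<String, String>();
    static {
        REQUIRED_ROLE.put("viewSalary", "manager");
    }

    // Assumed outcome; it needs its own navigation-case pointing at an error page.
    private static final String DENIED_OUTCOME = "accessDenied";

    private final NavigationHandler delegate;

    // JSF passes the previously configured handler to a one-argument constructor.
    public RoleCheckingNavigationHandler(NavigationHandler delegate) {
        this.delegate = delegate;
    }

    @Override
    public void handleNavigation(FacesContext context, String fromAction,
                                 String outcome) {
        String role = (outcome == null) ? null : REQUIRED_ROLE.get(outcome);
        // isUserInRole() is false for unauthenticated callers, so this fails closed.
        if (role != null && !context.getExternalContext().isUserInRole(role)) {
            outcome = DENIED_OUTCOME;
        }
        delegate.handleNavigation(context, fromAction, outcome);
    }
}
```

The declarative url-pattern constraint still covers direct requests to /secured/*; this handler only covers the forward path that the container does not check.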