struts-user mailing list archives

From "David Graham" <dgraham1...@hotmail.com>
Subject RE: Security and Struts
Date Tue, 30 Jul 2002 22:03:22 GMT
I've done it by using a custom tag on all the secured pages that checks the 
login but this isn't ideal.  I could forget to put the tag in and I have to 
do it for every page.

If you let struts do it then you can't let people go to .jsp pages directly 
and I find this irritating at best.

Should you only use struts for the webforms and not for public display 
pages?  I've always been a bit confused by this.  It seems that struts was 
designed for the forms stuff but not necessarily to sit in front of your 
whole app.

Thanks,
Dave

>I tend to think the action is the wrong place for this sort of thing. I
>could be wrong but that's just how it occurs to me. It seems that this
>should either be handled in front of your web application (using
>cma/filters) or by the front controller components in the struts
>framework (NOTE: requests that do not map to the controller servlet,
>like requests directly to a jsp page, will not invoke your request
>processing logic).
>
>Struts also helps you along here. It provides a way for you to
>*declare*, along with each action mapping (in struts-config.xml), a
>specific set of roles that have access to the given action. Then, the
>RequestProcessor defines the method processRoles() that you are free to
>override, but by default it will invoke:
>
>request.isUserInRole(someRole)
>
>for each role declared in the action mapping. If the user is found to be
>included in any of the roles then processRoles() returns true, otherwise
>it returns false. True is also returned in the case where no roles are
>declared on the action mapping. Check out the struts source for more
>detail...
>
>Unless you use the cma/filters approach (and I haven't, so I don't know
>what the issues are there), there will still be some details for you to
>work out with respect to getting an authenticated user into the session.
>This could be handled in a number of different ways. One that occurs to
>me, off the top of my head, would be to wire a login page into the page
>that is forwarded when processRoles() returns false...
>
>There may be some mis-truths in what I have said here, I am currently
>working through some of this stuff, but in general I think the idea is
>sound. Certainly having declarative security is something that you
>should strive for...
>
>If anyone has feedback on what I've said here, I would love to hear it!
>
>Thanks & Good Luck,
>
>Troy
>
>
>On Tue, 2002-07-30 at 12:59, Nelson, Tracy (ETW) wrote:
> > I'd have each form check authorization.  That way, if someone bookmarks a
> > page (or guesses its URL) they won't bypass your security scheme.  You could
> > have a global exception set up in your configuration file that forwards to
> > an "Access denied" page whenever one of your forms threw a UserNotAuthorized
> > exception.  (NOTE: I am just learning Struts and haven't even written my
> > first application using it yet.  I may not know what I am talking about.)
> >
> > Cheers!
> > -- Tracy
> >
> > -----Original Message-----
> > From: Ryan Cuprak [mailto:cuprakr@earthlink.net]
> > Sent: Tuesday, July 30, 2002 11:53
> > To: struts-user@jakarta.apache.org
> > Subject: Security and Struts
> >
> >
> >
> > Hello,
> >  I was hoping someone would have some advice on securing a website using
> > struts. I am developing a webapp that has to be secure (password protected)
> > and which restricts access to different parts of the site depending on the
> > roles a user possesses. The roles each user has are stored as XML in a
> > database and may be configured by an administrator. Does struts have any
> > built-in security capabilities that I could take advantage of?
> >
> >
> >  Any help/pointers would be much appreciated!
> >
> >  My first guess would be to put all jsp pages in WEB-INF (use only
> > ForwardAction to get to each page) and subclass ActionServlet with the logic
> > for checking authentication etc. However, will this cause any problems when it
> > comes to a user bookmarking a page?
> >
> > Thanks,
> > -Ryan Cuprak
> >
> >
> >
> > --
> > To unsubscribe, e-mail:
> > <mailto:struts-user-unsubscribe@jakarta.apache.org>
> > For additional commands, e-mail:
> > <mailto:struts-user-help@jakarta.apache.org>
> >
> >
> >
> >
>
>
>
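An added example, not code from this thread or from the Struts project, showing the declarative role check Troy describes: roles are listed on the action mapping in struts-config.xml, and a RequestProcessor subclass overrides processRoles() so that an unauthenticated user is sent to a login page (the "wire a login page in" idea above) while an authenticated user lacking every declared role gets a 403. The class name com.example.web.SecureRequestProcessor, the action paths, the role names and the /WEB-INF/jsp/login.jsp location are assumptions. The check relies on request.getUserPrincipal() and request.isUserInRole(), which only carry meaningful values when the servlet container performs the authentication (the cma/filters approach mentioned in the thread); an application that authenticates on its own would have to consult its own session state here instead. Placing the JSPs below WEB-INF, as Ryan suggests, complements this: such pages cannot be requested directly by URL, so every page request passes through an action mapping and therefore through processRoles(), which removes the "forgot the custom tag on one page" failure mode Dave mentions.

```java
// Added example (not from the thread or the Struts project).
//
// Assumed struts-config.xml fragment:
//
//   <action path="/admin/users" type="com.example.web.UserAdminAction"
//           roles="admin" forward="/WEB-INF/jsp/admin/users.jsp"/>
//   <action path="/report"     type="com.example.web.ReportAction"
//           roles="admin,editor" forward="/WEB-INF/jsp/report.jsp"/>
//   <controller processorClass="com.example.web.SecureRequestProcessor"/>
package com.example.web;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

public class SecureRequestProcessor extends RequestProcessor {

    /** Login page stored below WEB-INF so it is reachable only by forward (assumed path). */
    private static final String LOGIN_PAGE = "/WEB-INF/jsp/login.jsp";

    /**
     * Called by the Struts controller for every request that maps to an
     * action. Returning false stops processing; nothing further is invoked.
     */
    protected boolean processRoles(HttpServletRequest request,
                                   HttpServletResponse response,
                                   ActionMapping mapping)
            throws IOException, ServletException {

        String[] roles = mapping.getRoleNames(); // from the roles="..." attribute

        // Same default as the stock RequestProcessor: a mapping that declares
        // no roles is open to everyone. When auditing struts-config.xml,
        // remember that an action without a roles attribute is public.
        if (roles == null || roles.length == 0) {
            return true;
        }

        // Not authenticated at all: forward to the login page instead of
        // answering with a bare 403. A server-side forward may target a
        // resource under WEB-INF even though a browser cannot request it.
        if (request.getUserPrincipal() == null) {
            doForward(LOGIN_PAGE, request, response);
            return false;
        }

        // Authenticated: allow if the container says the user holds ANY of
        // the declared roles (same OR semantics as the default implementation).
        for (int i = 0; i < roles.length; i++) {
            if (request.isUserInRole(roles[i])) {
                return true;
            }
        }

        // Authenticated but not authorized for this particular action.
        response.sendError(HttpServletResponse.SC_FORBIDDEN,
                           "Not authorized for " + mapping.getPath());
        return false;
    }
}
```

With this in place the authorization decision lives in one class plus the roles attributes, so a new page cannot be added without either declaring its roles or visibly leaving the attribute off, which is easy to spot in a review of struts-config.xml.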



