struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Troy Hart <>
Subject Re: Security Best-Practices?
Date Tue, 22 Oct 2002 20:07:54 GMT
You can use the same database for CMA and user profile storage, if your
container supports JAAS authentication. All you need to do is write a
LoginModule (see JAAS docs on sun's site) that accesses the user profile
database. When your LoginModule is accessed to login a user it will need
to create a Subject that contains a single "user" Principal who's name
is the id/name of the user in the database. The type of the "user"
Principal must be consistent with what your container expects in order
to implement the HttpServletRequest method:


Your Subject can also contain multiple "group" principals and other
arbitrary principals. You need to understand the requirements of your
container in this regard, and understand JAAS authorization in general.

My current project is targeted at weblogic 7, so I had to implement one
of their security service provider apis in addition to the LoginModule,
but it works great. When I need to access a user profile object in order
to get an address, or a credit card number, or whatever...I lookup a
user profile for the id returned by:


You obviously need to fill in the gaps here. I have only provided a high
level view of the solution. For example, I haven't mentioned anything
about what you would use to "lookup a user profile". You would NOT use
your LoginModule for this purpose. In my solution my LoginModule uses a
UserProfileStore object that abstracts access to a store of user profile
information. I use this same UserProfileStore from a struts action when
I need to associate a UserProfile object with an HttpSession.

I think this is a pretty clean solution. Hopefully I will have given you
some helpful information.

Good Luck,


On Tue, 2002-10-22 at 12:14, Adam Sherman wrote:
> Taylor, Jason wrote:
> > Search the mail archive for container-managed authentication (CMA).  There
> > was a lot of discussion on the subject a week or two ago.  Craig McClanahan
> > has posted some good rants on the subject...
> Good reading, thanks.
> I'm thinking that I will have to implement an application-specific user 
> database, and create a new entry in it for every new authenticated user 
> that comes down from the container. Kinda hackish, but I don't see 
> another way.
> That, or use SecurityFilter (, 
> then move to CMA if I have to.
> Thanks,
> A.
> -- 
> Adam Sherman
> Software Developer
> Teach and Travel Inc.
> +1.613.241.3103
> --
> To unsubscribe, e-mail:   <>
> For additional commands, e-mail: <>

To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message