struts-user mailing list archives

From Adam Hardy <ahardy.str...@cyberspaceroad.com>
Subject Re: Securing Struts - Which is my best option
Date Fri, 13 Feb 2004 10:40:50 GMT
Joanne,
Struts can be used to implement security easily using the 'roles=' 
attribute on the action mappings in your struts-config. This allows you 
to specify which roles can access an action or not. This depends on use 
of container-managed security, but I think that the SecurityFilter 
plugin is able to emulate that. I don't have any experience with 
SecurityFilter.

You can also use ssl-ext (or sslext?) to map your action URLs to http or 
https.

Container-managed security takes away a lot of the development work too 
of course. Specifying in the web.xml which URLs should be protected is 
about all you need to do, along with setting up the login realm.

HTH
Adam

On 02/12/2004 01:36 PM Joanne L Corless wrote:
> Hi,
> 
> I know this topic has been discussed before but I've looked at all the
> previous posts and can't find anything to answer my problem
> 
> I have a Struts app that is designed to use a database user with very
> limited rights pre-login and then post login it is designed to use the
> user's own view.
> 
> I want to secure the app so that any erroneous requests are directed
> straight to the login page - I've looked at the Sourceforge SecurityFilter
> and it fits about 75% of my requirements. The main problem is that both pre
> and post login there are lots of environment variables to set up for
> presentation etc.
> 
> Currently (in the unsecured app) the flow works as such
> 
> index.jsp -forwards->
>              /initialise.do  -loads default settings->
>                          .login_layout_tiles  -on submit -> /loginaction.do
> (if successful login) -loads user specific settings-> .user_layout_tile
> 
> This works fine but is obviously not secure - How basically do I combine
> Struts and the security filter so that I can get the best of both worlds?
> 
> I'm happy with the SecurityFilter implementation - I've got a basic version
> working with my backend db; it's adding in Struts that's causing the headache
> at the moment
> 
> Regards
> Joanne Corless
> 


-- 
struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian
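
The two pieces of configuration the reply above describes, as an added example that is not part of the original message: a web.xml security constraint with a form login, and a struts-config action mapping restricted with the roles attribute. The role names, URL pattern, JSP paths, realm name and com.example action classes are assumptions; /initialise and .user_layout_tile are borrowed from the quoted flow.

```xml
<!-- WEB-INF/web.xml (fragment): container-managed security.
     The container intercepts any request matching the url-pattern and
     sends unauthenticated users to the login page before Struts runs.
     Role names, paths and realm name are assumptions for this example. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected actions</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>example-realm</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role><role-name>user</role-name></security-role>
<security-role><role-name>admin</role-name></security-role>

<!-- WEB-INF/struts-config.xml (fragment): per-action role check.
     Struts tests request.isUserInRole() for each name in roles= and
     rejects the request if none match. Constraints in web.xml apply to
     the URL the client requested, not to internal forwards, so roles=
     keeps an action protected however it is reached. -->
<action-mappings>
  <!-- Pre-login action: no roles attribute, open to everyone. -->
  <action path="/initialise" type="com.example.InitialiseAction"/>

  <!-- Post-login action: caller must hold "user" or "admin". -->
  <action path="/secure/userHome"
          type="com.example.UserHomeAction"
          roles="user,admin">
    <forward name="success" path=".user_layout_tile"/>
  </action>
</action-mappings>
```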

