struts-user mailing list archives

From "Yanni Tan" <>
Subject RE: about security
Date Mon, 14 Jul 2008 13:25:31 GMT

I am new to web development, but I like the concept of this answer. Could you explain
more about how to set up/configure the interceptor? I.e., how do you hook up your interceptor method
with the server? Thanks!

-----Original Message-----
From: Struts Two []
Sent: Friday, July 11, 2008 9:32 AM
To: Struts Users Mailing List
Subject: Re: about security

Here are my thoughts (based on my experience with WebSphere, but I hope they can be generalized):
1- Using the session for users' authentication is not a very good idea, esp. if there is a chance
that they may have multiple browsers or tabs open at the same time. There is a great chance
of session mix-ups. However, if you are, for some reason or another, pressed to use the HTTP
session, make sure that you use URL rewriting instead of cookies for session tracking (WebSphere
also allows a third way, using SSL IDs for this purpose, if you use SSL). To do so you do not
need to change your code, you need to change container settings.
2- Applying security using JAAS or a realm is a web-container setting, not Struts 2. You need
to do two things:
    a) Enable the security of your container (server) to use a registry for authentication
(LDAP, OS, ...). Note that some servers like WebSphere allow you to extend its capability
        to use a custom registry (say a database for this purpose).
    b) Change your web.xml and application.xml (add security constraints and roles and ...).
Once that is done, it does not matter whether you use Struts 2 or Struts 1 or any other framework. At login
(first access) users get challenged.
In my case, to avoid using the session for authentication, I am using an interceptor to retrieve
the user role and other information on each request. Note that once a user is logged in (assuming
you use single sign-on), users' credentials (login name) are cached by the server and at each
request you can retrieve it using request.getRemoteUser(). So you can get rid of the session by paying
a very slight overhead of retrieving all necessary information at each request using an interceptor.
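The following is an added illustration of the approach described in the reply above; it is not code from either poster. It assumes a Struts 2.0.x classpath (xwork2 `AbstractInterceptor`, `ServletActionContext`), a container that has already authenticated the user through a `<security-constraint>` in web.xml, and hypothetical role names (`admin`, `executive`, `branchhead`) and a hypothetical `UserAware` interface for handing the identity to the action. The struts.xml registration and web.xml constraint shown in the comments are likewise constructed for the example.

```java
import javax.servlet.http.HttpServletRequest;

import org.apache.struts2.ServletActionContext;

import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/**
 * Added example, not from the thread: an interceptor that re-reads the
 * container-authenticated principal on every request instead of trusting a
 * user name stored in the HttpSession. Because nothing identity-related is
 * kept in the session, two browsers or tabs cannot "mix up" users.
 */
public class ContainerUserInterceptor extends AbstractInterceptor {

    // Hypothetical role names; they must match the <security-role> entries in web.xml.
    private static final String[] KNOWN_ROLES = {"admin", "executive", "branchhead"};

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest request = ServletActionContext.getRequest();

        // Set by the container only after a successful JAAS/realm login
        // (BASIC, FORM, client-cert or SSO). It is null for anonymous requests.
        String remoteUser = request.getRemoteUser();
        if (remoteUser == null) {
            // Defence in depth: the <security-constraint> should already have
            // challenged the user, but never run an action for an anonymous principal.
            return "login";
        }

        // Ask the container which of the known roles the principal holds.
        // The role comes from the registry (LDAP, OS, database), never from the client.
        String role = null;
        for (String candidate : KNOWN_ROLES) {
            if (request.isUserInRole(candidate)) {
                role = candidate;
                break;
            }
        }

        // Publish the per-request identity through the ActionContext so the
        // action (and JSPs via OGNL) can read it for this request only.
        invocation.getInvocationContext().put("currentUser", remoteUser);
        invocation.getInvocationContext().put("currentRole", role);

        // Optionally push it straight into actions that ask for it.
        Object action = invocation.getAction();
        if (action instanceof UserAware) {
            ((UserAware) action).setCurrentUser(remoteUser, role);
        }
        return invocation.invoke();
    }
}

/** Hypothetical marker interface an action implements to receive the identity. */
interface UserAware {
    void setCurrentUser(String user, String role);
}

/*
 * Hooking the interceptor up (constructed for this example):
 *
 * struts.xml - register it and put it in front of the default stack:
 *
 *   <package name="secure" extends="struts-default">
 *     <interceptors>
 *       <interceptor name="containerUser" class="ContainerUserInterceptor"/>
 *       <interceptor-stack name="secureStack">
 *         <interceptor-ref name="containerUser"/>
 *         <interceptor-ref name="defaultStack"/>
 *       </interceptor-stack>
 *     </interceptors>
 *     <default-interceptor-ref name="secureStack"/>
 *     <global-results>
 *       <result name="login" type="redirect">/login.jsp</result>
 *     </global-results>
 *   </package>
 *
 * web.xml - make the container challenge users before Struts ever sees the request:
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>app</web-resource-name>
 *       <url-pattern>/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint>
 *       <role-name>admin</role-name>
 *       <role-name>executive</role-name>
 *       <role-name>branchhead</role-name>
 *     </auth-constraint>
 *   </security-constraint>
 *   <login-config><auth-method>FORM</auth-method></login-config>
 *   <security-role><role-name>admin</role-name></security-role>
 *   <!-- one <security-role> per role above -->
 */
```

The interceptor deliberately calls `getRemoteUser()` and `isUserInRole()` on every request rather than caching the answer: the container is the source of truth for who is logged in, so a revoked user or changed role takes effect on the next request, and there is no session attribute left over for another tab to read.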

----- Original Message ----
From: hns <>
Sent: Friday, July 11, 2008 8:17:54 AM
Subject: about security

I have successfully converted and deployed a Struts 2.0.11 application to
but still have some security questions because I have less knowledge of JAAS,
realms or role-based security.

I have done authentication using a query fired at the database for user name and
password. When the user is authenticated
I have stored his user name and user id and user type
(admin, executive, branch head) in the session.

1. Users can log in from different nodes or different browsers with the same user name;
how to solve it?

2. How can I apply a realm or JAAS in Struts 2.0.11?

Please help me, I am waiting for a favorable reply.
