incubator-jspwiki-dev mailing list archives

From "Harry Metske" <harry.met...@gmail.com>
Subject Re: Relevant Stripes patch
Date Fri, 19 Dec 2008 21:26:58 GMT
yes yes I know, it's a niche market :-), by many people called legacy.
My definition of legacy being "something that works".

 (http://en.wikipedia.org/wiki/RACF)



2008/12/19 Andrew Jaquith <andrew.r.jaquith@gmail.com>

> RACF?!? Most impressive...
> Glad the hint helped. :)
>
> On Fri, Dec 19, 2008 at 4:13 PM, Harry Metske <harry.metske@gmail.com> wrote:
>
> > Andrew,
> >
> > I forgot to follow up on this, sorry.
> > I implemented a Stripes interceptor (based on the sample provided on the
> > Stripes website).
> > Works like a charm, together with a JAAS login module (authentication
> > against RACF) and a basic login.jsp the problem is now solved elegantly.
> >
> > thanks for the hint.
> >
> > regards,
> > Harry
> >
> > 2008/11/27 Harry Metske <harry.metske@gmail.com>
> >
> > > yes I have read about that but wasn't sure if it would help me.
> > > the important thing you say here is "forward the user as needed to a
> > > login or "unauthorized" page if the role check fails" with the emphasis on
> > > login page.
> > > So if I understand it correctly, users that don't have an account should
> > > still be able to use the "Read functions" that way.
> > >
> > > I'll have a look at it and see if I can make it work, thanks for the help!
> > >
> > > regards,
> > > Harry
> > >
> > > 2008/11/27 Andrew Jaquith <andrew.jaquith@me.com>
> > >
> > >> I am not sure if this will be possible, but it seems to me that you should
> > >> not have to use multiple URLs for the scenario you described.
> > >>
> > >> For role-based access to particular ActionBean methods, I recommend
> > >> annotating the handler methods (read, edit etc) with annotations that denote
> > >> the roles that are allowed to execute them. Then, you would provide an
> > >> Interceptor implementation that fires after event resolution but before
> > >> validation. The Interceptor's job would be to make the authorization
> > >> decision and forward the user as needed to a login or "unauthorized" page if
> > >> the role check fails.
> > >>
> > >> This is actually a pretty simple and elegant approach because you don't
> > >> need to modify ActionBeans, or use separate URL schemes, to do it. This
> > >> Interceptor-based approach is the strategy JSPWiki 3 takes.
> > >>
> > >> There is a community-developed SecurityInterceptor floating around on the
> > >> Stripes site somewhere. You should take a look at that first.
> > >>
> > >> Regards,
> > >>
> > >> Andrew
> > >>
> > >>
> > >> On Nov 26, 2008, at 16:01, Harry Metske <harry.metske@gmail.com> wrote:
> > >>
> > >>  Andrew,
> > >>>
> > >>> will it then be possible to have more than one URL bound to the same
> > >>> ActionBean ?
> > >>> I ask because I currently work on a simple Stripes based CRUD application,
> > >>> and I'm using the same ActionBean for all actions (Create, Read, Update,
> > >>> Delete).
> > >>> I want read to be publicly available, but the others should be J2EE
> > >>> protected with a security-constraint.
> > >>> So would it be possible to have 2 URLs , like :
> > >>> /nonpub/MyActionBean
> > >>> /pub/MyActionBean
> > >>> Where only the first one is protected.
> > >>> Of course, there is some additional security checking required in the
> > >>> ActionBean.
> > >>>
> > >>> regards,
> > >>> Harry
> > >>>
> > >>> 2008/11/26 Andrew Jaquith <andrew.jaquith@me.com>
> > >>>
> > >>>  FYI --
> > >>>>
> > >>>> Ben Gunter @ the Stripes project just committed a new enhancement that I'd
> > >>>> requested in August, namely the ability to create ActionBean URLBindings
> > >>>> from arbitrary String patterns. It will ship in 1.5.1.
> > >>>>
> > >>>> This is excellent news because it makes it possible for third parties (like
> > >>>> us) to fairly easily create, for example, URLBinding patterns that are read
> > >>>> from text files. This gives us an option for binding URLs to ActionBeans
> > >>>> other than the default method, which is to get them from class annotations.
> > >>>> My intent is to create a FileActionResolver to do this, at a slightly later
> > >>>> point in the 3.0 dev cycle.
> > >>>>
> > >>>> For the Americans on this list -- happy Thanksgiving.
> > >>>>
> > >>>> Andrew
> > >>>>
> > >>>>
> > >>
> > >
> >
>
