incubator-jspwiki-dev mailing list archives

From "Andrew Jaquith" <andrew.r.jaqu...@gmail.com>
Subject Re: Relevant Stripes patch
Date Fri, 19 Dec 2008 21:16:16 GMT
RACF?!? Most impressive...
Glad the hint helped. :)

On Fri, Dec 19, 2008 at 4:13 PM, Harry Metske <harry.metske@gmail.com> wrote:

> Andrew,
>
> I forgot to follow up on this, sorry.
> I implemented a Stripes interceptor (based on the sample provided on the
> Stripes website).
> Works like a charm, together with a Jaas login module (authentication
> against RACF) and a basic login.jsp the problem is now solved elegantly.
>
> thanks for the hint.
>
> regards,
> Harry
>
> 2008/11/27 Harry Metske <harry.metske@gmail.com>
>
> > yes I have read about that but wasn't sure if it would help me.
> > the important point thing you say here is "forward the user as needed to a
> > login or "unauthorized" page if the role check fails" with the emphasis on
> > login page.
> > So if I understand it correctly, users that don't have an account should
> > still be able to use the "Read functions" that way.
> >
> > I'll have a look at it and see if I can make it work, thanks for the help!
> >
> > regards,
> > Harry
> >
> > 2008/11/27 Andrew Jaquith <andrew.jaquith@me.com>
> >
> >> I am not sure if this will be possible, but it seems to me that you should
> >> not have to use multiple URLs for the scenario you described.
> >>
> >> For role-based access to particular ActionBean methods, I recommend
> >> annotating the handler methods (read, edit etc) with annotations that denote
> >> the roles that are allowed to execute them. Then, you would provide an
> >> Interceptor implementation that fires after event resolution but before
> >> validation. The Interceptor's job would be to make the authorization
> >> decision and forward the user as needed to a login or "unauthorized" page if
> >> the role check fails.
> >>
> >> This is actually a pretty simple and elegant approach because you don't
> >> need to modify ActionBeans, or use separate URL schemes, to do it. This
> >> Interceptor-based approach is the strategy JSPWiki 3 takes.
> >>
> >> There is a community-developed SecurityInterceptor floating around on the
> >> Stripes site somewhere. You should take a look at that first.
> >>
> >> Regards,
> >>
> >> Andrew
> >>
> >>
> >> On Nov 26, 2008, at 16:01, Harry Metske <harry.metske@gmail.com> wrote:
> >>
> >>> Andrew,
> >>>
> >>> will it then be possible to have more than one URL bound to the same
> >>> ActionBean ?
> >>> I ask because I currently work on a simple Stripes based CRUD
> >>> application,
> >>> and I'm using the same ActionBean for all actions (Create, Read, Update,
> >>> Delete).
> >>> I want read to be publicly available, but the others should be J2EE
> >>> protected with a security-constraint.
> >>> So would it be possible to have 2 URLs , like :
> >>> /nonpub/MyActionBean
> >>> /pub/MyActionBean
> >>> Where only the first one is protected.
> >>> Of course, there is some additional security checking required in the
> >>> ActionBean.
> >>>
> >>> regards,
> >>> Harry
> >>>
> >>> 2008/11/26 Andrew Jaquith <andrew.jaquith@me.com>
> >>>
> >>>> FYI --
> >>>>
> >>>> Ben Gunter @ the Stripes project just committed a new enhancement that I'd
> >>>> requested in August, namely the ability to create ActionBean URLBindings
> >>>> from arbitrary String patterns. It will ship in 1.5.1.
> >>>>
> >>>> This is excellent news because it makes it possible for third parties (like
> >>>> us) to fairly easily create, for example, URLBinding patterns that are read
> >>>> from text files. This gives us an option for binding URLs to ActionBeans
> >>>> other than the default method, which is to get them from class annotations.
> >>>> My intent is to create a FileActionResolver to do this, at a slightly later
> >>>> point in the 3.0 dev cycle.
> >>>>
> >>>> For the Americans on this list -- happy Thanksgiving.
> >>>>
> >>>> Andrew
> >>>>
> >>>>
> >>
> >
>
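
The interceptor approach described in the quoted 2008/11/27 message, sketched as an added example: it is not part of the thread and is not JSPWiki's code or the community SecurityInterceptor mentioned above. The `AllowedRoles` annotation and the `/login.jsp` path are assumptions made for illustration; the Stripes 1.5 and Servlet API calls are real.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.sourceforge.stripes.action.*;
import net.sourceforge.stripes.controller.*;

// Intercepting HandlerResolution and checking after proceed() means the event
// handler is already known, but binding and validation have not run yet.
@Intercepts(LifecycleStage.HandlerResolution)
public class RoleInterceptor implements Interceptor {

    // Hypothetical annotation: container roles allowed to run a handler method,
    // e.g. @AllowedRoles({"editor"}) on the create/update/delete handlers.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    public @interface AllowedRoles { String[] value(); }

    public Resolution intercept(ExecutionContext ctx) throws Exception {
        Resolution resolution = ctx.proceed();   // let Stripes resolve the handler
        Method handler = ctx.getHandler();
        if (handler == null) {
            return resolution;                   // nothing resolved; Stripes reports it
        }
        AllowedRoles allowed = handler.getAnnotation(AllowedRoles.class);
        if (allowed == null) {
            return resolution;                   // unannotated handler (e.g. read) is public
        }
        HttpServletRequest req = ctx.getActionBeanContext().getRequest();
        if (req.getUserPrincipal() == null) {
            // Anonymous user on a protected event: send to the login page
            // (assumed path) instead of failing outright.
            return new RedirectResolution("/login.jsp");
        }
        for (String role : allowed.value()) {
            if (req.isUserInRole(role)) {
                return resolution;               // authenticated and authorized
            }
        }
        // Authenticated but lacking every listed role.
        return new ErrorResolution(HttpServletResponse.SC_FORBIDDEN);
    }
}
```

Treating unannotated handlers as public matches the public-read scenario in the thread but fails open: a new handler added without the annotation is reachable by anyone, so a stricter variant would deny unannotated handlers and mark public ones explicitly.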
