Date: Fri, 19 Dec 2008 22:26:58 +0100
From: "Harry Metske"
To: jspwiki-dev@incubator.apache.org
Subject: Re: Relevant Stripes patch

yes yes I know, it's a niche market :-), by many people called legacy.
My definition of legacy being "something that works".
(http://en.wikipedia.org/wiki/RACF)

2008/12/19 Andrew Jaquith

> RACF?!? Most impressive...
> Glad the hint helped. :)
>
> On Fri, Dec 19, 2008 at 4:13 PM, Harry Metske wrote:
>
> > Andrew,
> >
> > I forgot to follow up on this, sorry.
> > I implemented a Stripes interceptor (based on the sample provided on the
> > Stripes website).
> > Works like a charm, together with a Jaas login module (authentication
> > against RACF) and a basic login.jsp the problem is now solved elegantly.
> >
> > thanks for the hint.
> >
> > regards,
> > Harry
> >
> > 2008/11/27 Harry Metske
> >
> > > yes I have read about that but wasn't sure if it would help me.
> > > the important point thing you say here is "forward the user as needed to
> > > a login or "unauthorized" page if the role check fails" with the emphasis
> > > on login page.
> > > So if I understand it correctly, users that don't have an account should
> > > still be able to use the "Read functions" that way.
> > >
> > > I'll have a look at it and see if I can make it work, thanks for the help!
> > >
> > > regards,
> > > Harry
> > >
> > > 2008/11/27 Andrew Jaquith
> > >
> > >> I am not sure if this will be possible, but it seems to me that you
> > >> should not have to use multiple URLs for the scenario you described.
> > >>
> > >> For role-based access to particular ActionBean methods, I recommend
> > >> annotating the handler methods (read, edit etc) with annotations that
> > >> denote the roles that are allowed to execute them. Then, you would
> > >> provide an Interceptor implementation that fires after event resolution
> > >> but before validation. The Interceptor's job would be to make the
> > >> authorization decision and forward the user as needed to a login or
> > >> "unauthorized" page if the role check fails.
> > >>
> > >> This is actually a pretty simple and elegant approach because you don't
> > >> need to modify ActionBeans, or use separate URL schemes, to do it. This
> > >> Interceptor-based approach is the strategy JSPWiki 3 takes.
> > >>
> > >> There is a community-developed SecurityInterceptor floating around on
> > >> the Stripes site somewhere. You should take a look at that first.
> > >>
> > >> Regards,
> > >>
> > >> Andrew
> > >>
> > >>
> > >> On Nov 26, 2008, at 16:01, Harry Metske wrote:
> > >>
> > >>> Andrew,
> > >>>
> > >>> will it then be possible to have more than one URL bound to the same
> > >>> ActionBean ?
> > >>> I ask because I currently work on a simple Stripes based CRUD
> > >>> application, and I'm using the same ActionBean for all actions
> > >>> (Create, Read, Update, Delete).
> > >>> I want read to be publicly available, but the others should be J2EE
> > >>> protected with a security-constraint.
> > >>> So would it be possible to have 2 URLs , like :
> > >>> /nonpub/MyActionBean
> > >>> /pub/MyActionBean
> > >>> Where only the first one is protected.
> > >>> Of course, there is some additional security checking required in the
> > >>> ActionBean.
> > >>>
> > >>> regards,
> > >>> Harry
> > >>>
> > >>> 2008/11/26 Andrew Jaquith
> > >>>
> > >>>> FYI --
> > >>>>
> > >>>> Ben Gunter @ the Stripes project just committed a new enhancement
> > >>>> that I'd requested in August, namely the ability to create ActionBean
> > >>>> URLBindings from arbitrary String patterns. It will ship in 1.5.1.
> > >>>>
> > >>>> This is excellent news because it makes it possible for third parties
> > >>>> (like us) to fairly easily create, for example, URLBinding patterns
> > >>>> that are read from text files. This gives us an option for binding
> > >>>> URLs to ActionBeans other than the default method, which is to get
> > >>>> them from class annotations.
> > >>>> My intent is to create a FileActionResolver to do this, at a slightly
> > >>>> later point in the 3.0 dev cycle.
> > >>>>
> > >>>> For the Americans on this list -- happy Thanksgiving.
> > >>>>
> > >>>> Andrew