Phase Web and Multimedia wrote:
> I wanted to offer some code if anyone is interested. I have seen many
> discuss security on archives and wanted to offer an alternative to container
> managed security.
Nice you came up with this problem again, since I remember reading
something about it in the archives, but did not participate in the
threads. :-)
We have a situation a little more complicated here: we need our users to
be propagated to a remote server where we access some session EJBs. From
what I understood from the specs, for this we *need* to use container
managed security, so that the user Principal is propagated to the
sessionContext when we create the remote objects.
(BTW, I haven't tested this, so I do not know if it really works. We are
using Tomcat talking remotely to a Weblogic server. Has someone worked
with this?)
So, I guess that anything outside container managed security is out of
the question for us. What I did is a little ugly, but is working fine:
- Since not all actions are going to be protected, I extended the
ActionMapping class to have two more attributes: one that says if the
mapping needs the user to be logged in, and another identifying which
permission the user needs (this one is optional and based on the way
Weblogic implemented security, which is a little more complex than the
basic user/role thing defined by the servlet spec; anyway, it's not
relevant here).
- I have a base Action class where I check if the user is logged in, in
case the current mapping needs a login. This is done in the perform
method, before anything else is executed.
- If the user is not logged in, I send a redirect to a "login" forward.
The path to this login forward has protected access (declared in the
web.xml file).
- Once the user logs in, the action executed by the "login" forward
redirects the user to the page he wanted to go to in the first place. This
path is stored in the user's session (and is removed after the login is
completed).
It's been working rather nicely with the simple cases I tested. I'm
working on creating a custom realm for Tomcat where I'll be able to
access our remote user database.
The problem is that I'm extending the framework a bit (the "needLogin"
part of the ActionMapping). I've seen people suggesting that something
similar was incorporated into the framework, and I think that'd be a
nice addition.
--
[]'s
Marcelo Vanzin
Touch Tecnologia
vanza@rededc.com.br
"Life is too short to drink cheap beer"
--
To unsubscribe, e-mail: <mailto:struts-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:struts-user-help@jakarta.apache.org>
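The scheme Marcelo describes (an extended ActionMapping carrying a "needLogin" flag, a base Action that checks it before doing anything else, a redirect to a container-protected "login" path, and a redirect back to the originally requested page stored in the session) written out as a worked example. This is added illustration, not Marcelo's code or anything shipped with Struts; it assumes the Struts 1.0 Action.perform() API, and the class names (SecureActionMapping, SecureAction, LoginAction), the session key, the forward names "login" and "home" and the isLocalPath() check are all invented here. How the needLogin attribute gets populated from struts-config.xml (the type attribute on action-mappings plus a matching setter) is likewise assumed and depends on the Struts version in use.

```java
// --- file: SecureActionMapping.java (hypothetical) ---
package example;

import org.apache.struts.action.ActionMapping;

/** ActionMapping with one extra attribute: must the user be logged in? */
public class SecureActionMapping extends ActionMapping {
    private boolean needLogin = false;   // default: mapping is public

    public boolean getNeedLogin() { return needLogin; }
    public void setNeedLogin(boolean needLogin) { this.needLogin = needLogin; }
}

// --- file: SecureAction.java (hypothetical) ---
package example;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Base Action: enforces needLogin before the subclass does any work. */
public abstract class SecureAction extends Action {
    /** Session key for the path to return to after login (assumed name). */
    public static final String RETURN_PATH_KEY = "example.returnPath";

    public final ActionForward perform(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        boolean needLogin = (mapping instanceof SecureActionMapping)
                && ((SecureActionMapping) mapping).getNeedLogin();
        // Container-managed security: getUserPrincipal() is non-null only once the
        // container has authenticated the user against a URL protected in web.xml.
        if (needLogin && request.getUserPrincipal() == null) {
            String path = request.getServletPath();
            if (request.getPathInfo() != null) path += request.getPathInfo();
            if (request.getQueryString() != null) path += "?" + request.getQueryString();
            request.getSession(true).setAttribute(RETURN_PATH_KEY, path);
            // The "login" forward points at a container-protected path and is
            // declared with redirect="true", so the container's login challenge fires.
            return mapping.findForward("login");
        }
        return performSecure(mapping, form, request, response);
    }

    /** What the concrete Action does once the login check has passed. */
    protected abstract ActionForward performSecure(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException;
}

// --- file: LoginAction.java (hypothetical) ---
package example;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Target of the protected "login" path: sends the user back where they wanted to go. */
public class LoginAction extends Action {
    public ActionForward perform(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        String target = null;
        HttpSession session = request.getSession(false);
        if (session != null) {
            target = (String) session.getAttribute(SecureAction.RETURN_PATH_KEY);
            session.removeAttribute(SecureAction.RETURN_PATH_KEY);   // one use only
        }
        if (target == null || !isLocalPath(target)) {
            return mapping.findForward("home");   // assumed fallback forward
        }
        // Always prefix the context path so the redirect stays inside this webapp.
        response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + target));
        return null;   // response already committed
    }

    /** Accept only a context-relative path: a single leading '/', never "//" or "/\" */
    static boolean isLocalPath(String p) {
        return p.startsWith("/") && !p.startsWith("//") && !p.startsWith("/\\");
    }
}
```

Two caveats the post does not spell out. First, the check lives in the Action, so any Action that extends Action directly instead of the base class is simply not protected; that is the cost of doing this below the framework's request processor, and it is the rough edge the post itself flags. Second, the stored return path is attacker-influenced (it is whatever URL was requested before the login challenge), so the redirect after login is restricted above to a context-relative path rather than used verbatim.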