struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dan Tarkenton <>
Subject RE: RBAC - Role Based Access Control Model in Struts
Date Fri, 09 May 2003 15:18:23 GMT
I was thinking along the same lines as you were.  I could easily create my own security model
without it being tightly coupled to the struts framework.  I don't like the idea of editing
the struts framework...I wouldn't mind extending it (which I obviously can do myself).   I
am trying to be forward thinking here and really see Hobbs' solution as practical right now,
but a headache in the future.  Seeing as how Struts 1.1 will be released soon I don't want
to have to remodify the code at that point if I chose to upgrade to 1.1.  No disrespect to
Nic at all -- I found his solution to be decent.  It seemed to me that all of my user data
would be stored in the "Nic version" of struts-config.xml file if I went with his solution.
 I would really like to keep that user related data in my DB. Thanks for your reply.  I will
look into JAAS and Jakarta Realms. -Dan
Navjot Singh <> wrote:IMO, You should keep your security model
out of the struts purview. You may
want to read about Jakarta Realms or JAAS etc.

It's not good idea to change the DTD or for that matter even the struts code
straight away. Build on top of it if you wish, but you should not change the
base code. Whenever the new release comes, you are stuck there. Or you
download the source of new release or do the modifications.

Navjot Singh

|-----Original Message-----
|From: Dan Tarkenton []
|Sent: Friday, May 09, 2003 8:24 PM
|Subject: RBAC - Role Based Access Control Model in Struts
|Hello all! I have a web app utilizing struts right now that is
|working great for me. I have to add security to my application,
|and after looking at some Security Design Patterns I have chosen
|the Role Based Access Control (RBAC) pattern. So I wanted to see
|if there was already a RBAC model plug-in or code out there for
|Struts right now. I quickly stumbled across Nic Hobbs
|contribution available at
||security.htm . There
|Nic gives a quick blurb about his approach and includes a link to
|his source. His download consists of:
|config.xml*struts-config_1_0.dtd If you are at all familiar with
|the basics of Struts you will immediately recognize these files.
|So what Nic has done is actually add code to existing Struts
|classes, added 2 new Classes, and edited the struts-config file
|and it's associated DTD. In the past I have just simply included
|the Struts.jar file I downloaded from the jakarta site and simply
|included that in the lib directory of my war file. So I assume if
|I were to use Nic's security model, I would have to download the
|Struts source, replace certain default Struts files with Nic's
|version of those files, compile, and jar the contents. Does this
|approach seem correct? Also, has anyone used Nic Hobbs' RBAC
|Struts Extension? Anyone have any examples? I can't seem to find
|any documentation other than what is stated in the link I
|mentioned above. OR, has anyone approached RBAC in Struts in a
|different manner? I'm open to anything here, and don't really
|want to have to reinvent the wheel. This seems like a common
|enough feature that some people out there have implemented before
|(aside Hobbs). Thanks for your feedback in advance! I appreciate it. -Dan
|Do you Yahoo!?
|The New Yahoo! Search - Faster. Easier. Bingo.

To unsubscribe, e-mail:
For additional commands, e-mail:

Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo.
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message