struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Susan Bradeen <Sus...@softlanding.com>
Subject Re: Security - From tradition to struts
Date Thu, 19 Aug 2004 14:16:52 GMT
Excellent explanation, Erik. Consider adding this to the Struts Wiki for 
posterity? Must be a place for it in there somewhere ... 

Erik Weber <erikweber@mindspring.com> wrote on 08/19/2004 08:31:08 AM:

> Sorry, by "hand-rolled" I just mean one that is written specifically for 

> the application (written by you).
> 
> The general idea is something like this:
> 
> Make a BaseAction class.
> 
> Implement a checkLogin method in the BaseAction class that looks in the 
> current request's HttpSession for a "User" object, which you would have 
> placed into the session in your LoginAction.
> Implement a checkPermission method in the BaseAction class that looks in 

> the current HttpSession for a role associated with the user (maybe this 
> is part of the "User" object) that matches the role required for the 
> current request (or you can go as fine-grained as you want, with many 
> different permissions to check for a single request) to be granted.
> 
> All your Action classes extend the BaseAction class. They can invoke the 

> checkLogin and/or the checkPermission methods at the beginning of the 
> execute method to decide whether/how to proceed.
> 
> Write a LoginAction class that sets the "User" action, along with 
> permissions, roles, etc., whatever else is needed in your checkLogin and 

> checkPermission methods, in the session after login has succeeded (you 
> have taken the entered username and password and matched them 
> successfully against a username and password combination in your 
> database -- typically in a USERS table).
> 
> Write a Logout Action that invalidates the current session.
> 
> Alternatively, you could check the login and the permissions the same 
> way, but in a sublass of the Struts RequestProcessor, or in a Servlet 
> Filter, instead of in a BaseAction class.
> 
> If you want to go with container-managed security and you can use 
> Tomcat, try this (you should probably read it anyway).
> 
> http://jakarta.apache.org/tomcat/tomcat-5.0-doc/realm-howto.html
> 
> I also suggest you read the security section of the J2EE tutorial, and 
> the security sections of the JSP and Servlet specifications.
> 
> If you go with container-managed security, it's real easy to allow/deny 
> entire JSPs, but you still may need to implement finer-grained 
> permissions checks on your own if you need to, for example, show/hide 
> links on a page based on permissions.
> 
> Erik
> 
> Leandro Melo wrote:
> 
> >Erik,
> >i don't quite understand what you call a hand-rolled
> >java component (maybe because of my english).
> >Anyway, it seems to me that you're not using JAAS to
> >completely control application's security, are u?
> >I don't know if it possible, but if so, would you post
> >your setup and basic classes?
> >I'm very very new at security stuff...
> >Anyway, i cleared out a lot of things for me.
> >
> >Thanks,
> >Leandro.
> >
> >
> > --- Erik Weber <erikweber@mindspring.com> escreveu: 
> > 
> >
> >>I don't really consider myself an expert here, but I
> >>dare say that there 
> >>are a lot of webapps deployed out there using
> >>programmatic (hand-rolled) 
> >>security successfully. I have used the approach with
> >>success. What 
> >>exactly the advantages are to using
> >>container-managed security I am not 
> >>able to fully deduce (except for the obvious -- it's
> >>nice to declare 
> >>stuff in web.xml in a standardized way -- and that
> >>perhaps it might make 
> >>Servlets a *little* more portable if you wanted to
> >>use them among 
> >>different apps). But then again, I haven't had to
> >>take on a project yet 
> >>where the environment was extremely complicated,
> >>when it came to how 
> >>users and permissions were managed (typically I see
> >>the same tried and 
> >>trusted setup -- USER, GROUP, ROLES and PERMISSIONS
> >>tables in some 
> >>central database, and some hand-rolled Java
> >>component, used to authorize 
> >>the current request, that is invoked in some
> >>"common" area, such as a 
> >>Servlet Filter -- or, in Struts, a base Action class
> >>or a custom 
> >>RequestProcessor). It seems like JAAS is still at an
> >>immature stage 
> >>perhaps, or at least the state of documenation about
> >>it is.
> >>
> >>The other route it seems you could go is to use a
> >>container-managed 
> >>login as you suggest, and enjoy using the methods
> >>such as 
> >>request.isUserInRole instead of invoking security
> >>methods on a 
> >>hand-rolled component, but I think you will have to
> >>give up the 
> >>JBoss/Tomcat stack to do this for now (someone
> >>please correct me if I am 
> >>wrong), because I think there is a security
> >>integration problem there, 
> >>as I described earlier. I'm guessing Tomcat as stand
> >>alone might be a 
> >>good way to go though. I have not done this and
> >>couldn't say whether it 
> >>is "common and usual".
> >>
> >>I have tried to write my role-checking methods so
> >>that in the future if 
> >>I port an application to JAAS I can just refactor
> >>them to invoke the 
> >>standard methods instead of my own. But like I say,
> >>I'm far from an 
> >>expert in this area.
> >>
> >>Hope that helps,
> >>
> >>Erik
> >>
> >>Leandro Melo wrote:
> >>
> >> 
> >>
> >>>So Erik, is it a common and usual aproach to do
> >>> 
> >>>
> >>login
> >> 
> >>
> >>>outside of Struts (ordinary jsps), and then use
> >>> 
> >>>
> >>Struts
> >> 
> >>
> >>>afterwards???
> >>>
> >>>
> >>>--- Erik Weber <erikweber@mindspring.com>
> >>> 
> >>>
> >>escreveu: 
> >> 
> >>
> >>> 
> >>>
> >>> 
> >>>
> >>>>Leandro, search the archives of this List for
> >>>>"JAAS". I participated in 
> >>>>a thread about this within the last two months.
> >>>>
> >>>>I'm not sure if I understand exactly what you want
> >>>>to do, but if you 
> >>>>want to use container-managed security, I don't
> >>>> 
> >>>>
> >>know
> >> 
> >>
> >>>>of a way to have 
> >>>>your login screen be part of Struts. As far as I
> >>>>know, you have to let 
> >>>>the container process the request that results
> >>>> 
> >>>>
> >>from
> >> 
> >>
> >>>>the login screen's 
> >>>>form submittal (I tried having an Action intercept
> >>>>this request and then 
> >>>>attempt to login with the JBoss JAAS module
> >>>> 
> >>>>
> >>manually
> >> 
> >>
> >>>>but gave up when I 
> >>>>realized problem # 2 -- below).
> >>>>
> >>>>Another problem you are probably going to run into
> >>>>is that the JBoss 
> >>>>security context is not propagated to Tomcat, and
> >>>>vice versa, as far as 
> >>>>I know. So if you authenticate using JBoss JAAS,
> >>>>Tomcat won't know about 
> >>>>it, and the methods such as request.isUserInRole
> >>>>aren't going to do you 
> >>>>any good (although you would presumably be able to
> >>>>use the similar 
> >>>>methods on EJBs, because they are running within
> >>>> 
> >>>>
> >>the
> >> 
> >>
> >>>>JBoss security 
> >>>>context).
> >>>>
> >>>>I found JAAS to be a nightmare, though a couple
> >>>>people gave me possible 
> >>>>solutions to the problems I mentioned in the
> >>>> 
> >>>>
> >>thread
> >> 
> >>
> >>>>(one would be 
> >>>>intercepting the login screen request and then
> >>>>manually logging in with 
> >>>>both JBoss JAAS as well as Tomcat JAAS modules --
> >>>>but I don't know if 
> >>>>this has been done). I presume it's a much easier
> >>>>endeavor if you are 
> >>>>just using Tomcat stand alone, but I'll let Craig
> >>>>address that if he 
> >>>>wants, because I've never tried it.
> >>>>
> >>>>Erik
> >>>>
> >>>>
> >>>>Leandro Melo wrote:
> >>>>
> >>>> 
> >>>>
> >>>> 
> >>>>
> >>>>>Or i just extend the DatabaseServerLoginModule
> >>>>> 
> >>>>>
> >>>>> 
> >>>>>
> >>>>class
> >>>> 
> >>>>
> >>>> 
> >>>>
> >>>>>and leave an empty class????
> >>>>>
> >>>>>
> >>>>>
> >>>>>--- Leandro Melo <ltcmelo_java@yahoo.com.br>
> >>>>>escreveu: 
> >>>>>
> >>>>>
> >>>>> 
> >>>>>
> >>>>> 
> >>>>>
> >>>>>>Just complementing my question...
> >>>>>>
> >>>>>>Would it be fair if i copy JBoss'
> >>>>>>DatabaseServerLoginModule code and place it
> >>>>>> 
> >>>>>>
> >>inside
> >> 
> >>
> >>>>>>an
> >>>>>>Action???
> >>>>>>
> >>>>>>This way, i'll have an Action (for example,
> >>>>>>MyLoginAction) that does exactly what
> >>>>>>DatabaseServerLoginModule does.
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>--- Leandro Melo <ltcmelo_java@yahoo.com.br>
> >>>>>>escreveu: 
> >>>>>> 
> >>>>>>
> >>>>>> 
> >>>>>>
> >>>>>> 
> >>>>>>
> >>>>>>>Please help me out here!
> >>>>>>>I'm very new with jaas, so i need some help.
> >>>>>>>
> >>>>>>>I got a simple login that is working fine for
> >>>>>>> 
> >>>>>>>
> >>me,
> >> 
> >>
> >>>>>>>here
> >>>>>>>it is:
> >>>>>>>
> >>>>>>>...
> >>>>>>><FORM action='<%=
> >>>>>>>response.encodeURL("j_security_check")%>' 
> >>>>>>>    method="get">
> >>>>>>>    <!-- esses  nomes tem q ser assim ->
>>>>>>>j_username
>>>>>>>-->
> >>>>>>>     NOME:<INPUT type="text" name="j_username"
> >>>>>>> 
> >>>>>>>
> >>>>>>> 
> >>>>>>>
> >>>>>>> 
> >>>>>>>
> >>>>>>/>
> >>>>>> 
> >>>>>>
> >>>>>> 
> >>>>>>
> >>>>>> 
> >>>>>>
> >>>>>>> 
> >>>>>>>     <!-- tem q ser j_password -->
> >>>>>>>     SENHA: <INPUT type="password"
> >>>>>>>name="j_password"
> >>>>>>>/>
> >>>>>>>     <INPUT type="submit" value="Login" />
> >>>>>>> 
> >>>>>>>
> >=== message truncated === 
> >
> >
> > 
> > 
> > 
> >_______________________________________________________
> >Yahoo! Acesso Grátis - navegue de graça com conexão de qualidade! 
> >http://br.acesso.yahoo.com/
> >
> >---------------------------------------------------------------------
> >To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> >For additional commands, e-mail: user-help@struts.apache.org
> >
> >
> > 
> >
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
> 
> 
> 
_____________________________________________________________________________
> Scanned for SoftLanding Systems, Inc. by IBM Email Security 
> Management Services powered by MessageLabs. 
> 
_____________________________________________________________________________


_____________________________________________________________________________
Scanned for SoftLanding Systems, Inc. by IBM Email Security Management Services powered by
MessageLabs. 
_____________________________________________________________________________

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Mime
View raw message