struts-user mailing list archives

From Adam Hardy <ahardy.str...@cyberspaceroad.com>
Subject Re: Security in Struts
Date Mon, 30 May 2005 13:48:07 GMT
Hey, I'm not working! I'm avoiding doing some DIY!!! :)

Sorry for you though. I guess someone always has to work.

Actually I love CMA, but what put me off a while ago was when I realised 
that CMA requires an implementation on the browser side that requires 
the user to stay in SSL after HTTPS authentication - I wanted to encrypt 
the password and then switch back out of SSL again to HTTP. CMA won't 
let you do that. You lose access to the user & roles objects.

Hope you get a break soon.

Adam


On 30/05/05 13:03 Martin Gainty wrote:
> Adam
> I would take a look at finer grained security available thru 
> security-constraints and web-resource-collection
> identifying the HTTP Method access capability for a specific role
> http://developers.sun.com/prodtech/appserver/reference/techart/access_control.html 
> 
> (If it's any consolation you're not the only one that does NOT get today 
> off as a paid holiday)
> Martin-
> 
> ----- Original Message ----- From: "Eddie Bush" <eabush@swbell.net>
> To: "Struts Users Mailing List" <user@struts.apache.org>
> Sent: Monday, May 30, 2005 2:10 AM
> Subject: Re: Security in Struts
> 
> 
>> Adam,
>>
>> Nothing put me off CMA :-)  I think it's fantastic, if it fits your 
>> ticket. Unfortunately, in the environment I currently build apps for, 
>> CMA is not feasible.  Sometimes you get your druthers - sometimes you 
>> look at the standard and decide how you can have your druthers, even 
>> if others are busily trying to snatch them from your grasp!
>>
>> Ah - you're talking about my touting this as the "best approach", I 
>> bet. Well, I'd rather use CMA where it's available, so I suppose I 
>> misrepresented myself a tad.  I like the approach I represented better 
>> than what I've seen others in my shop take.  Essentially, instead of 
>> taking advantage of things that exist in the Servlet spec, they take 
>> it upon themselves to create their own proprietary way of doing things 
>> ... and it varies by application!  I'm working on them ... only been 
>> there a year - can't change everyone overnight ;-)
>>
>> Happy Memorial Day Everyone! :-D ... back to work Tuesday :-( ... 
>> vacation coming soon though! :-D
>>
>> Later :-)
>>
>> Eddie
>>
>> ----- Original Message ----- From: "Adam Hardy" 
>> <ahardy.struts@cyberspaceroad.com>
>> To: "Struts Users Mailing List" <user@struts.apache.org>
>> Sent: Sunday, May 29, 2005 6:32 PM
>> Subject: Re: Security in Struts
>>
>>
>>> Eddie,
>>> what put you off CMA?
>>>
>>> if you don't mind me asking.
>>> Adam
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
>> For additional commands, e-mail: user-help@struts.apache.org
>>
>>
> 
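
The per-method, per-role constraints Martin points to, written out as a web.xml fragment. This is an added example, not part of the thread; the URL pattern and the role names viewer and editor are hypothetical. A constraint that lists http-method elements covers only the methods it lists, so the remaining methods are denied explicitly.

```xml
<!-- Added example: Servlet 2.4-style web.xml fragment.
     /reports/* and the roles viewer/editor are hypothetical. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Reports (read)</web-resource-name>
    <url-pattern>/reports/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>viewer</role-name>
    <role-name>editor</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- CONFIDENTIAL: the container only serves these requests over SSL -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Reports (write)</web-resource-name>
    <url-pattern>/reports/*</url-pattern>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>editor</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Methods not named above would otherwise be unconstrained.
     An auth-constraint with no role-name denies them to everyone. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Reports (other methods)</web-resource-name>
    <url-pattern>/reports/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
    <http-method>HEAD</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

<security-role><role-name>viewer</role-name></security-role>
<security-role><role-name>editor</role-name></security-role>
```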

