struts-user mailing list archives

From "James Reynolds" <James.Reyno...@intermountainmail.org>
Subject RE: [OT] RE: Shale & Container Managed Security
Date Tue, 07 Mar 2006 20:36:31 GMT

Now I get it completely (I'm still getting up to speed on a lot of
this).  Thanks!


-----Original Message-----
From: Gary VanMatre [mailto:gvanmatre@comcast.net] 
Sent: Tuesday, March 07, 2006 1:26 PM
To: Struts Users Mailing List
Subject: RE: [OT] RE: Shale & Container Managed Security

>From: "James Reynolds" <James.Reynolds@intermountainmail.org>
>
> >If you are using J2EE container managed security, why not use the standard
> >declarative security constraint on a url-pattern? You then assign roles
> >to the constraint and to groups and/or users.
> >
> >Gary
>
> Thanks Gary,
>
> Maybe I'm misunderstanding Craig's response (below). Perhaps he is
> referring to page-by-page control, while you are referring to a url
> pattern that encompasses all contents of a folder (/members_only/*).
> Is that the subtle difference here?
>

Oh, right.  I guess you would also have to use "redirects" instead of
"forwards" for navigation since the forwards are trusted.

    <navigation-case>
      <from-outcome>viewSalary</from-outcome>
      <to-view-id>/secured/viewSalary.faces</to-view-id>
      <redirect/>
    </navigation-case>

You could also add programmatic checks in your "action" methods to return
outcomes based on security.


Gary

>
> > Shale's filters do indeed intercept whatever requests it is mapped to,
> > but there are two important things to understand with respect to
> > container managed security:
> >
> > * Container managed security is applied *before* any filters
> > (including the one that Shale provides).
> >
> > * Container managed security is applied *only* on the
> > initial request, not on RequestDispatcher.forward() calls.
> > In JSF (and therefore Shale) apps, that means you can
> > protect the incoming form submits (they will be mapped
> > to something like "/editCustomer.jsf" if you are using
> > extension mapping, and the page being submitted was
> > "/editCustomer.jsp").
> >
> > The second issue means that it is your application's responsibility to
> > decide whether or not the user should be allowed to navigate to a
> > particular page. Container managed security won't help you there. That
> > being said, it might be interesting for Shale to deliver a custom JSF
> > navigation handler that would optionally impose that sort of control
> > ("only a manager can navigate to the salary details page").
> >
> > Craig
> >
> > -----Original Message-----
> > > From: James Reynolds [mailto:James.Reynolds@intermountainmail.org]
> > > Sent: Friday, March 03, 2006 3:02 PM
> > > To: Struts Users Mailing List
> > > Subject: Shale & Container Managed Security
> > >
> > >
> > > I'm a newbie setting up container managed security for a basic
> > > Shale-blank application. For my first attempt, I'm trying a simple
> > > BASIC authentication but I'm having troubles so I'm trying to rule out
> > > the unknowns.
> > >
> > > My question for this list is, does Shale have an impact on traditional
> > > Container Managed Security Methods?
> > >
> > > Thanks
> > >


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
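The pattern Gary and Craig describe above (a container security-constraint that only sees the initial request, a `<redirect/>` navigation-case so the secured view is reached by a fresh request, and a programmatic role check in the action method), written out as an added example. This is not code from the thread or from Shale; the bean, the "manager" role name and the "accessDenied" outcome are assumed, and the web.xml constraint on /secured/* is assumed to exist.

```java
// Added example, not from the thread. Assumes web.xml declares a
// <security-constraint> on url-pattern /secured/* requiring the role
// "manager", and faces-config.xml maps the outcome "viewSalary" to
// /secured/viewSalary.faces with <redirect/>, so the browser issues a new
// request that the container's constraint is actually applied to.
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

public class SalaryBean {

    /** Role name; assumed to match the <role-name> used in web.xml. */
    static final String REQUIRED_ROLE = "manager";

    /** Outcome mapped (with <redirect/>) to the container-protected view. */
    static final String SECURED_OUTCOME = "viewSalary";

    /** Outcome assumed to map to a non-secured "access denied" view. */
    static final String DENIED_OUTCOME = "accessDenied";

    /**
     * Pure decision: deny by default, allow only an authenticated user who
     * holds the required role. Kept separate from JSF so it can be unit
     * tested without a FacesContext.
     */
    static String outcomeFor(String remoteUser, boolean inRequiredRole) {
        if (remoteUser != null && inRequiredRole) {
            return SECURED_OUTCOME;
        }
        return DENIED_OUTCOME;
    }

    /**
     * Action method bound to a command button. Because a plain forward would
     * bypass the container's constraint, the application makes the
     * authorization decision here as well, using the container's own
     * principal and role information.
     */
    public String showSalary() {
        ExternalContext ctx = FacesContext.getCurrentInstance().getExternalContext();
        return outcomeFor(ctx.getRemoteUser(), ctx.isUserInRole(REQUIRED_ROLE));
    }
}
```

With the redirect in place, even a caller who reaches the secured outcome by some other path still hits the web.xml constraint on the follow-up request, so the two checks back each other up.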

