struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Thomas Hamacher <...@qualiads.de>
Subject Re: Best way to secure struts-webapps?
Date Wed, 30 Aug 2006 07:46:51 GMT
Laurie,

thanks for the input. I am aware of the container managed security. But as far 
as I read in the internet, there is no good solution to use container managed 
security together with tiles. So if I wanna have a login-box on every page, 
that redirects dynamically to the same page after login I will have some 
trouble with the container managed solution. Is this not true or did I 
misunderstood anything? 

And another question to the filter-based solution as Leon also recommended: 
Does this also work if I have different tiles for one page and some of them 
are secured and some aren´t? E.g. I have a tile for an adminMenu, which is 
only loaded if I have a user with admin-roles in the session, but which is 
part of a usual public tiles-page? This way the servlet-filter will never 
find it´s pattern, will it? Is there a simple <logic:present>-Tag combined 
with an entry "role" in the action mapping and role-security-check in the 
RequestProcessor enough security to be sure, only admins access these 
actions? Or is there a way to get around these security-checks, which I 
should keep in mind?

Thank you very much

Thomas


Am Dienstag, 29. August 2006 22:01 schrieb Laurie Harper:
> You left container managed security off your list; that's the most
> 'standard' solution, but isn't necessarily the most portable since parts
> are container implementation defined. A filter is probably the most
> flexible alternative if container managed security isn't viable, but it
> really depends on your exact security requirements.
>
> This is a topic that's discussed alot, both here on the Struts lists,
> and in other web development forums, so I'd recommend doing some reading
> to get a feel for the solutions others have used and their tradeoffs.
>
> L.
>
> Thomas Hamacher wrote:
> > Hi everyone,
> >
> > I think I have a very basic question here, but after spending some time
> > with google I haven´t found a real solution to this question: What is the
> > best way to secure a struts webapplication to be sure, that only logged
> > in users are allowed to do some special action and access some special
> > pages?
> >
> > I found 3 possibilities, from what some of them seem to be a solution
> > from older struts versions.
> >
> > - Extend the RequestProcessor and do a programmatic security-check
> > - Use a Filter to do the security check
> > - Extend all Actions from a customized BaseAction, that does the security
> > check.
> >
> > But all of this seems a bit strange to me. As security is a
> > standard-problem in every webapplication and there are a lot of people
> > who thought about solutions (JAAS) I can´t believe, that I have to extend
> > the struts-framework myself to provide some security issues.
> >
> > So what would you recommend if you want to do a real secure application
> > with struts, together with tiles and want to be sure, that no pages or
> > actions are used without permission? And all of this independent, if I
> > use a Tomcat, a Resin or maybe a JBoss as my struts-web-server.
> >
> > Do you have any informations, examples or URL´s who have a real solution
> > to this?
> >
> > THank you very much
> >
> > Thomas
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org

-- 
Mit freundlichen Grüßen

Thomas Hamacher

----------------------------- 
Thomas Hamacher
QualiGO GmbH
Bleicherstrasse 20
D-78467 Konstanz
Germany

fon:  +49-(0)7531-89207-0
fax:  +49-(0)7531-89207-13
mail: tha@qualigo.de
www:  www.qualigo.de

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Mime
View raw message