struts-user mailing list archives

From wild_oscar <mig...@almeida.at>
Subject Re: Authentication and Authorization in S2
Date Thu, 23 Aug 2007 14:15:25 GMT

How about AA with Struts2 only?

I'm trying to understand Authorization with JAAS, but I'm not being very
successful. Authentication is taken care of, I use JAAS and a PostgreSQL
database to store users, passwords and roles.

At the end of authentication, I store the subject in the HttpSession:

HttpSession session = httprequest.getSession();
session.setAttribute("subject_key", lc.getSubject());

Bear in mind I first tried this in Struts; this week I switched to Struts2.
Can anyone shed some light on the authorization part of the process with
Struts2? Namely:

a) Does one ever need to configure web.xml with security details and roles,
for declarative security based on wildcards?

or
b) Is security only achieved at the action level?

c) How does one build JSP pages that have parts protected (say, a
form/button only available to certain roles)?

Thank you for your help!

Miguel, lost in Authorization



Alvaro Sanchez-Mariscal wrote:
> 
> I agree. You should first try Acegi.
> 
> If your auth needs are very specific, you can always develop a custom
> interceptor.
> 
> Alvaro.
> 
> On 8/20/07, Zarar Siddiqi <zarars@gmail.com> wrote:
>> If you're using Spring, it's probably a great idea to use Acegi
>> Security to handle authentication/authorization.  I can't think of
>> anything it can't do.
>>
>> http://www.acegisecurity.org/
>>
>> There's also Berkano which doesn't do nearly as much as Acegi but can
>> handle most general AA problems:
>>
>> http://berkano.codehaus.org/
>>
>> Zarar
>>
>>
>> On 8/20/07, Roberto Nunnari <roberto.nunnari@supsi.ch> wrote:
>> > Hi all.
>> >
>> > I need to implement Authentication and Authorization in
>> > a S2 web application, and before reinventing the wheel, I'd
>> > like to ask the list for hints and advice.
>> >
>> > 1) Is there built-in support in Struts2 for Authentication and
>> > Authorization?
>> >
>> > 2) What are the best practices for AA in S2?
>> >
>> > 3) Is JAAS a practical way in S2?
>> >
>> > More details:
>> > - The application lets the users dynamically register as members
>> > - In the application, the members can be part of one of two or three
>> > groups (roles)
>> > - unauthenticated users can only view some global data
>> > - authenticated users can change some of their own data
>> > - authenticated users can view some of other members' data
>> > - the authenticated users can add global content
>> > - authenticated users in more privileged roles can change some global data
>> > - authenticated users in the admin role, can do anything
>> >
>> > Thank you.
>> >
>> > --
>> > Robi
>> >
>> >
>> > ---------------------------------------------------------------------
>> > To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
>> > For additional commands, e-mail: user-help@struts.apache.org
>> >
>> >
>>
>>
>>
> 
> 
> -- 
> Alvaro Sanchez-Mariscal Arnaiz
> Java EE Architect & Instructor
> alvaro.sanchezmariscal@gmail.com
> 
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Authentication-and-Authorization-in-S2-tf4300234.html#a12294512
Sent from the Struts - User mailing list archive at Nabble.com.
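
An added example, not part of the original thread and not code from Struts2 or any poster: one way to do the action-level check with a custom interceptor, as Alvaro suggests, reading the JAAS Subject stored under "subject_key" above. The class name, the "login" and "denied" result names, the allowedRoles parameter, and the convention that each role is a Principal named after the role are assumptions.

```java
import java.security.Principal;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/** Hypothetical role-checking interceptor; not shipped with Struts2. */
public class SubjectRoleInterceptor extends AbstractInterceptor {

    // Session key used by the login code in the post above.
    private static final String SUBJECT_KEY = "subject_key";

    // Hypothetical result names; they must be declared as global results in struts.xml.
    private static final String RESULT_LOGIN = "login";
    private static final String RESULT_DENIED = "denied";

    // Empty by default, so an unconfigured interceptor denies everyone.
    private Set<String> allowedRoles = new HashSet<String>();

    /** Set from an interceptor param, e.g. <param name="allowedRoles">admin,editor</param>. */
    public void setAllowedRoles(String csv) {
        allowedRoles = new HashSet<String>();
        for (String role : csv.split(",")) {
            if (role.trim().length() > 0) allowedRoles.add(role.trim());
        }
    }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        Map session = invocation.getInvocationContext().getSession();
        Object stored = (session == null) ? null : session.get(SUBJECT_KEY);
        if (!(stored instanceof Subject)) {
            return RESULT_LOGIN;            // not authenticated: the action never runs
        }
        // Assumption: the LoginModule adds one Principal per role, named after the role.
        for (Principal p : ((Subject) stored).getPrincipals()) {
            if (allowedRoles.contains(p.getName())) {
                return invocation.invoke(); // authorized: continue down the stack
            }
        }
        return RESULT_DENIED;               // authenticated but lacking the role: fail closed
    }
}
```

Because the check runs before invocation.invoke(), a request that fails it never reaches the action, whatever the JSP shows or hides.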

