struts-user mailing list archives

From wild_oscar <>
Subject JAAS and S2 - how do they interact?
Date Fri, 24 Aug 2007 10:29:28 GMT

Following up on my quest for Authentication and Authorization in web apps, I
found out two approaches with JAAS.

The first one is described here: 

and it basically involves defining a JAASRealm in Tomcat and putting it in
server.xml, defining a webpage for login and configuring all in the web.xml
file: defining <security-constraint>, <login-config> and <security-role>.

What I think is the second alternative involves defining interceptors, such
as the Login Interceptor Mark Mernards describes on his blog (Mark's post on
Login interceptors) and/or filters, such as a ServletFilter that wraps the
HttpServletRequest with a class that implements the isUserInRole method, as
described by Josh Vickery on this mailing list (Josh's input).

Being completely lost on the subject, my questions are: 

1) are the two incompatible? 
2) Having achieved authentication with a JAAS module successfully, what is
the best way to achieve authorization now, using Struts2? Not having written
the application yet, I am figuring I'll need both business authorization (in
actions, for example) and view authorization (tags rendered or hidden based
on user's role).

After authentication, the subject is stored on the httpSession like this:

    HttpSession session = request.getSession();
    session.setAttribute("subject_key", lc.getSubject());

Thank you very much for all the input!
