struts-user mailing list archives

From "Alvaro Sanchez-Mariscal" <alvaro.sanchezmaris...@gmail.com>
Subject Re: Authentication and Authorization in S2
Date Thu, 23 Aug 2007 16:22:09 GMT
What do you mean with "100% Struts 2 security"? As far as I know, S2 does
not have anything out-of-the-box regarding security.

In my case, I had to manually develop a login action and an
authentication interceptor.

Alvaro.

On 8/23/07, Arnaud Cogoluegnes <acogoluegnes@sqli.com> wrote:
> I'm using 100% Struts 2 security:
>   - centralized store (simple Java class/XML config file) which maps roles
> and actions
>   - interceptor if some user directly types the URL (based on the store)
>   - custom tag for showing/hiding links (based on the store)
>
> This protects only *actions* and not data (i.e. which roles can see which
> rows in the database).
>
>
> -----Original Message-----
> From: wild_oscar [mailto:miguel@almeida.at]
> Sent: Thursday, 23 August 2007 16:15
> To: user@struts.apache.org
> Subject: Re: Authentication and Authorization in S2
>
>
> How about AA with Struts2 only?
>
> I'm trying to understand Authorization with JAAS, but I'm not being very
> successful. Authentication is taken care of, I use JAAS and a PostgreSQL
> database to store users, passwords and roles.
>
> In the end of authentication, I store the subject in the HttpSession:
>
> HttpSession session = httprequest.getSession();
> session.setAttribute("subject_key", lc.getSubject());
>
> Bear in mind I first tried this in Struts; this week I switched to Struts2.
> Can anyone shed some light on the authorization part of the process with
> Struts2? Namely:
>
> a) Does one ever need to configure web.xml with security details and roles,
> for declarative security based on wildcards?
>
> or
> b) Is security only achieved at the action level?
>
> c) How does one build JSP pages that have parts protected (say, a
> form/button only available to certain roles)?
>
> Thank you for your help!
>
> Miguel, lost in Authorization
>
>
>
> Alvaro Sanchez-Mariscal wrote:
> >
> > I agree. You should first try Acegi.
> >
> > If your auth needs are very specific, you can always develop a custom
> > interceptor.
> >
> > Alvaro.
> >
> > On 8/20/07, Zarar Siddiqi <zarars@gmail.com> wrote:
> >> If you're using Spring, it's probably a great idea to use Acegi
> >> Security to handle authentication/authorization.  I can't think of
> >> anything it can't do.
> >>
> >> http://www.acegisecurity.org/
> >>
> >> There's also Berkano which doesn't do nearly as much as Acegi but can
> >> handle most general AA problems:
> >>
> >> http://berkano.codehaus.org/
> >>
> >> Zarar
> >>
> >>
> >> On 8/20/07, Roberto Nunnari <roberto.nunnari@supsi.ch> wrote:
> >> > Hi all.
> >> >
> >> > I need to implement Authentication and Authorization in
> >> > a S2 web application, and before reinventing the wheel, I'd
> >> > like to ask the list for hints and advice.
> >> >
> >> > 1) Is there built-in support in Struts2 for Authentication and
> >> > Authorization?
> >> >
> >> > 2) What are the best practices for AA in S2?
> >> >
> >> > 3) Is JAAS a practical way in S2?
> >> >
> >> > More details:
> >> > - The application lets the users dynamically register as members
> >> > - In the application, the members can be part of one of two or three
> >> > groups (roles)
> >> > - unauthenticated users can only view some global data
> >> > - authenticated users can change some of their own data
> >> > - authenticated users can view some of other members' data
> >> > - the authenticated users can add global content
> >> > - authenticated users in more privileged roles can change some global
> >> > data
> >> > - authenticated users in the admin role can do anything
> >> >
> >> > Thank you.
> >> >
> >> > --
> >> > Robi
> >> >
> >> >
> >> > ---------------------------------------------------------------------
> >> > To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> >> > For additional commands, e-mail: user-help@struts.apache.org
> >> >
> >> >
> >>
> >
> >
> > --
> > Alvaro Sanchez-Mariscal Arnaiz
> > Java EE Architect & Instructor
> > alvaro.sanchezmariscal@gmail.com
> >
>


-- 
Alvaro Sanchez-Mariscal Arnaiz
Java EE Architect & Instructor
alvaro.sanchezmariscal@gmail.com
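
As an added example (not code from anyone in this thread), this is how the "login action plus interceptor backed by a centralized role-to-action store" approach described above can look in Struts 2, reusing the `subject_key` session attribute from Miguel's snippet. The action names, the role names, the `"forbidden"` result and the treatment of each JAAS Principal's name as a role name are assumptions for illustration.

```java
import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import javax.security.auth.Subject;
import java.security.Principal;
import java.util.*;

// Deny-by-default authorization interceptor: every action must be listed in
// the central store together with the roles allowed to run it.
public class RoleAuthorizationInterceptor extends AbstractInterceptor {

    // Centralized store: action name -> roles permitted to execute it.
    // Constructed sample; in a real app load it from the XML/Java config.
    private static final Map<String, Set<String>> ALLOWED = new HashMap<String, Set<String>>();
    static {
        ALLOWED.put("login",       new HashSet<String>(Arrays.asList("anonymous", "member", "admin")));
        ALLOWED.put("viewGlobal",  new HashSet<String>(Arrays.asList("anonymous", "member", "admin")));
        ALLOWED.put("editProfile", new HashSet<String>(Arrays.asList("member", "admin")));
        ALLOWED.put("editGlobal",  new HashSet<String>(Arrays.asList("admin")));
    }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        String action = invocation.getProxy().getActionName();
        Map<String, Object> session = invocation.getInvocationContext().getSession();
        // The login action stored the JAAS Subject here; null means not logged in.
        Subject subject = (Subject) session.get("subject_key");

        if (isAllowed(action, rolesOf(subject))) {
            return invocation.invoke();
        }
        // Unauthenticated: send to login. Authenticated but unauthorized: explicit denial.
        return subject == null ? Action.LOGIN : "forbidden";
    }

    // Deny by default: an action missing from the store is reachable by nobody.
    static boolean isAllowed(String action, Set<String> roles) {
        Set<String> permitted = ALLOWED.get(action);
        if (permitted == null) return false;
        for (String r : roles) if (permitted.contains(r)) return true;
        return false;
    }

    // Assumption: each role is a Principal whose getName() is the role name.
    static Set<String> rolesOf(Subject subject) {
        Set<String> roles = new HashSet<String>();
        if (subject == null) { roles.add("anonymous"); return roles; }
        for (Principal p : subject.getPrincipals()) roles.add(p.getName());
        return roles;
    }
}
```

The same `isAllowed` check can back the custom JSP tag that hides links, so the page and the interceptor cannot disagree about who may reach an action.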
