struts-user mailing list archives

From Marcelo Vanzin <>
Subject Re: Security Solution
Date Mon, 01 Apr 2002 19:03:56 GMT
Phase Web and Multimedia wrote:
> I wanted to offer some code if anyone is interested. I have seen many
> discuss security on archives and wanted to offer an alternative to container
> managed security.

	Nice you came up with this problem again, since I remember reading 
something about it in the archives, but did not participate in the 
threads. :-)

	We have a situation a little more complicated here: we need our users to 
be propagated to a remote server where we access some session EJBs. From 
what I understood from the specs, for this we *need* to use container 
managed security, so that the user Principal is propagated to the 
sessionContext when we create the remote objects.

	(BTW, I haven't tested this, so I do not know if it really works. We are 
using Tomcat talking remotely to a Weblogic server. Has someone worked 
with this?)

	So, I guess that anything outside container managed security is out of 
the question for us. What I did is a little ugly, but is working fine:

	- Since not all actions are going to be protected, I extended the 
ActionMapping class to have two more attributes: one that says if the 
mapping needs the user to be logged in, and another identifying which 
permission the user needs (this one is optional and based on the way 
Weblogic implemented security, which is a little more complex than the 
basic user/role thing defined by the servlet spec; anyway, it's not 
relevant here).

	- I have a base Action class where I check if the user is logged in, in 
case the current mapping needs a login. This is done in the perform 
method, before anything else is executed.

	- If the user is not logged in, I send a redirect to a "login" forward. 
The path to this login forward has protected access (declared in the 
web.xml file).

	- Once the user logs in, the action executed by the "login" forward 
redirects the user to the page he wanted to go to in the first place. This 
path is stored in the user's session (and is removed after the login is 

	It's been working rather nicely with the simple cases I tested. I'm 
working on creating a custom realm for Tomcat where I'll be able to 
access our remote user database.

	The problem is that I'm extending the framework a bit (the "needLogin" 
part of the ActionMapping). I've seen people suggesting that something 
similar was incorporated into the framework, and I think that'd be a 
nice addition.

Marcelo Vanzin
Touch Tecnologia
"Life is too short to drink cheap beer"
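The arrangement described in the message above (a needLogin flag on the mapping, the check in the base Action's perform, a "login" forward whose path is protected in web.xml, and a return path kept in the session) sketched in Struts 1.0-era Java; this is an added example, not Marcelo's code. The class names, the RETURN_PATH_KEY session key and the /index.do fallback are assumptions, and the three classes are shown in one listing although each would go in its own file.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
// Mapping with the extra "needLogin" attribute, set per action in struts-config.xml.
public class SecureActionMapping extends ActionMapping {
    private boolean needLogin = false;
    public boolean isNeedLogin() { return needLogin; }
    public void setNeedLogin(boolean needLogin) { this.needLogin = needLogin; }
}

// Base Action: the login check runs in perform() before any real work.
public abstract class BaseAction extends Action {
    public static final String RETURN_PATH_KEY = "returnPath"; // assumed session key
    public ActionForward perform(ActionMapping mapping, ActionForm form,
            HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException {
        if (mapping instanceof SecureActionMapping
                && ((SecureActionMapping) mapping).isNeedLogin()
                && req.getUserPrincipal() == null) {
            // Remember the requested path (never a full URL) so login can send the user back.
            String qs = req.getQueryString();
            req.getSession().setAttribute(RETURN_PATH_KEY,
                    req.getServletPath() + (qs == null ? "" : "?" + qs));
            // The "login" forward's path sits behind a <security-constraint> in web.xml,
            // so the container authenticates the user before LoginAction ever runs.
            return mapping.findForward("login");
        }
        return doPerform(mapping, form, req, res);
    }
    protected abstract ActionForward doPerform(ActionMapping mapping, ActionForm form,
            HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException;
}
// Reached only after container login; redirects to the stored path and forgets it.
public class LoginAction extends Action {
    public ActionForward perform(ActionMapping mapping, ActionForm form,
            HttpServletRequest req, HttpServletResponse res) {
        String target = (String) req.getSession().getAttribute(BaseAction.RETURN_PATH_KEY);
        req.getSession().removeAttribute(BaseAction.RETURN_PATH_KEY);
        // Accept only a context-relative path so a tampered value cannot redirect off-site.
        if (target == null || !target.startsWith("/") || target.startsWith("//")) {
            target = "/index.do"; // assumed default landing page
        }
        return new ActionForward(target, true); // true = HTTP redirect, not forward
    }
}
```

The path check in LoginAction is the one piece the message does not mention: a value pulled back out of the session and fed to a redirect should be constrained to the application's own paths.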
