From "Phase Web and Multimedia" <>
Subject RE: Security Solution
Date Mon, 01 Apr 2002 19:50:32 GMT
My previous solution was an extension on the Struts action mapping where I
identified roles that people needed to belong to, and I set it up as a
property in the action config. This worked fine. But I had to remember to
include two pieces of code in each action class. The other problem was that
when I upgraded to 1.1 it broke my code. Extending action classes is nice.
But it can cause a headache later when you have to change all of your code.
The other thing was protecting other resources on the system. My action
class did not protect my JSP files and image files. It only protected action
mappings. I found that the action-based security model was a bit inefficient.

I have not spent any time using EJB. But I believe that JAAS could tie much
together outside of a web container. That sentence is spoken in a fair
amount of ignorance. I have spent a short amount of time looking into JAAS.

The filter is merely an app level component that could be fit into a larger
security environment.

My solution fits a market that has users visiting their site who want to
shop, read bulletin boards, chat or whatever. If someone goes to the
shopping section, shops and then does a checkout, I don't want to forward
them to a generic login page and then send them back to where they wanted to
go in the first place. I want to provide contextual login pages.

Container managed security does not supply this easily.

The solution that I put together allows you to use the login in three
distinct ways.

1) You can define several Action mappings to the LoginRedirectAction that
define an "auth" forward to the page you want them to go to once they are
logged in. The form would call a particular action mapping.
2) You can call the LoginAction class directly from any page. This returns
you to the page that was logged in from.
3) Finally, you can redirect to a login page of your choice upon the request
of a protected resource. The protected resources are mapped as
security-constraints. But you can have several security-constraints and
each one can map to a different login page.

There is error page customization that is possible as well:
1) You can specify an error page in your action mapping as "error"
2) In the security constraint group you can define the error page for that
3) There is a generic error page for direct LoginAction calls

I know this all sounds a bit confusing. But it would be nice if these
options were available in a mature fashion. I am just trying to expand into
a more flexible solution. I figured putting this on the board would do that.

Brandon Goodin
Phase Web and Multimedia
P (406) 862-2245
F (406) 862-0354
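The filter-based approach described in this message, as an added example (this is not Brandon's code, which was not posted in the thread): a Servlet 2.3 Filter that protects URL prefixes, sends a not-yet-logged-in visitor to a login page chosen per protected area (the "contextual login page" idea), and remembers the originally requested URL so the login action can send the visitor straight back. The class name, the "protect.<prefix>" init-parameter convention, the "user" session attribute and the session key for the return URL are all assumptions made for this example.

```java
// Added example, not code from the original thread.
// Assumed names: ContextualLoginFilter, the "protect.<prefix>" init-params,
// the "user" session attribute and the "loginReturnUrl" session key.
package example.security;

import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class ContextualLoginFilter implements Filter {

    /** Session attribute holding the logged-in user (assumed convention). */
    public static final String USER_KEY = "user";
    /** Session attribute holding the URL requested before the login redirect. */
    public static final String RETURN_KEY = "loginReturnUrl";

    /** Context-relative URL prefix -> context-relative login page for that area. */
    private final Map<String, String> loginPages = new HashMap<String, String>();

    public void init(FilterConfig config) throws ServletException {
        // Init-params of the form   protect./shop/  =  /shop/login.jsp
        Enumeration<?> names = config.getInitParameterNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            if (name.startsWith("protect.")) {
                loginPages.put(name.substring("protect.".length()),
                               config.getInitParameter(name));
            }
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String path = request.getRequestURI().substring(request.getContextPath().length());
        String loginPage = loginPageFor(path);
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_KEY) != null;

        // Pass through when the area is not protected, the user is logged in,
        // or the request is for the login page itself (avoids a redirect loop).
        if (loginPage == null || loggedIn || path.equals(loginPage)) {
            chain.doFilter(req, res);
            return;
        }

        // Remember the original target so the login action can send the user back.
        // The value comes from the request URI, not from a user-supplied parameter,
        // so it stays server-relative and cannot become an open redirect.
        String target = request.getRequestURI();
        if (request.getQueryString() != null) {
            target += "?" + request.getQueryString();
        }
        request.getSession(true).setAttribute(RETURN_KEY, target);
        response.sendRedirect(response.encodeRedirectURL(
                request.getContextPath() + loginPage));
    }

    public void destroy() {
        loginPages.clear();
    }

    /** Login page for the longest protected prefix matching the path, or null. */
    String loginPageFor(String path) {
        String bestPrefix = null;
        for (String prefix : loginPages.keySet()) {
            if (path.startsWith(prefix)
                    && (bestPrefix == null || prefix.length() > bestPrefix.length())) {
                bestPrefix = prefix;
            }
        }
        return bestPrefix == null ? null : loginPages.get(bestPrefix);
    }
}
```

To wire it up, declare the filter in web.xml with one init-param per protected area (for instance param-name "protect./shop/" with param-value "/shop/login.jsp", and a second pair for a bulletin-board area), map it to the url-pattern "/*", and have the login action read and remove RETURN_KEY from the session after a successful login and redirect there. Because the filter sees every request, it also covers the JSP and image files that an action-only check leaves open, which is the gap the message points out.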

-----Original Message-----
From: Marcelo Vanzin []
Sent: Monday, April 01, 2002 12:04 PM
To: Struts Users Mailing List
Subject: Re: Security Solution

Phase Web and Multimedia wrote:
> I wanted to offer some code if anyone is interested. I have seen many
> discuss security on archives and wanted to offer an alternative to
> managed security.

	Nice you came up with this problem again, since I remember reading
something about it in the archives, but did not participate in the
threads. :-)

	We have a situation a little more complicated here: we need our users to
be propagated to a remote server where we access some session EJBs. From
what I understood from the specs, for this we *need* to use container
managed security, so that the user Principal is propagated to the
sessionContext when we create the remote objects.

	(BTW, I haven't tested this, so I do not know if it really works. We are
using Tomcat talking remotely to a Weblogic server. Has someone worked
with this?)

	So, I guess that anything outside container managed security is out of
the question for us. What I did is a little ugly, but is working fine:

	- Since not all actions are going to be protected, I extended the
ActionMapping class to have two more attributes: one that says if the
mapping needs the user to be logged in, and another identifying which
permission the user needs (this one is optional and based on the way
Weblogic implemented security, which is a little more complex than the
basic user/role thing defined by the servlet spec; anyway, it's not
relevant here).

	- I have a base Action class where I check if the user is logged in, in
case the current mapping needs a login. This is done in the perform
method, before anything else is executed.

	- If the user is not logged in, I send a redirect to a "login" forward.
The path to this login forward has protected access (declared in the
web.xml file).

	- Once the user logs in, the action executed by the "login" forward
redirects the user to the page he wanted to go in the first place. This
path is stored in the user's session (and is removed after the login is

	It's been working rather nicely with the simple cases I tested. I'm
working on creating a custom realm for Tomcat where I'll be able to
access our remote user database.

	The problem is that I'm extending the framework a bit (the "needLogin"
part of the ActionMapping). I've seen people suggesting that something
similar was incorporated into the framework, and I think that'd be a
nice addition.

Marcelo Vanzin
Touch Tecnologia
"Life is too short to drink cheap beer"
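The four steps Marcelo lists, as an added example written against the Struts 1.0-era Action API (this is not Marcelo's code, which was not posted): an ActionMapping subclass carrying the "needLogin" flag, a base Action that enforces it at the top of perform() using the container's notion of the logged-in user, and the action behind the "login" forward that sends the user back to the path saved in the session. The class names, the "login" and "home" forward names and the session key are assumptions for this example.

```java
// Added example, not code from the original thread.
// Assumed names: SecureActionMapping, SecureAction, ReturnAfterLoginAction,
// the "login" and "home" forwards and the "loginReturnPath" session key.
package example.security;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Step 1: the extended mapping. The setter lets the config populate the flag. */
class SecureActionMapping extends ActionMapping {
    private boolean needLogin = false;

    public boolean getNeedLogin() { return needLogin; }
    public void setNeedLogin(boolean needLogin) { this.needLogin = needLogin; }
}

/** Steps 2 and 3: base class that checks the container-managed login first. */
abstract class SecureAction extends Action {
    static final String RETURN_PATH = "loginReturnPath";

    public ActionForward perform(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response)
            throws IOException, ServletException {
        boolean needLogin = mapping instanceof SecureActionMapping
                && ((SecureActionMapping) mapping).getNeedLogin();

        // getRemoteUser() is populated by the container after a successful
        // container-managed login; null means nobody is logged in yet.
        if (needLogin && request.getRemoteUser() == null) {
            // Save a context-relative path: Struts prepends the context path
            // itself when it redirects to an ActionForward starting with "/".
            String target = request.getServletPath();
            if (request.getQueryString() != null) {
                target += "?" + request.getQueryString();
            }
            request.getSession(true).setAttribute(RETURN_PATH, target);
            // The "login" forward's path is a protected resource in web.xml,
            // so the container performs the actual authentication.
            return mapping.findForward("login");
        }
        return doPerform(mapping, form, request, response);
    }

    /** Subclasses do their real work here; it runs only once the check passed. */
    protected abstract ActionForward doPerform(ActionMapping mapping, ActionForm form,
                                               HttpServletRequest request,
                                               HttpServletResponse response)
            throws IOException, ServletException;
}

/** Step 4: target of the "login" forward, reached only after the container login. */
class ReturnAfterLoginAction extends Action {
    public ActionForward perform(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) {
        HttpSession session = request.getSession(false);
        String path = null;
        if (session != null) {
            path = (String) session.getAttribute(SecureAction.RETURN_PATH);
            session.removeAttribute(SecureAction.RETURN_PATH);  // one-shot value
        }
        if (path == null) {
            return mapping.findForward("home");  // nothing saved: assumed fallback
        }
        return new ActionForward(path, true);    // true = client-side redirect
    }
}
```

With Struts 1.1 configuration the mapping class is selected with the type attribute on action-mappings and the flag is set per action with a set-property element (property "needLogin", value "true"); in Struts 1.0 the mapping class is instead named through the ActionServlet's "mapping" init-parameter. Keeping the check in the base class rather than in each action is what makes it hard to forget, which is the maintenance problem the earlier message describes.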
