Posted to user@struts.apache.org by James Reynolds <Ja...@intermountainmail.org> on 2006/03/07 19:00:08 UTC

[OT] RE: Shale & Container Managed Security

Thank you Craig, that's very helpful to understand.

There are two things I was hoping to accomplish with Container Managed
Security.

1. Ensuring that a user is logged in before serving up protected pages.
I believe this is handled easily by using a Servlet Filter to check for
a required session object (like username), similar to the example
provided by Kito Mann in JSF in Action.

2. Protecting certain parts of the site based on a user's role.  This is
where I'm having difficulty.  Among Shale/JSF programmers, is there a
popular/best practice for implementing this requirement?  

Any advice would be appreciated.


-----Original Message-----
From: craigmcc@gmail.com [mailto:craigmcc@gmail.com] On Behalf Of Craig
McClanahan
Sent: Friday, March 03, 2006 4:52 PM
To: Struts Users Mailing List
Subject: Re: Shale & Container Managed Security

On 3/3/06, James Reynolds <Ja...@intermountainmail.org> wrote:
>
> Allow me to refine my question. I'm wondering if the Shale filter is 
> intercepting requests to the container.  Do I need to adjust the 
> filter mapping?  Is there an FM somewhere that I should R?


Shale's filters do indeed intercept whatever requests it is mapped to,
but there are two important things to understand with respect to
container managed security:

* Container managed security is applied *before* any filters
  (including the one that Shale provides).

* Container managed security is applied *only* on the
  initial request, not on RequestDispatcher.forward() calls.
  In JSF (and therefore Shale) apps, that means you can
  protect the incoming form submits (they will be mapped
  to something like "/editCustomer.jsf" if you are using
  extension mapping, and the page being submitted was
  "/editCustomer.jsp").

The second issue means that it is your application's responsibility to
decide whether or not the user should be allowed to navigate to a
particular page.  Container managed security won't help you there.  That
being said, it might be interesting for Shale to deliver a custom JSF
navigation handler that would optionally impose that sort of control
("only a manager can navigate to the salary details page").

Craig

> -----Original Message-----
> From: James Reynolds [mailto:James.Reynolds@intermountainmail.org]
> Sent: Friday, March 03, 2006 3:02 PM
> To: Struts Users Mailing List
> Subject: Shale & Container Managed Security
>
>
> I'm a newbie setting up container managed security for a basic 
> Shale-blank application.  For my first attempt, I'm trying a simple 
> BASIC authentication but I'm having troubles so I'm trying to rule out
> the unknowns.
>
> My question for this list is, does Shale have an impact on traditional
> Container Managed Security Methods?
>
> Thanks
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
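
The point made in the reply above (container-managed security is applied only on the initial request, not on RequestDispatcher.forward() calls) can be covered in the application with a servlet filter mapped for both REQUEST and FORWARD dispatches. The following is an added example, not code from the thread or from Shale; the class name, path prefixes and role names are assumptions.

```java
// Added illustration; class name, paths and role names are hypothetical.
// web.xml mapping (Servlet 2.4+) so the filter also runs on forwards,
// which container-managed <security-constraint> rules do not cover:
//   <filter-mapping>
//     <filter-name>roleFilter</filter-name>
//     <url-pattern>/*</url-pattern>
//     <dispatcher>REQUEST</dispatcher>
//     <dispatcher>FORWARD</dispatcher>
//   </filter-mapping>
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RoleFilter implements Filter {
    // Path prefix (relative to the context root) -> role required to view it.
    private final Map<String, String> requiredRoles = new LinkedHashMap<String, String>();

    public void init(FilterConfig config) {
        requiredRoles.put("/salary/", "manager");   // assumed protected area
        requiredRoles.put("/admin/", "admin");      // assumed protected area
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // On a forward, getServletPath()/getPathInfo() describe the forward target.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        for (Map.Entry<String, String> rule : requiredRoles.entrySet()) {
            // isUserInRole() is false for unauthenticated users, so this fails closed.
            if (path.startsWith(rule.getKey()) && !request.isUserInRole(rule.getValue())) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(request, response);
    }

    public void destroy() { }
}
```

isUserInRole() reads the identity established by the container's login, so the filter complements the security constraint on the initial request rather than replacing it.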