Posted to user@struts.apache.org by James Reynolds <Ja...@intermountainmail.org> on 2006/03/07 19:00:08 UTC
[OT] RE: Shale & Container Managed Security
Thank you Craig, that's very helpful to understand.
There are two things I was hoping to accomplish with Container Managed
Security.
1. Ensuring that a user is logged in before serving up protected pages.
I believe this is handled easily by using a Servlet Filter to check for
a required session object (like username), similar to the example
provided by Kito Mann in JSF in Action.
2. Protecting certain parts of the site based on a user's role. This is
where I'm having difficulty. Among Shale/JSF programmers, is there a
popular/best practice for implementing this requirement?
Any advice would be appreciated.
-----Original Message-----
From: craigmcc@gmail.com [mailto:craigmcc@gmail.com] On Behalf Of Craig
McClanahan
Sent: Friday, March 03, 2006 4:52 PM
To: Struts Users Mailing List
Subject: Re: Shale & Container Managed Security
On 3/3/06, James Reynolds <Ja...@intermountainmail.org> wrote:
>
> Allow me to refine my question. I'm wondering if the Shale filter is
> intercepting requests to the container. Do I need to adjust the
> filter mapping? Is there an FM somewhere that I should R?
Shale's filters do indeed intercept whatever requests it is mapped to,
but there are two important things to understand with respect to
container managed security:
* Container managed security is applied *before* any filters
(including the one that Shale provides).
* Container managed security is applied *only* on the
initial request, not on RequestDispatcher.forward() calls.
In JSF (and therefore Shale) apps, that means you can
protect the incoming form submits (they will be mapped
to something like "/editCustomer.jsf" if you are using
extension mapping, and the page being submitted was
"/editCustomer.jsp").
The second issue means that it is your application's responsibility to
decide whether or not the user should be allowed to navigate to a
particular page. Container managed security won't help you there. That
being said, it might be interesting for Shale to deliver a custom JSF
navigation handler that would optionally impose that sort of control
("only a manager can navigate to the salary details page").
Craig
-----Original Message-----
> From: James Reynolds [mailto:James.Reynolds@intermountainmail.org]
> Sent: Friday, March 03, 2006 3:02 PM
> To: Struts Users Mailing List
> Subject: Shale & Container Managed Security
>
>
> I'm a newbie setting up container managed security for a basic
> Shale-blank application. For my first attempt, I'm trying a simple
> BASIC authentication but I'm having troubles so I'm trying to rule out
> the unknowns.
>
> My question for this list is, does Shale have an impact on traditional
> Container Managed Security Methods?
>
> Thanks
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
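The role check that Craig describes as the application's responsibility, sketched as a servlet filter; this is an added example, not code from the thread or from Shale. The class name, path prefixes and role names are hypothetical, and it assumes that container login (such as the BASIC authentication mentioned above) populates the user principal and that the roles are declared in web.xml.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (not part of Shale). Map it in web.xml with both
// <dispatcher>REQUEST</dispatcher> and <dispatcher>FORWARD</dispatcher> so it
// also runs on RequestDispatcher.forward(), which container constraints skip.
public class RoleGuardFilter implements Filter {
    // Constructed sample rules: path prefix -> required role (assumed names).
    private final Map<String, String> rules = new LinkedHashMap<String, String>();

    public void init(FilterConfig config) {
        rules.put("/salary/", "manager");
        rules.put("/admin/", "admin");
    }

    // Returns the role required for a path, or null if it is unrestricted.
    static String requiredRole(Map<String, String> rules, String path) {
        for (Map.Entry<String, String> e : rules.entrySet()) {
            if (path.startsWith(e.getKey())) return e.getValue();
        }
        return null;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // During a forward these methods describe the forward target.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) path += request.getPathInfo();
        String role = requiredRole(rules, path);
        if (role != null && request.getUserPrincipal() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED); // not logged in
            return;
        }
        if (role != null && !request.isUserInRole(role)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN); // wrong role
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

With JSF extension mapping, the forward target is the JSP path (for example a page under "/salary/"), so the prefixes should match the JSP locations rather than only the ".jsf" URLs.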