Posted to user@struts.apache.org by David Erickson <de...@cmcflex.com> on 2003/07/08 17:46:01 UTC

Best place for security checks in Struts?

Hi, I am setting up my webapp for security; I had a big thread about it last
week. We've implemented filters to handle all the static filters sitting
around, but would also like to put some security into the Struts actions
themselves.  I'm trying to figure out where the best place to implement the
checks would be: if I need to extend the class that actually calls the
actions, or if I should extend the base action and insert checks, or what
the best thing to do would be.  Somehow each of the actions needs to have a
name assigned to it to check against as well, and the information will be
pulled from a user bean stored in the session variable.

Thanks in advance!
-David


---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org


Re: Best place for security checks in Struts?

Posted by David Erickson <de...@cmcflex.com>.
Where can I find this diagram of the flow through struts?  I'd love to check
it out =)

----- Original Message ----- 
From: "Sandeep Takhar" <sa...@yahoo.com>
To: "Struts Users Mailing List" <st...@jakarta.apache.org>
Sent: Tuesday, July 08, 2003 9:47 AM
Subject: Re: Best place for security checks in Struts?


> There must be a diagram that shows all the calls
> before
> it actually hits execute() method.  There are quite a
> few.
>
> If you have a base action you can override one of them
>
> processRoles seems to be a logical place...
>
> sandeep


Re: Best place for security checks in Struts?

Posted by Jing Zhou <ji...@netspread.com>.
----- Original Message ----- 
From: "Sandeep Takhar" <sa...@yahoo.com>
To: "Struts Users Mailing List" <st...@jakarta.apache.org>
Sent: Tuesday, July 08, 2003 10:47 AM
Subject: Re: Best place for security checks in Struts?


> There must be a diagram that shows all the calls
> before
> it actually hits execute() method.  There are quite a
> few.
> 
> If you have a base action you can override one of them
> 
> processRoles seems to be a logical place...

Overriding the request processor is my favored place.
You could extend action mapping to have additional
security parameters, and in your extended request
processor you check if users are allowed to execute
the corresponding action when the roles are not sufficient.

> 
> sandeep
Jing
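As an added illustration of what Sandeep (override processRoles) and Jing (extend ActionMapping, check in an extended RequestProcessor) suggest, here is a Struts 1.1-style request processor that decides, before any Action runs, whether the user bean in the session may execute the mapped action. This is example code written for this thread, not code from the thread or from Struts; the class names, the `user` session attribute, the `UserBean` type and the `/login.do` path are assumptions.

```java
// Added example, not from the thread. Each class below would live in its own
// .java file; the "file:" comments mark the boundaries.

// file: UserBean.java  (assumed shape of the user bean kept in the session)
import java.util.Set;

public class UserBean {
    private final Set roles;                       // role names granted at login
    public UserBean(Set roles) { this.roles = roles; }
    public boolean hasRole(String role) { return roles.contains(role); }
}

// file: SecureActionMapping.java
// Make it the default mapping class for the module so no action can be
// declared without it:  <action-mappings type="SecureActionMapping"> ...
// then per action:      <set-property property="allowedRoles" value="ADMIN,AUDITOR"/>
import java.util.HashSet;
import java.util.Set;
import org.apache.struts.action.ActionMapping;

public class SecureActionMapping extends ActionMapping {
    private String allowedRoles = "";              // unset means nobody: deny by default

    public String getAllowedRoles() { return allowedRoles; }
    public void setAllowedRoles(String allowedRoles) { this.allowedRoles = allowedRoles; }

    /** Comma-separated value from struts-config, parsed into a set of role names. */
    public Set getAllowedRoleSet() {
        Set set = new HashSet();
        String[] parts = allowedRoles.split(",");
        for (int i = 0; i < parts.length; i++) {
            String role = parts[i].trim();
            if (role.length() > 0) set.add(role);
        }
        return set;
    }
}

// file: SecureRequestProcessor.java
// Wired in per module (one struts-config, one processor):
//   <controller processorClass="SecureRequestProcessor"/>
import java.io.IOException;
import java.util.Iterator;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

public class SecureRequestProcessor extends RequestProcessor {
    private static final String USER_KEY = "user";        // assumed session attribute

    /** Called by Struts for every request before the Action runs; false stops the request. */
    protected boolean processRoles(HttpServletRequest request,
                                   HttpServletResponse response,
                                   ActionMapping mapping)
            throws IOException, ServletException {
        // Keep the container-managed <action roles="..."> check the parent performs.
        if (!super.processRoles(request, response, mapping)) {
            return false;
        }
        // A mapping that is not ours carries no allowedRoles, so fail closed.
        if (!(mapping instanceof SecureActionMapping)) {
            servlet.log("No SecureActionMapping for " + mapping.getPath() + "; denying");
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }
        HttpSession session = request.getSession(false);  // never create a session here
        UserBean user = (session == null) ? null : (UserBean) session.getAttribute(USER_KEY);
        if (user == null) {
            // Anonymous: send to login instead of revealing what the action would do.
            response.sendRedirect(request.getContextPath() + "/login.do");  // assumed path
            return false;
        }
        Set allowed = ((SecureActionMapping) mapping).getAllowedRoleSet();
        for (Iterator it = allowed.iterator(); it.hasNext();) {
            if (user.hasRole((String) it.next())) {
                return true;                               // holds at least one required role
            }
        }
        servlet.log("Role check failed for " + mapping.getPath());  // audit trail for denials
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return false;
    }
}
```

Because processRoles() runs for every mapping in the module, no action can be left out by forgetting to extend a base class, and an action whose mapping has no allowedRoles is denied rather than silently allowed. Each struts-config (module) names its own processor, so a module that needs different rules gets its own subclass.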


Re: Best place for security checks in Struts?

Posted by Sloan Seaman <sl...@sgi.net>.
You could have a class that is an Action (say, named SecureAction) and then
have all of the actions in the struts file extend SecureAction and implement
a method called executeSecure() (not execute()!)

What then happens is your action in the Struts config (say, named ShowUser)
gets called by Struts but since it extends SecureAction, Struts calls
SecureAction's execute().  It then checks security and if it's good it calls
executeSecure() which is the method that ShowUser overwrote.

If the security doesn't pass, then SecureAction never calls executeSecure...
and there ya go.

You can then define the security on a per action basis by making your own
ActionMapping object and doing something like:
<set-property property="ROLE" value="ADMIN"/>

That is how I did it for a while and it worked great...

--
Sloan

----- Original Message ----- 
From: "Sandeep Takhar" <sa...@yahoo.com>
To: "Struts Users Mailing List" <st...@jakarta.apache.org>
Sent: Tuesday, July 08, 2003 2:44 PM
Subject: Re: Best place for security checks in Struts?


> This is the requestProcessor.
>
> Sorry for that.  I am busy doing work and then I
> answer a question...
>
> The way I think of it is that there is a
> requestProcessor for each struts-config.  (You declare
> it here).  So if you have multiple modules, you could
> theoretically have a different processor for each one.
>
> sandeep
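The SecureAction pattern Sloan describes, written out as an added example (this is not Sloan's code and not part of Struts): a base Action whose execute() performs the check and then delegates to executeSecure(), plus the mapping subclass that carries the per-action role from struts-config. The `UserBean` type, the `user` session attribute and the `login` global forward are assumptions; the bean property is named `role` because `<set-property>` maps onto a setter, so the value goes through setRole().

```java
// Added example, not Sloan's code. Each class would be its own .java file;
// the "file:" comments mark the boundaries.

// file: UserBean.java  (assumed shape of the session user bean)
import java.util.Set;

public class UserBean {
    private final Set roles;
    public UserBean(Set roles) { this.roles = roles; }
    public boolean hasRole(String role) { return roles.contains(role); }
}

// file: RoleMapping.java
// Used per action in struts-config.xml:
//   <action path="/showUser" type="ShowUserAction" className="RoleMapping">
//     <set-property property="role" value="ADMIN"/>
//   </action>
import org.apache.struts.action.ActionMapping;

public class RoleMapping extends ActionMapping {
    private String role;                      // null: no role is ever sufficient
    public String getRole() { return role; }
    public void setRole(String role) { this.role = role; }
}

// file: SecureAction.java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public abstract class SecureAction extends Action {
    private static final String USER_KEY = "user";   // assumed session attribute

    /** final: a subclass cannot override execute() and bypass the check. */
    public final ActionForward execute(ActionMapping mapping, ActionForm form,
                                       HttpServletRequest request,
                                       HttpServletResponse response) throws Exception {
        HttpSession session = request.getSession(false);
        UserBean user = (session == null) ? null : (UserBean) session.getAttribute(USER_KEY);
        if (user == null) {
            return mapping.findForward("login");      // assumed global forward
        }
        String required = (mapping instanceof RoleMapping)
                ? ((RoleMapping) mapping).getRole() : null;
        if (required == null || !user.hasRole(required)) {
            // Wrong mapping class or missing role: deny and never reach the real work.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return null;                              // null tells Struts the response is done
        }
        return executeSecure(mapping, form, request, response);
    }

    /** Subclasses put their real work here; it runs only after the check passed. */
    protected abstract ActionForward executeSecure(ActionMapping mapping, ActionForm form,
                                                   HttpServletRequest request,
                                                   HttpServletResponse response)
            throws Exception;
}

// file: ShowUserAction.java  (the per-action class from the config above)
public class ShowUserAction extends SecureAction {
    protected ActionForward executeSecure(ActionMapping mapping, ActionForm form,
                                          HttpServletRequest request,
                                          HttpServletResponse response) throws Exception {
        // Only reached for a logged-in user holding the ADMIN role.
        return mapping.findForward("success");
    }
}
```

One caveat worth keeping in mind with this pattern: only actions that extend SecureAction are covered, so a mapping whose type is a plain Action skips the check entirely. Declaring execute() final, and treating a mapping without a role as a denial rather than an allow, closes the two ways the check is most easily lost.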


Re: Best place for security checks in Struts?

Posted by Sandeep Takhar <sa...@yahoo.com>.
This is the requestProcessor.

Sorry for that.  I am busy doing work and then I
answer a question...

The way I think of it is that there is a
requestProcessor for each struts-config.  (You declare
it here).  So if you have multiple modules, you could
theoretically have a different processor for each one.

sandeep
--- David Erickson <de...@cmcflex.com> wrote:
> And which class is the processRoles method in?


Re: Best place for security checks in Struts?

Posted by David Erickson <de...@cmcflex.com>.
And which class is the processRoles method in?

----- Original Message ----- 
From: "Sandeep Takhar" <sa...@yahoo.com>
To: "Struts Users Mailing List" <st...@jakarta.apache.org>
Sent: Tuesday, July 08, 2003 9:47 AM
Subject: Re: Best place for security checks in Struts?


> There must be a diagram that shows all the calls
> before
> it actually hits execute() method.  There are quite a
> few.
> 
> If you have a base action you can override one of them
> 
> processRoles seems to be a logical place...
> 
> sandeep


Re: Best place for security checks in Struts?

Posted by Sandeep Takhar <sa...@yahoo.com>.
There must be a diagram that shows all the calls
before
it actually hits execute() method.  There are quite a
few.

If you have a base action you can override one of them

processRoles seems to be a logical place...

sandeep