Posted to user@struts.apache.org by Dan Tarkenton <ta...@yahoo.com> on 2003/05/09 16:54:26 UTC

RBAC - Role Based Access Control Model in Struts

Hello all!  I have a web app utilizing Struts right now that is working great for me.  I have to add security to my application, and after looking at some Security Design Patterns I have chosen the Role Based Access Control (RBAC) pattern.  So I wanted to see if there was already an RBAC model plug-in or code out there for Struts right now.  I quickly stumbled across Nic Hobbs' contribution available at http://husted.com/struts/resources/struts-security.htm .  There Nic gives a quick blurb about his approach and includes a link to his source.  His download consists of:

* ActionMapping.java
* ActionMappings.java
* ActionResources.java
* ActionSecurity.java
* ActionSecurityFactory.java
* ActionServlet.java
* struts-config.xml
* struts-config_1_0.dtd

If you are at all familiar with the basics of Struts you will immediately recognize these files.  So what Nic has done is actually add code to existing Struts classes, add 2 new classes, and edit the struts-config file and its associated DTD.

In the past I have simply included the Struts.jar file I downloaded from the Jakarta site in the lib directory of my war file.  So I assume if I were to use Nic's security model, I would have to download the Struts source, replace certain default Struts files with Nic's version of those files, compile, and jar the contents.  Does this approach seem correct?

Also, has anyone used Nic Hobbs' RBAC Struts Extension?  Anyone have any examples?  I can't seem to find any documentation other than what is stated in the link I mentioned above.  OR, has anyone approached RBAC in Struts in a different manner?  I'm open to anything here, and don't really want to have to reinvent the wheel.  This seems like a common enough feature that some people out there have implemented it before (aside from Hobbs).

Thanks for your feedback in advance!  I appreciate it.
-Dan

---------------------------------
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo.

RE: RBAC - Role Based Access Control Model in Struts

Posted by Dan Tarkenton <ta...@yahoo.com>.
I was thinking along the same lines as you were.  I could easily create my own security model without it being tightly coupled to the Struts framework.  I don't like the idea of editing the Struts framework... I wouldn't mind extending it (which I obviously can do myself).  I am trying to be forward thinking here and really see Hobbs' solution as practical right now, but a headache in the future.  Seeing as how Struts 1.1 will be released soon, I don't want to have to re-modify the code at that point if I choose to upgrade to 1.1.  No disrespect to Nic at all -- I found his solution to be decent.  It seemed to me that all of my user data would be stored in the "Nic version" of the struts-config.xml file if I went with his solution.  I would really like to keep that user-related data in my DB.

Thanks for your reply.  I will look into JAAS and Jakarta Realms.
-Dan
Navjot Singh <na...@net4india.net> wrote:

IMO, you should keep your security model out of the Struts purview. You may
want to read about Jakarta Realms or JAAS etc.

It's not a good idea to change the DTD or, for that matter, even the Struts code
straight away. Build on top of it if you wish, but you should not change the
base code. Whenever the new release comes, you are stuck there. Or you
download the source of the new release and do the modifications again.

regards
Navjot Singh




---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org



RE: RBAC - Role Based Access Control Model in Struts

Posted by Navjot Singh <na...@net4india.net>.
IMO, you should keep your security model out of the Struts purview. You may
want to read about Jakarta Realms or JAAS etc.

It's not a good idea to change the DTD or, for that matter, even the Struts code
straight away. Build on top of it if you wish, but you should not change the
base code. Whenever the new release comes, you are stuck there. Or you
download the source of the new release and do the modifications again.

regards
Navjot Singh




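As an added illustration of the advice in this thread (keep the role check outside the Struts source, let the container's Realm or JAAS do authentication, keep the user-to-role data in the application's own store), here is a servlet Filter that enforces RBAC in front of the Struts ActionServlet. This is example code written for this page, not Nic Hobbs' extension or anything from the Struts project; the RoleProvider interface, the URL-prefix policy and the two sample users are constructed assumptions standing in for a database lookup.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

/** RBAC as a servlet Filter: the role check runs in front of Struts instead of inside it. */
public class RbacFilter implements Filter {
    /** Hypothetical hook; the deployed implementation reads the application's own user/role tables. */
    public interface RoleProvider { Set<String> rolesFor(String username); }
    // Constructed sample policy: URL prefix -> role required. The longest matching prefix wins,
    // so /admin/audit/ demands "auditor" even though it also lies under /admin/.
    static final String[][] POLICY = { { "/admin/", "admin" }, { "/admin/audit/", "auditor" } };
    private RoleProvider roles;

    public void init(FilterConfig cfg) {
        // Constructed in-memory provider standing in for the database lookup.
        final Map<String, Set<String>> table = new HashMap<String, Set<String>>();
        table.put("alice", new HashSet<String>(Arrays.asList("admin", "auditor")));
        table.put("bob", new HashSet<String>(Arrays.asList("admin")));
        roles = new RoleProvider() {
            public Set<String> rolesFor(String u) {
                Set<String> r = table.get(u);
                return r == null ? Collections.<String>emptySet() : r;
            }
        };
    }

    /** Role required for a servlet path, or null when the path is unrestricted. */
    static String requiredRole(String path) {
        String best = null, bestPrefix = "";
        for (String[] rule : POLICY)
            if (path.startsWith(rule[0]) && rule[0].length() > bestPrefix.length()) {
                bestPrefix = rule[0]; best = rule[1];
            }
        return best;
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String needed = requiredRole(req.getServletPath());
        if (needed != null) {
            String user = req.getRemoteUser(); // populated by container authentication (Realm/JAAS)
            if (user == null) { res.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
            if (!roles.rolesFor(user).contains(needed)) { res.sendError(HttpServletResponse.SC_FORBIDDEN); return; }
        }
        chain.doFilter(rq, rs); // authorized or unrestricted: hand off to the Struts ActionServlet
    }

    public void destroy() {}
}
```

Map the filter to /* in web.xml ahead of the ActionServlet mapping; with the constructed data, bob reaches /admin/users.do but is refused /admin/audit/log.do, while alice reaches both. Because nothing here touches Struts classes or its DTD, upgrading to a new Struts release leaves the filter untouched.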