Posted to user@struts.apache.org by Patrick Scheuerer <ta...@hispeed.ch> on 2003/12/29 00:37:05 UTC

Design question regarding struts security features

Hello everybody,

I'm in the process of developing my first Struts application, so forgive 
me if this question is insulting everybody's intellect.

The application I'm working on is a support portal where you can 
download technical documents, drivers etc. The tricky part is that 
certain documents should be only accessible to users with a certain role.

My idea so far is to put a user object in the session and to evaluate 
the role (and therefore the access level) of the user for all views that 
are displaying data which might be restricted.
I guess the easiest way would be using a JSP tag like 
<security:checkAccessLevel /> which would retrieve the user object from 
the session (if it exists) and then filter the data accordingly. Is 
there such a "security taglib" around?

Has anybody worked on a similar scenario? What is the best approach to 
solve this problem? Is there a best practice for it? Any tips, hints, 
code snippets are welcome.

Thank you very much.

Patrick


---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org


RE: Design question regarding struts security features

Posted by Robert Taylor <rt...@mulework.com>.
You should be able to do this with standard J2EE security provided
by your web container.

If you store your user credentials in a database, then you may want
to look at SecurityFilter:

http://sourceforge.net/projects/securityfilter/

It allows you to leverage standard J2EE security features but provides
more flexible authentication. 

robert



Re: Design question regarding struts security features

Posted by Patrick Scheuerer <ta...@hispeed.ch>.
Mohan Radhakrishnan wrote:

> I think you can also use the role attribute in struts-config.xml and
> restrict access to actions. Tiles has a role attribute too, though we are
> not using that.

I came across the role tag of tiles as well, but I guess it's suitable 
only if you want to restrict some area of the user interface (let's say 
a special panel for administrators).
Where can I find more information about the role attribute in 
struts-config.xml? I couldn't find anything in the Struts User's Guide...

Thanks, Patrick




RE: Design question regarding struts security features

Posted by Mohan Radhakrishnan <mr...@cellexchange.com>.
Hi,
   Are you only filtering data based on role?

   If you are talking about role-based access of views then we are doing
something like that.

   1. You can use Container Manager Authentication and restrict access to
URL patterns to only valid users.
   2. You can use the vendor-specific XML file to specify roles and groups
(e.g. principals.xml in OC4J).
   3. You can use a vendor-specific API like the 'DataSourceUserManager' in
OC4J to write custom code that can access your tables and do away with
the hard-coded principals.xml.

   I think you can also use the role attribute in struts-config.xml and
restrict access to actions. Tiles has a role attribute too, though we are not
using that.

Mohan
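
Added example, not part of the original thread: a sketch of how the container-managed URL restriction and the struts-config.xml roles attribute mentioned above fit together for a role-restricted download area. The role names, URL pattern, page paths and the action class are assumptions made up for illustration.

```xml
<!-- WEB-INF/web.xml (fragment): container-managed authentication.
     Every request under /restricted/ needs an authenticated user in
     one of the listed roles; with no <http-method> element the
     constraint covers all HTTP methods. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restricted downloads</web-resource-name>
    <url-pattern>/restricted/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>partner</role-name>
    <role-name>administrator</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>partner</role-name>
</security-role>
<security-role>
  <role-name>administrator</role-name>
</security-role>

<!-- WEB-INF/struts-config.xml (fragment): the roles attribute on an
     action mapping is a comma-delimited list of role names. The Struts
     RequestProcessor tests each one with request.isUserInRole() and
     only invokes the action if one matches.
     com.example.support.DownloadDocumentAction is a hypothetical class. -->
<action-mappings>
  <action path="/restricted/downloadDocument"
          type="com.example.support.DownloadDocumentAction"
          roles="partner,administrator">
    <forward name="success" path="/restricted/document.jsp"/>
  </action>
</action-mappings>
```

The web.xml constraint covers files served directly from the restricted path, and the roles attribute covers the action that delivers a document, so the check is enforced on the server for each request rather than only by hiding links in a view.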
