Posted to user@struts.apache.org by Adam Lipscombe <ad...@expensys.com> on 2004/06/17 15:02:13 UTC
Specifying JAAS permission on a per-action basis
Folks,
I am using JAAS with the Tagish libraries to authenticate users via a JDBC
lookup. This works.
What I need to do now is to specify permissions on an action-by-action
basis, but I am unclear about how this is achieved...
Dan Moore's excellent tutorial at http://www.mooreds.com/jaas.html shows an
example of setting permissions via a policy configuration file ("Example 8.
Sample JAAS policy file").
I have also read that it's possible to specify permission via a "roles"
attribute on the action mapping definition in the struts-config.xml file.
Does anyone know if these approaches to permission setting are complementary
or mutually exclusive?
Does anyone know which is the best?
I would prefer to set the perms in struts-config if possible, if only to
keep all the config in the same file. An example of setting perms this way
would be great.
TIA - Adam
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
RE: Specifying JAAS permission on a per-action basis
Posted by Eric Dahnke <ed...@nyc.yamaha.com>.
> -----Original Message-----
> From: Adam Lipscombe [mailto:adam.lipscombe@expensys.com]
> Sent: Thursday, June 17, 2004 11:02 AM
> To: 'Struts Users Mailing List'
> Subject: RE: Specifying JAAS permission on a per-action basis
>
> Many thanks Eric - it's easy when you know how :-)
>
>
> I am interested to know why you chose this approach over the tagish /
> http://www.mooreds.com/jaas.html solution? Did you hit problems?
>
I found the struts-config roles/controller a cleaner solution not requiring
all the configuration in the JAVA_HOME\jre\lib\security\*. And you also
have to keep a separate list of resources to protect a la:
    grant Principal com.tagish.auth.TypedPrincipal "user" {
        permission com.xor.auth.perm.URLPermission \
            "/struts-example/editRegistration.do";
        ...
        ...
        ...
    };
The above isn't bad, but we didn't need that much horsepower, nor do we do
authentication based on jaas, just the authorization part. I hate container
managed (user/jdbc realm based) authentication. IMO that should be used as a
replacement for Apache style htaccess authentication (which is what it is
intended for I believe) and develop application level authentication within
your own code / db.
>
> TIA - Adam
RE: Specifying JAAS permission on a per-action basis
Posted by Adam Lipscombe <ad...@expensys.com>.
Many thanks Eric - it's easy when you know how :-)
I am interested to know why you chose this approach over the tagish /
http://www.mooreds.com/jaas.html solution? Did you hit problems?
TIA - Adam
RE: Specifying JAAS permission on a per-action basis
Posted by Eric Dahnke <ed...@nyc.yamaha.com>.
I just did this, and found it extremely simple. I eventually went away from
the tagish / http://www.mooreds.com/jaas.html solution.
Three steps is all it takes:
-1- add this to your struts-config
    <controller
        processorClass="com.ourcompany.portal.site.struts.action.CustomRequestProcessor"/>
-2- Code
    import java.io.IOException;

    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;

    import org.apache.struts.action.ActionMapping;
    import org.apache.struts.tiles.TilesRequestProcessor;

    // The Struts Tiles plugin implements its own RequestProcessor, so if you want
    // to use your RequestProcessor alongside the Tiles' RequestProcessor, make
    // sure your processor extends TilesRequestProcessor instead of RequestProcessor.
    // User is the application's own class (not shown), read from the "user"
    // session attribute.
    public class CustomRequestProcessor extends TilesRequestProcessor {

        protected boolean processRoles(HttpServletRequest request,
                                       HttpServletResponse response,
                                       ActionMapping mapping)
                throws IOException, ServletException {

            // Is this action protected by role requirements?
            String roles[] = mapping.getRoleNames();
            if ((roles == null) || (roles.length < 1)) {
                return (true);
            }

            // Check the current user against the list of required roles
            HttpSession session = request.getSession();
            User user = (User) session.getAttribute("user");

            if (user == null) {
                response.sendRedirect("noSessionAvailable.do");
                return false;
            }

            for (int i = 0; i < roles.length; i++) {
                if (user.hasRole(roles[i])) {
                    return (true);
                }
            }

            response.sendRedirect("errorNotAuthorized.do");
            return (false);
        }

    }
-3- add roles attributes to your action elements in struts-config
    <action path="/billingInformationEdit"
            type="org.apache.struts.actions.ForwardAction"
            parameter="/pages/billingInformationEdit.jsp"
            roles="registeredUser">
        <set-property property="secure" value="true"/>
    </action>
HTH - Eric
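Added example, not part of Eric's post or of Struts itself: the processRoles() above returns true for any mapping that carries no roles, so every action without a roles attribute is reachable by any caller. This audit lists those actions in a struts-config.xml; the class name and the sample config are constructed for illustration (only /billingInformationEdit comes from the thread).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class UnprotectedActionAudit {
    // Constructed sample config; /accountDelete and /login are hypothetical paths.
    static final String SAMPLE =
        "<struts-config><action-mappings>"
      + "<action path='/billingInformationEdit' roles='registeredUser'"
      + " type='org.apache.struts.actions.ForwardAction'/>"
      + "<action path='/accountDelete' type='org.apache.struts.actions.ForwardAction'/>"
      + "<action path='/login' roles='' type='org.apache.struts.actions.ForwardAction'/>"
      + "</action-mappings></struts-config>";

    // Paths of actions with an absent or blank roles attribute, i.e. the ones
    // the role check in this thread lets through without looking at the user.
    static List<String> unprotectedActions(byte[] strutsConfig) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Do not fetch the Struts DTD or resolve external entities while auditing.
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(strutsConfig));
        List<String> open = new ArrayList<>();
        NodeList actions = doc.getElementsByTagName("action");
        for (int i = 0; i < actions.getLength(); i++) {
            Element action = (Element) actions.item(i);
            if (action.getAttribute("roles").trim().isEmpty()) { // "" when absent
                open.add(action.getAttribute("path"));
            }
        }
        return open;
    }

    public static void main(String[] args) throws Exception {
        // Pass a struts-config.xml path, or run with no arguments for the sample.
        byte[] config = args.length > 0
            ? Files.readAllBytes(Paths.get(args[0]))
            : SAMPLE.getBytes(StandardCharsets.UTF_8);
        for (String path : unprotectedActions(config)) {
            System.out.println("no roles required: " + path);
        }
    }
}
```

On the sample it reports /accountDelete and /login; each reported path is either intentionally public or needs a roles attribute.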
RE: Specifying JAAS permission on a per-action basis
Posted by David Friedman <hu...@ix.netcom.com>.
Pow2ACL http://pow2acl.sourceforge.net/index.html
might fit your JAAS high-end needs. It also integrates
with Struts.
Regards,
David