Posted to user@struts.apache.org by Flemming Seerup <fl...@fsconsult.dk> on 2007/05/01 18:14:25 UTC

[S2] populating user roles

I would like to populate the user roles from a database during login, but have
not found any examples how to do so in Struts2.

I have found an example how to use RolesInterceptor to secure access to specific
actions, but no hints on how to populate the roles.

/Flemming


----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: [S2] populating user roles

Posted by Josh Vickery <jo...@vickeryj.com>.
The easiest way I've found to do this is to write a ServletFilter that
wraps the HttpServletRequest with a class that implements the
isUserInRole method based on your database roles from an object you
populated and placed in the Session.

Josh

On 5/1/07, Flemming Seerup <fl...@fsconsult.dk> wrote:
> I would like to populate the user roles from a database during login, but have
> not found any examples how to do so in Struts2.
>
> I have found an example how to use RolesInterceptor to secure access to specific
> actions, but no hints on how to populate the roles.
>
> /Flemming


Re: [S2] populating user roles

Posted by Alexis Pigeon <pi...@gmail.com>.
Hi Flemming,

On 02/05/07, Flemming Seerup <fl...@fsconsult.dk> wrote:
> Am I missing something?   I have a working version of an AuthInterceptor, but
> still no examples on how to control isUserInRole().
>
> On manning.com I found a lightbody_src.zip from WW in action, but it doesn't
> handle roles.
> Could anybody tell me the location of Mark Menard's blog?

His blog :
< http://www.vitarara.org/cms/ >

And the post you are likely to look for :
< http://www.vitarara.org/cms/struts_2_cookbook/creating_a_login_interceptor >

HTH,
alexis



Re: [S2] populating user roles

Posted by Josh Vickery <jo...@vickeryj.com>.
That is probably a good idea, I actually extended the existing one to
find required roles from an Annotation rather than the struts.xml
because I am trying to use "Zero Config."  I also found a problem with
my solution, which is that the Servlet Filter does not seem to get
fired before JSPs are rendered, and as such, my JAAS wrapper for the
ServletRequest is not used.

Here is my extended RolesInterceptor:

import javax.servlet.http.HttpServletResponse;

import org.apache.struts2.interceptor.RolesInterceptor;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;

public class AnnotatedRolesInterceptor extends RolesInterceptor {

    /**
     * If the invoked action has a RequiredRoles annotation, this
     * interceptor will verify that the JAAS user has those listed roles.
     * RequiredRoles is my custom annotation; its value() is the
     * comma-separated role list that RolesInterceptor.setAllowedRoles expects.
     */
    @Override
    public String intercept(ActionInvocation invocation) throws Exception {

        // Check the required roles
        RequiredRoles requiredRoles =
            invocation.getAction().getClass().getAnnotation(RequiredRoles.class);
        if (requiredRoles != null) {
            // Caveat: one interceptor instance serves all requests, so setting
            // the allowed roles here is not thread-safe; two concurrent requests
            // for differently annotated actions can see each other's list.
            // Overriding isAllowed(HttpServletRequest, Object) avoids the shared state.
            setAllowedRoles(requiredRoles.value());
            return super.intercept(invocation);
        }
        else {
            return invocation.invoke();
        }
    }

    @Override
    protected String handleRejection(ActionInvocation invocation,
            HttpServletResponse response) throws Exception {
        return Action.LOGIN;
    }
}

If you want to bypass the JAAS call, you can override
isAllowed(HttpServletRequest,Object) and provide your own check there.

On a tangent, in order to get this Interceptor to apply to all of my
actions (the presence of my custom @RequiredRoles Annotation
determines whether it will actually restrict access) I had to add the
following to struts.xml:
<struts>
    <package name="default" extends="struts-default">

        <interceptors>
            <interceptor name="annotatedRolesInterceptor"
                class="palaistra.hermes.web.interceptors.AnnotatedRolesInterceptor"/>
            <interceptor-stack name="roleCheckingDefaultStack">
                <interceptor-ref name="annotatedRolesInterceptor"/>
                <interceptor-ref name="defaultStack"/>
            </interceptor-stack>
        </interceptors>

        <default-interceptor-ref name="roleCheckingDefaultStack"/>

    </package>
</struts>

and then use the @ParentPackage("default") Annotation in all of my Actions.

On 5/4/07, Flemming Seerup <fl...@fsconsult.dk> wrote:
> Thanks, that what was I was looking for.  I will   take a look at your
> example,
> but I'm also considering just writing my own RolesInterceptor ...
>
> F
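An added example, not Josh's code and not part of Struts, of the isAllowed override he mentions: the decision is made from the user object stored in the HTTP session rather than from JAAS, and the per-action role list is never written into the shared interceptor instance. The shapes of RequiredRoles and UserSession and the session attribute name are assumptions.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.struts2.interceptor.RolesInterceptor;

/** Assumed shape of the custom annotation: a comma-separated role list. */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
@interface RequiredRoles {
    String value();
}

/** Minimal view of the UserSession object stored at login (assumed). */
interface UserSession {
    boolean hasRole(String role);
}

/**
 * Decides from the UserSession in the HTTP session rather than from
 * request.isUserInRole(), so neither JAAS nor a request-wrapping filter is
 * needed, and the outcome does not depend on whether such a filter ran
 * (Josh's JSP problem). The required roles are read from the action's
 * annotation on every call and never stored on this shared instance, so
 * concurrent requests cannot observe each other's role list.
 * RolesInterceptor.intercept() still calls handleRejection() when this
 * returns false.
 */
public class SessionRolesInterceptor extends RolesInterceptor {

    /** Session attribute name, assumed (the thread calls it Constants.USER_SESSION). */
    static final String USER_SESSION_KEY = "USER_SESSION";

    @Override
    protected boolean isAllowed(HttpServletRequest request, Object action) {
        RequiredRoles required = action.getClass().getAnnotation(RequiredRoles.class);
        if (required == null) {
            return true;            // unannotated action: unrestricted, as in Josh's version
        }
        // getSession(false): never create a session just to check roles
        HttpSession session = request.getSession(false);
        UserSession user = (session == null) ? null
                : (UserSession) session.getAttribute(USER_SESSION_KEY);
        if (user == null) {
            return false;           // not logged in: fail closed
        }
        // Same semantics as RolesInterceptor's allowedRoles: any listed role
        // grants access. An empty or blank list grants nothing.
        for (String role : required.value().split(",")) {
            role = role.trim();
            if (role.length() > 0 && user.hasRole(role)) {
                return true;
            }
        }
        return false;
    }
}
```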


Re: [S2] populating user roles

Posted by Flemming Seerup <fl...@fsconsult.dk>.
Thanks, that's what I was looking for.  I will take a look at your
example, but I'm also considering just writing my own RolesInterceptor ...

F




Re: [S2] populating user roles

Posted by Josh Vickery <jo...@vickeryj.com>.
Flemming, if you are not using JAAS, and don't want to interact with
it, you can fake it by wrapping the HttpServletRequest in a servlet
filter.  This is the method used by SecurityFilter
(http://securityfilter.sourceforge.net/) and is very easy to
implement.

Here are some code snippets:
A filter, applied to /* in web.xml

public void doFilter(ServletRequest request, ServletResponse response,
        FilterChain chain) throws IOException, ServletException {
    HttpServletRequest httpRequest = (HttpServletRequest) request;
    // getSession(false): do not create a session for anonymous requests
    HttpSession session = httpRequest.getSession(false);
    UserSession userSession = (session == null) ? null
            : (UserSession) session.getAttribute(Constants.USER_SESSION);
    request = new JaasRequestWrapper(httpRequest, userSession);
    chain.doFilter(request, response);
}

and then JaasRequestWrapper.java:

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class JaasRequestWrapper extends HttpServletRequestWrapper {

    private UserSession userSession;

    public JaasRequestWrapper(HttpServletRequest request, UserSession userSession)
    {
        super(request);
        this.userSession = userSession;
    }

    // A request with no logged-in UserSession is in no role at all
    @Override
    public boolean isUserInRole(String role) {
        return userSession != null && userSession.hasRole(role);
    }
}

Where UserSession, is something that you store in the session at user
login containing a list of roles to check against.


On 5/2/07, Flemming Seerup <fl...@fsconsult.dk> wrote:
> Am I missing something?   I have a working version of an AuthInterceptor, but
> still no examples on how to control isUserInRole().
>
> On manning.com I found a lightbody_src.zip from WW in action, but it doesn't
> handle roles.
> Could anybody tell me the location of Mark Menard's blog?
>
> /Flemming

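An added example, not from the thread, of the UserSession object that Josh's wrapper delegates to, together with the role population from the database at login that the original question asks about. The table user_roles(username, role), the attribute name and the method name establish() are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Snapshot of a user's roles taken once at login. The set is immutable so
 * that nothing downstream (actions, JSPs, the request wrapper) can widen it.
 */
public final class UserSession {

    /** Session attribute name, assumed (the thread calls it Constants.USER_SESSION). */
    public static final String KEY = "USER_SESSION";

    private final String username;
    private final Set<String> roles;

    public UserSession(String username, Set<String> roles) {
        this.username = username;
        this.roles = Collections.unmodifiableSet(new HashSet<String>(roles));
    }

    public String getUsername() {
        return username;
    }

    /** What JaasRequestWrapper.isUserInRole delegates to. */
    public boolean hasRole(String role) {
        return role != null && roles.contains(role);
    }

    /**
     * To be called by the login action only after the credentials have been
     * verified. Loads the roles with a parameterised query (assumed table
     * user_roles(username, role)), rotates the session id so an id handed out
     * before authentication cannot carry the new privileges, and stores the
     * snapshot under KEY. Roles revoked in the database later take effect only
     * at the user's next login; that is the cost of caching them in session.
     */
    public static UserSession establish(Connection db, String username,
                                        HttpServletRequest request) throws SQLException {
        Set<String> roles = new HashSet<String>();
        PreparedStatement ps = db.prepareStatement(
                "SELECT role FROM user_roles WHERE username = ?");
        try {
            ps.setString(1, username);
            ResultSet rs = ps.executeQuery();
            while (rs.next()) {
                roles.add(rs.getString(1));
            }
        } finally {
            ps.close();
        }

        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        UserSession userSession = new UserSession(username, roles);
        request.getSession(true).setAttribute(KEY, userSession);
        return userSession;
    }
}
```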


Re: [S2] populating user roles

Posted by Nuwan Chandrasoma <my...@gmail.com>.
I think you're talking about this great tutorial, right?

Creating a Login Interceptor in Struts 2
http://www.vitarara.org/cms/struts_2_cookbook/creating_a_login_interceptor

Thanks again Mark..

Thanks,

Nuwan

----- Original Message ----- 
From: "Flemming Seerup" <fl...@fsconsult.dk>
To: <us...@struts.apache.org>
Sent: Wednesday, May 02, 2007 8:59 AM
Subject: Re: [S2] populating user roles


> Am I missing something?   I have a working version of an AuthInterceptor, 
> but
> still no examples on how to control isUserInRole().
>
> On manning.com I found a lightbody_src.zip from WW in action, but it 
> doesn't
> handle roles.
> Could anybody tell me the location of Mark Menard's blog?
>
> /Flemming


Re: [S2] populating user roles

Posted by Zoran Avtarovski <zo...@sparecreative.com>.
> Am I missing something?   I have a working version of an AuthInterceptor, but
> still no examples on how to control isUserInRole().

To control the isUserInRole() you will have to look at your Servlet
container and customise the AuthInterceptor to interact with your
container's implementation of JAAS.

The obvious question is why don't you use JAAS to populate the roles on
login? The reason we don't is that we have a complex authorisation hierarchy
that was just too complex for JAAS alone. It sounds like you don't need that
level of complexity. I'd go for just straight JAAS. Have a look at the free
JAAS in Action book (http://www.jaasbook.com/); I found it really useful.

Z.





Re: [S2] populating user roles

Posted by Flemming Seerup <fl...@fsconsult.dk>.
Am I missing something?   I have a working version of an AuthInterceptor, but
still no examples on how to control isUserInRole().

On manning.com I found a lightbody_src.zip from WW in action, but it doesn't
handle roles.
Could anybody tell me the location of Mark Menard's blog?

/Flemming


Quoting Laurie Harper <la...@holoweb.net>:
> Those are good pointers. The key is that it all depends on how you 
> are handling authentication and authorization, since there are so 
> many possible approaches.
>
> For example, if you use container managed security, setting up the 
> roles is a matter of configuring your container appropriately. If 
> you're using a non-'standards based' authentication mechanism 
> (filters, S2 interceptors, or other custom functionality), you'll 
> need to manage roles yourself. Zoran's pointers should get you on 
> your way in that case.
>
> L.


Re: [S2] populating user roles

Posted by Laurie Harper <la...@holoweb.net>.
Those are good pointers. The key is that it all depends on how you are 
handling authentication and authorization, since there are so many 
possible approaches.

For example, if you use container managed security, setting up the roles 
is a matter of configuring your container appropriately. If you're using 
a non-'standards based' authentication mechanism (filters, S2 
interceptors, or other custom functionality), you'll need to manage 
roles yourself. Zoran's pointers should get you on your way in that case.

L.

Zoran Avtarovski wrote:
> To achieve this we wrote a custom AuthInterceptor which we added to the
> default stack, which adds some core authorisation functionality - add user
> object (with roles) to the session, add a custom user menu (based on roles)
> to the session and checks authorisation for the action.
> 
> It's pretty straightforward with Interceptors. Mark Menard has an example
> on his blog which is a good starting point and WW in Action also has a good
> example, just download the source code from the manning site and look for
> the sample AuthInterceptor code.
> 
> Z.


Re: [S2] populating user roles

Posted by Zoran Avtarovski <zo...@sparecreative.com>.
To achieve this we wrote a custom AuthInterceptor which we added to the
default stack, which adds some core authorisation functionality - add user
object (with roles) to the session, add a custom user menu (based on roles)
to the session and checks authorisation for the action.

It's pretty straightforward with Interceptors. Mark Menard has an example
on his blog which is a good starting point and WW in Action also has a good
example, just download the source code from the manning site and look for
the sample AuthInterceptor code.

Z.

> I would like to populate the user roles from a database during login, but have
> not found any examples how to do so in Struts2.
> 
> I have found an example how to use RolesInterceptor to secure access to
> specific
> actions, but no hints on how to populate the roles.
> 
> /Flemming