Posted to user@struts.apache.org by Tim Clotworthy <tc...@bka-inc.com> on 2003/05/14 23:56:18 UTC

RE: Guidance on JAAS and Struts

Here is where my comprehension of the relationship between struts and
JAAS has a disconnect:

JAAS/Java Security has the notion of a Principal, which can be
implemented and tied to Subject. This Principal could be implemented in
a flexible way, including as a role (e.g. AdminPrincipal,
DirectorPrincipal, UserPrincipal, etc.)

Struts allows users to be tied to roles through action mappings, and the
RequestProcessor.processRoles() method allows any user tied to a role
(as recognized by the container via request.isUserInRole()) to be
compared against roles tied to actions (via mapping.getRoleNames()).

Here is my $64,000 question: Is there any intrinsic connection between a
JAAS role (as implicitly definable via Principals) and a role as
recognized by Struts (via action mappings and the underlying container)?


If so, how are they related? 

If not, how does one endeavoring to use JAAS with Struts meld the two
notions of roles together?

Exasperatedly yours...
 

> -----Original Message-----
> From: Mick.Knutson@ubsw.com [mailto:Mick.Knutson@ubsw.com]
> Sent: Tuesday, April 22, 2003 2:42 AM
> To: struts-user@jakarta.apache.org; tclotworthy@bka-inc.com
> Subject: RE: Guidance on JAAS and Struts
> 
> If you use JAAS container managed security, then JAAS has nothing to do
> with Struts directly. The container will manage the security. Struts will
> allow you to put Role restrictions on the users that can call certain
> actions. I use just declarative security in the web.xml, and then I have
> just begun to tighten the noose by using role restrictions on the actions.
> But I have been in the R&D phase, so the role was not as important to me
> until now.
> 
> -----Original Message-----
> From: Tim Clotworthy [mailto:tclotworthy@bka-inc.com]
> Sent: Friday, April 18, 2003 6:17 PM
> To: Struts Users Mailing List
> Subject: Guidance on JAAS and Struts
> 
> 
> Hello,
> Jakarta indicates that Struts 1.1 will provide "direct support" for JAAS,
> but (best as I can tell), provides no specific guidance on how best to
> use JAAS and Struts.
> 
> Specifically, I am looking for good guidance on Struts and JAAS
> authorization (the second "A" in JAAS), as the authentication part (the
> first "A" in JAAS) with Struts is straight-forward enough.
> 
> The only info I have found regarding Struts and JAAS is this relatively
> old article: http://www.mooreds.com/jaas.html from Dan Moore. The
> authentication section is fine, but I was wondering whether anyone has
> alternative ideas for the authorization part to Dan's suggestion of
> extending the Action Servlet and overriding the process method (which is
> perhaps not ideal from a maintenance perspective).
> 
> 
> Thanks so much in advance!
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: struts-user-help@jakarta.apache.org






Re: Guidance on JAAS and Struts

Posted by Adam Hardy <ah...@cyberspaceroad.com>.
Craig R. McClanahan wrote:
>> I ploughed through the
>> security docs at weblogic and couldn't really get to the heart of what
>> it can do with jaas.
>>
> 
> 
> Rather than asking "what can I do with JAAS", shouldn't the question
> really be "what can I do to programmatically link to the user
> authentication and authorization scheme provided by your container"?  You
> can't necessarily assume that any given container uses JAAS to accomplish
> this linkage.

Yes, sorry. My mail was poorly worded. BEA weblogic uses JAAS at least 
from v7 on, but their documentation is obtuse for the uninitiated. I 
read a large amount of material from BEA and Java without really being 
able to get to grips with it, until I got to the Sun JAAS 
authentication tutorial 
http://java.sun.com/j2se/1.4.1/docs/guide/security/jaas/tutorials/GeneralAcnOnly.html 
which helped me make sense of it all.

I also realise my ambitions are probably too idealistic at the moment, 
and also that I've gone off-topic. Thanks for your input though. I have 
also seen several very helpful threads over on the tomcat list archives.

I see the date stamps on some of the tomcat classes are back in 2001, so 
it's been around a while (and the tutorial too) without appearing to 
have changed. I've seen some fairly heavy criticism of JAAS too - is 
JAAS in for a major overhaul?




Re: Guidance on JAAS and Struts

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Fri, 16 May 2003, Adam Hardy wrote:

> Date: Fri, 16 May 2003 10:10:52 +0200
> From: Adam Hardy <ah...@cyberspaceroad.com>
> Reply-To: Struts Users Mailing List <st...@jakarta.apache.org>
> To: Struts Users Mailing List <st...@jakarta.apache.org>
> Subject: Re: Guidance on JAAS and Struts
>
> Craig R. McClanahan wrote:
> > There is an experimental interface to JAAS
> > (org.apache.catalina.realm.JAASRealm) in Tomcat -- I'm not sure it has
> > ever been formally tested or documented, though, so you might have to go
> > into the Tomcat sources and see how it works.  You might also be able to
> > get some help on TOMCAT-USER, but I'd bet not many people have played with
> > it.
> >
>
> Is this pretty much the same level of advancement that other appserver
> software like weblogic and websphere provide?

You'll have to inquire on the support mailing lists for each container
that you care about.

>  I ploughed through the
> security docs at weblogic and couldn't really get to the heart of what
> it can do with jaas.
>

Rather than asking "what can I do with JAAS", shouldn't the question
really be "what can I do to programmatically link to the user
authentication and authorization scheme provided by your container"?  You
can't necessarily assume that any given container uses JAAS to accomplish
this linkage.

> Am I right in thinking though, that I can write an authentication class
> or set of classes for JAAS, to access user info in a database via jdbc
> for instance, and then I should theoretically be platform independent?
>

That's the idealistic theory -- in practice, that would assume:

* Every container you care about supports JAAS back-ends for this plugin

* Every container you care about interacts with the JAAS plugin
  programmatically exactly the same way.

My bet is that the latter is not universally true, even if the former
were.  Note that there is a current JSR (196) aimed at defining portable
standards in this area; but we're not there yet.

> One of my aims is to provide software where the customer can choose the
> appserver, without requiring me to maintain different versions. At the
> moment I've got a rudimentary built-in login system, but I don't have
> roles. I'd prefer to use container-based features than develop my login
> system further.
>

Managing the login screens themselves is portable -- just use form based
authentication and roles.  The non-portable part is how to set up a new
user, how to administer roles, and so on.  There are two basic flavors of
choice with current-day container technology:

* Tell your customers to set up users using the admin tools
  provided by the particular container they choose -- and
  provide pointers to the docs for the popular ones.

* Design an administrative portion of your own app (the part
  that sets up users and so on) with a "user database"
  abstraction for which you write a container-specific
  plugin for each container.

> Thanks for your opinion.

Craig



Re: Guidance on JAAS and Struts

Posted by Adam Hardy <ah...@cyberspaceroad.com>.
Craig R. McClanahan wrote:
> There is an experimental interface to JAAS
> (org.apache.catalina.realm.JAASRealm) in Tomcat -- I'm not sure it has
> ever been formally tested or documented, though, so you might have to go
> into the Tomcat sources and see how it works.  You might also be able to
> get some help on TOMCAT-USER, but I'd bet not many people have played with
> it.
> 

Is this pretty much the same level of advancement that other appserver 
software like weblogic and websphere provide?  I ploughed through the 
security docs at weblogic and couldn't really get to the heart of what 
it can do with jaas.

Am I right in thinking though, that I can write an authentication class 
or set of classes for JAAS, to access user info in a database via jdbc 
for instance, and then I should theoretically be platform independent?

One of my aims is to provide software where the customer can choose the 
appserver, without requiring me to maintain different versions. At the 
moment I've got a rudimentary built-in login system, but I don't have 
roles. I'd prefer to use container-based features than develop my login 
system further.

Thanks for your opinion.




Re: Guidance on Validation in Struts

Posted by Leon <le...@hotmail.com>.
Thanks



Re: Guidance on Validation in Struts

Posted by Sergey Smirnov <si...@exadel.com>.
If staticJavascript="true", the script contains the JavaScript functions included
in the validator section of the Struts validation files.
If dynamicJavascript="true", the script contains the JavaScript functions created
based on the formsets you describe.

Both attributes equal true by default. It means that everything will be
included at once. If you have a simple page with one form, it is enough.

Using staticJavascript and dynamicJavascript might be useful, for example,
if you have several forms on your page, or you have a tiles structure. In
this way, you can turn off staticJavascript to avoid duplicates.

Regards,
Sergey Smirnov
http://www.exadel.com/strutsStudio



Re: Guidance on Validation in Struts

Posted by Leon <le...@hotmail.com>.
Hi Sergey,

It works after removing dynamicJavascript="true" staticJavascript="false".
Thank you.
Actually, could you write some words on the use of these two attributes?

Leon



Re: Guidance on Validation in Struts

Posted by Sergey Smirnov <si...@exadel.com>.
Leon,

It looks like you use <html:javascript formName="RegistryForm"
staticJavascript="false"/> in the head section of your page. The standard
validators have not been included at all.

Regards,
Sergey Smirnov
http://www.exadel.com/strutsStudio
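
The failure diagnosed in this reply, and the staticJavascript/dynamicJavascript split described elsewhere in the thread, as an added example that is not part of the thread or of Struts. It checks page source for validate*() calls that have no definition and shows what the onsubmit handler then does. PAGE_DYNAMIC_ONLY, STATIC_STANDINS, missingValidators and runOnSubmit are hypothetical names; the page text is a constructed, trimmed copy of the posted source, and the stand-ins are not the functions from validator-rules.xml.

```javascript
// Constructed sample: the per-form (dynamic) script is present, the static
// validator functions are not, as on the page posted in the thread.
const PAGE_DYNAMIC_ONLY = `
<form name="registryForm" method="post" onsubmit="return validateRegistryForm(this);">
  <input type="text" name="firstName" value="">
  <input type="text" name="lastName" value="">
</form>
<script type="text/javascript">
  var bCancel = false;
  function validateRegistryForm(form) {
    if (bCancel) return true;
    else return validateRequired(form) && validateEmail(form) &&
                validateMaxLength(form) && validateMinLength(form);
  }
  function required () {
    this.aa = new Array("firstName", "First Name is required.");
    this.ab = new Array("lastName", "Last Name is required.");
  }
</script>`;

// Constructed stand-ins for the static section. Only validateRequired is
// modelled (no alert(), no focus handling); the others always pass.
const STATIC_STANDINS = `
<script type="text/javascript">
  function validateRequired(form) {
    var rules = new required(), ok = true;
    for (var key in rules) {
      var field = form[rules[key][0]];
      if (!field || String(field.value).trim() === "") ok = false;
    }
    return ok;
  }
  function validateEmail(form) { return true; }
  function validateMaxLength(form) { return true; }
  function validateMinLength(form) { return true; }
</script>`;

// Concatenate the bodies of all inline <script> elements.
function extractScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  return Array.from(html.matchAll(re), (m) => m[1]).join("\n");
}

// Names of validate*() functions that are called anywhere in the page
// (script bodies or inline handlers such as onsubmit) but never defined.
function missingValidators(html) {
  const js = extractScripts(html);
  const defined = new Set(
    Array.from(js.matchAll(/\bfunction\s+([A-Za-z_$][\w$]*)\s*\(/g), (m) => m[1])
  );
  const called = new Set(
    Array.from(html.matchAll(/\b(validate[A-Z]\w*)\s*\(/g), (m) => m[1])
  );
  return [...called].filter((name) => !defined.has(name)).sort();
}

// Evaluate the page's scripts and call the entry point the way the inline
// onsubmit handler would. Only ever run on the constructed samples above.
// If the handler throws, it never returns false, so the browser submits.
function runOnSubmit(html, entryPoint, form) {
  const body = extractScripts(html) + "\nreturn " + entryPoint + "(form);";
  try {
    return { threw: null, allowed: Boolean(new Function("form", body)(form)) };
  } catch (err) {
    return { threw: err.name, allowed: true };
  }
}
```

With the static section missing, the form is submitted unchecked; the submitted values still need the server-side Validator checks either way, since this script only runs in the browser.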



Re: Guidance on Validation in Struts

Posted by Leon <le...@hotmail.com>.
Yes, I did and I even can see the javascript of the page when I open view
source.
<html>
 <head>
  <title>Struts Form for registryForm</title>
 </head>
 <body>

 <form name="registryForm" method="post" action="/WebContent/registry/sendRegistryInfor.do" onsubmit="return validateRegistryForm(this);">

   <tr><th align="right" width="30%">First Name</th>
   <td align="left"><input type="text" name="firstName" size="20" value=""></td></tr>
   <tr><th align="right">Last Name</th>
   <td align="left"><input type="text" name="lastName" size="20" value=""></td></tr>
   <tr><th align="right">Email</th>
   <td align="left"><input type="text" name="emailAddress" size="20" value=""></td></tr>
   <tr><th align="right">Password</th>
   <td align='left'><input type="password" name="password" size="10" value=""></td></tr>
   <tr><th align="right">Re-password</th>
   <td align='left'><input type="password" name="repassword" size="10" value=""></td></tr>
   <tr><th align="right">Birst Day</th>
   <td align="left" ><input type="text" name="birthDate" size="10" value="">(Optional)</td></tr>
   <tr><td align="right" width="40%"><input type="submit" value="Submit"></td><td><input type="reset" value="Reset"></td></tr>

  </form>
<script type="text/javascript" language="JavaScript">
  <!--
  var focusControl = document.forms["registryForm"].elements["firstName"];

  if (focusControl.type != "hidden") {
     focusControl.focus();
  }
  // -->
</script>

  <script type="text/javascript" language="Javascript1.1">

<!-- Begin

     var bCancel = false;

    function validateRegistryForm(form) {
        if (bCancel)
            return true;
        else
            return validateRequired(form) && validateEmail(form) && validateMaxLength(form) && validateMinLength(form);
    }

    function required () {
     this.aa = new Array("firstName", "First Name is required.", new Function ("varName", " return this[varName];"));
     this.ab = new Array("lastName", "Last Name is required.", new Function ("varName", " return this[varName];"));
    }

    function email () {
     this.aa = new Array("email", "Email is an invalid e-mail address.", new Function ("varName", " return this[varName];"));
    }

    function maxlength () {
     this.aa = new Array("password", "Password can not be greater than null characters.", new Function ("varName", "this.maxlength='16'; this.minlength='3';  return this[varName];"));
    }

    function minlength () {
     this.aa = new Array("password", "Password can not be less than 3 characters.", new Function ("varName", "this.maxlength='16'; this.minlength='3';  return this[varName];"));
    }


//End -->
</script>


Leon




Re: Guidance on Validation in Struts

Posted by Sergey Smirnov <si...@exadel.com>.
Did you add validation plug-in in your struts-config.xml?



Re: Guidance on Validation in Struts

Posted by Sergey Smirnov <si...@exadel.com>.
Hi,

Minimum steps to have built-in validation working:

1. Add validation plug-in into the struts-config.xml
2. Put definitions in validation.xml
3. Add to the page:
    a) In the head section: <html:javascript formName="<form_name>" />
    b) for the form tag: onsubmit="return validate<form_name>(this)"
4. Create application resource file with required keys (if it does not exist yet)
5. Add reference to resource file into the struts-config.xml

P.S. It is possible to avoid steps #4 and #5 if definitions in validation.xml
do not require resources.

Regards,
Sergey Smirnov
http://www.exadel.com/strutsStudio

----- Original Message ----- 
From: "Leon" <le...@hotmail.com>
To: "Struts Users Mailing List" <st...@jakarta.apache.org>;
<tc...@bka-inc.com>
Sent: Thursday, May 15, 2003 11:58 AM
Subject: Guidance on Validation in Struts


> Hi,
>
> I am new to Validator API. I want to use Validator for client-side
> validation. I put definitions in validation.xml, put
> onsubmit="return validateRegistryForm(this);" in my jsp file and do not
> touch validator-rules.xml.  When I press submit button, the javascript
> validation does work.
>
> Anything wrong with that?
>
> Leon
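Added example (not part of the original thread): the five steps listed above as configuration fragments for a form named registryForm, matching the validateRegistryForm() call in the question. The email field, the /registry action, example.RegistryAction and the resource key text are assumptions. Setting validate="true" on the action makes the same rules run on the server, which matters because a client can skip the generated JavaScript check.

```xml
<!-- Added example; each fragment belongs to a different file. -->

<!-- struts-config.xml (steps 1 and 5). Element order follows the Struts 1.1 DTD. -->
<form-beans>
  <!-- DynaValidatorForm applies the validation.xml rules on the server too -->
  <form-bean name="registryForm"
             type="org.apache.struts.validator.DynaValidatorForm">
    <form-property name="email" type="java.lang.String"/>
  </form-bean>
</form-beans>
<action-mappings>
  <!-- example.RegistryAction is a hypothetical Action class -->
  <action path="/registry" type="example.RegistryAction"
          name="registryForm" scope="request"
          validate="true" input="/registry.jsp"/>
</action-mappings>
<!-- Step 5: reference to ApplicationResources.properties on the classpath -->
<message-resources parameter="ApplicationResources"/>
<!-- Step 1: the validation plug-in, loading the stock rules plus your definitions -->
<plug-in className="org.apache.struts.validator.ValidatorPlugIn">
  <set-property property="pathnames"
                value="/WEB-INF/validator-rules.xml,/WEB-INF/validation.xml"/>
</plug-in>

<!-- /WEB-INF/validation.xml (step 2) -->
<form-validation>
  <formset>
    <form name="registryForm">
      <field property="email" depends="required,email">
        <arg0 key="registryForm.email"/>
      </field>
    </form>
  </formset>
</form-validation>

<!-- ApplicationResources.properties (step 4), shown here as a comment:
     errors.required={0} is required.
     errors.email={0} is an invalid e-mail address.
     registryForm.email=E-mail address
-->

<!-- registry.jsp (step 3): 3a goes in the head section, 3b on the form tag -->
<html:javascript formName="registryForm"/>
<html:form action="/registry" onsubmit="return validateRegistryForm(this);">
  <html:text property="email"/>
  <html:submit/>
</html:form>
```
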


Guidance on Validation in Struts

Posted by Leon <le...@hotmail.com>.
Hi,

I am new to Validator API. I want to use Validator for client-side
validation. I put definitions in validation.xml, put
onsubmit="return validateRegistryForm(this);" in my jsp file and do not
touch validator-rules.xml.  When I press submit button, the javascript
validation does work.

Anything wrong with that?

Leon




RE: Guidance on JAAS and Struts

Posted by Tim Clotworthy <tc...@bka-inc.com>.
Thanks Craig (looks like you wrote the thing yourself, or at least the
documentation) ;)

Tim

> -----Original Message-----
> From: Craig R. McClanahan [mailto:craigmcc@apache.org]
> Sent: Thursday, May 15, 2003 11:47 AM
> To: Struts Users Mailing List; tclotworthy@bka-inc.com
> Subject: RE: Guidance on JAAS and Struts
> 
> 
> 
> On Thu, 15 May 2003, Tim Clotworthy wrote:
> 
> > Date: Thu, 15 May 2003 11:04:20 -0400
> > From: Tim Clotworthy <tc...@bka-inc.com>
> > Reply-To: Struts Users Mailing List <st...@jakarta.apache.org>,
> >      tclotworthy@bka-inc.com
> > To: 'Struts Users Mailing List' <st...@jakarta.apache.org>
> > Subject: RE: Guidance on JAAS and Struts
> >
> > Craig,
> > Thanks so much for the thorough and thoughtful reply. It clarified
> > various issues very well for me. One specific issue I have still,
> > however:
> >
> > I am going to use CMA, and I am indeed using Tomcat4.1 with JAAS. Below
> > you indicate Tomcat lets you store users and roles in various datastore
> > types, and access them via JAAS. However, when I go to the link you
> > provided
> > (http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html) , I
> > do not see any reference to JAAS, regarding "howto" make this
> > association. Should I be looking somewhere else? Thanks again.
> >
> 
> There is an experimental interface to JAAS
> (org.apache.catalina.realm.JAASRealm) in Tomcat -- I'm not sure it has
> ever been formally tested or documented, though, so you might have to go
> into the Tomcat sources and see how it works.  You might also be able to
> get some help on TOMCAT-USER, but I'd bet not many people have played with
> it.
>
> From what I've seen, JDBCRealm is the most commonly used Realm
> implementation.
> 
> > Tim
> 
> Craig
> 


RE: Guidance on JAAS and Struts

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Thu, 15 May 2003, Tim Clotworthy wrote:

> Date: Thu, 15 May 2003 11:04:20 -0400
> From: Tim Clotworthy <tc...@bka-inc.com>
> Reply-To: Struts Users Mailing List <st...@jakarta.apache.org>,
>      tclotworthy@bka-inc.com
> To: 'Struts Users Mailing List' <st...@jakarta.apache.org>
> Subject: RE: Guidance on JAAS and Struts
>
> Craig,
> Thanks so much for the thorough and thoughtful reply. It clarified
> various issues very well for me. One specific issue I have still,
> however:
>
> I am going to use CMA, and I am indeed using Tomcat4.1 with JAAS. Below
> you indicate Tomcat lets you store users and roles in various datastore
> types, and access them via JAAS. However, when I go to the link you
> provided
> (http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html) , I
> do not see any reference to JAAS, regarding "howto" make this
> association. Should I be looking somewhere else? Thanks again.
>

There is an experimental interface to JAAS
(org.apache.catalina.realm.JAASRealm) in Tomcat -- I'm not sure it has
ever been formally tested or documented, though, so you might have to go
into the Tomcat sources and see how it works.  You might also be able to
get some help on TOMCAT-USER, but I'd bet not many people have played with
it.

From what I've seen, JDBCRealm is the most commonly used Realm
implementation.

> Tim

Craig



RE: Guidance on JAAS and Struts

Posted by Tim Clotworthy <tc...@bka-inc.com>.
Craig,
Thanks so much for the thorough and thoughtful reply. It clarified
various issues very well for me. One specific issue I have still,
however:

I am going to use CMA, and I am indeed using Tomcat4.1 with JAAS. Below
you indicate Tomcat lets you store users and roles in various datastore
types, and access them via JAAS. However, when I go to the link you
provided
(http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html) , I
do not see any reference to JAAS, regarding "howto" make this
association. Should I be looking somewhere else? Thanks again.

Tim

> -----Original Message-----
> From: Craig R. McClanahan [mailto:craigmcc@apache.org]
> Sent: Wednesday, May 14, 2003 8:13 PM
> To: Struts Users Mailing List; tclotworthy@bka-inc.com
> Subject: RE: Guidance on JAAS and Struts
> 
> On Wed, 14 May 2003, Tim Clotworthy wrote:
> 
> > Date: Wed, 14 May 2003 17:56:18 -0400
> > From: Tim Clotworthy <tc...@bka-inc.com>
> > Reply-To: Struts Users Mailing List <st...@jakarta.apache.org>,
> >      tclotworthy@bka-inc.com
> > To: 'Struts Users Mailing List' <st...@jakarta.apache.org>
> > Subject: RE: Guidance on JAAS and Struts
> >
> > Here is where my comprehension of the relationship between struts and
> > JAAS has a disconnect:
> >
> > JAAS/Java Security has the notion of a Principal, which can be
> > implemented and tied to Subject. This Principal could be implemented in
> > a flexible way, including as a role (e.g. AdminPrincipal,
> > DirectorPrincipal, UserPrincipal, etc.)
> >
> > Struts allows users to be tied to roles through action mappings, and the
> > RequestProcessor.processRoles() method allows any user tied to a role
> > (as recognized by the container via request.isUserInRole()) to be
> > compared against roles tied to actions (via mapping.getRoleNames()).
> >
> > Here is my $64,000 question: Is there any intrinsic connection between a
> > JAAS role (as implicitly definable via Principals) and a role as
> > recognized by Struts (via action mappings and the underlying container)?
> >
> >
> > If so, how are they related?
> >
> > If not, how does one endeavoring to use JAAS with Struts meld the two
> > notions of roles together?
> >
> > Exasperatedly yours...
> >
> 
> Sorry for not responding to this thread earlier ... here's my view on the
> situation.  It's not so much an issue of Struts and JAAS -- it's an issue
> of how security works in the servlet API.
> 
> (1) Background
> 
> There are two general approaches to authentication and authorization
> commonly used in web applications today:
> 
> - Container Managed Security (see below for details).  As the name
>   implies, this is a facility provided by your servlet container.
>   Note that if you are running in a J2EE environment where you need
>   to make calls on EJBs, this is your only practical choice.
> 
> - Application Managed Security.  Essentially, this category covers
>   all other scenarios, where the application decides to provide its
>   own mechanism for determining when a user can log on, and what they
>   can do while there.
> 
> (2) Using Container Managed Security
> 
> To leverage container managed security (CMA), you need to do a few things:
> 
> * Design a set of "roles" and map them to your users.  Roles
>   represent the right of people who possess them to execute
>   certain functions -- in the context of web applications, it
>   means they have the right to access specific URLs.  The
>   mapping of users to roles is m:n, just like the mapping between
>   users and groups in Unix systems.
> 
> * Configure the valid users and their roles into your container,
>   using the container-specific features that it provides.  For example,
>   Tomcat lets you store users and roles in an XML file, a database,
>   a directory server, or access them via JAAS -- for more info, see:
> 
>   http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html
> 
> * In your web application's deployment descriptor (/WEB-INF/web.xml),
>   create <security-constraint> elements that define which URLs within
>   the app should be protected, and what roles are required to access
>   them.  See the servlet spec for more details.
> 
> * In addition to the URL-to-role mappings, you also need to define
>   a <login-config> element to tell the container how to perform
>   logins when it decides they are necessary.
> 
> * When an unauthenticated user accesses a protected resource for
>   the first time, the container will require the user to log on,
>   and will then ensure that the user has the appropriate roles to
>   access this protected resource.  The app doesn't have to do a thing
>   to make this happen (the best feature about CMA).
> 
> * If the app *wants* to base its own decisions on authentication and
>   authorization activities performed by the container, it can gain
>   access to information about what the container did via several
>   calls on the HttpServletRequest object:  getAuthType(),
>   getRemoteUser(), getUserPrincipal(), and isUserInRole().  For
>   example, you might use the latter call to render certain menu
>   options only if the user is actually a manager:
> 
>     <logic:present role="manager">
>       ... Show manager-specific options here ...
>     </logic:present>
>     ... Show all-user options here ...
> 
> If you are using CMA, then, there will be no direct link between Struts
> and JAAS -- there will be a link between Struts and your container
> (represented by the security constraint and login config elements in your
> web.xml file), and a separate link between your container and a JAAS
> provider (assuming that your container allows such a thing to be
> configured).
> 
> (3) Using Application Managed Security
> 
> The alternative to using CMA is to take full responsibility for
> authentication and authorization upon yourself.  From the perspective of
> the container, all URLs are unprotected, and no user is ever
> authenticated.  There is a tremendous amount of flexibility here.
>
> One thing (and possibly confusing) approach to application managed
> security, though, is to use the new Filter mechanism (added in Servlet
> 2.3) to "fake" CMA.  In other words, if you embed your security logic into
> a filter, that filter can create a request wrapper that returns non-null
> values for the CMA-related HttpServletRequest methods.  An example of this
> is the "securityfilter" project at SourceForge, which can easily be used
> in Struts based apps, but is by no means restricted to Struts.
>
> If you use securityfilter (or something like it) with Struts, then you can
> utilize Struts-based features that depend on roles (the <logic:present>
> tag illustrated above, and the "role" attribute on an <action> element in
> struts-config.xml), just as if you were actually using CMA.  The only
> difference is where the data came from (the container versus the filter).
> 
> Keep in mind, though, that you really are faking it -- the container
> doesn't know what is going on, so calls to EJBs will be executed as if
> they were done by an unauthenticated user (or, in advanced cases, by a
> user with whatever role you configure in a <run-as> element).
> 
> Hope this makes the relationships a little clearer ...
> 
> Craig McClanahan
> 


RE: Guidance on JAAS and Struts

Posted by "Craig R. McClanahan" <cr...@apache.org>.
On Wed, 14 May 2003, Tim Clotworthy wrote:

> Date: Wed, 14 May 2003 17:56:18 -0400
> From: Tim Clotworthy <tc...@bka-inc.com>
> Reply-To: Struts Users Mailing List <st...@jakarta.apache.org>,
>      tclotworthy@bka-inc.com
> To: 'Struts Users Mailing List' <st...@jakarta.apache.org>
> Subject: RE: Guidance on JAAS and Struts
>
> Here is where my comprehension of the relationship between struts and
> JAAS has a disconnect:
>
> JAAS/Java Security has the notion of a Principal, which can be
> implemented and tied to Subject. This Principal could be implemented in
> a flexible way, including as a role (e.g. AdminPrincipal,
> DirectorPrincipal, UserPrincipal, etc.)
>
> Struts allows users to be tied to roles through action mappings, and the
> RequestProcessor.processRoles() method allows any user tied to a role
> (as recognized by the container via request.isUserInRole()) to be
> compared against roles tied to actions (via mapping.getRoleNames()).
>
> Here is my $64,000 question: Is there any intrinsic connection between a
> JAAS role (as implicitly definable via Principals) and a role as
> recognized by Struts (via action mappings and the underlying container)?
>
>
> If so, how are they related?
>
> If not, how does one endeavoring to use JAAS with Struts meld the two
> notions of roles together?
>
> Exasperatedly yours...
>

Sorry for not responding to this thread earlier ... here's my view on the
situation.  It's not so much an issue of Struts and JAAS -- it's an issue
of how security works in the servlet API.

(1) Background

There are two general approaches to authentication and authorization
commonly used in web applications today:

- Container Managed Security (see below for details).  As the name
  implies, this is a facility provided by your servlet container.
  Note that if you are running in a J2EE environment where you need
  to make calls on EJBs, this is your only practical choice.

- Application Managed Security.  Essentially, this category covers
  all other scenarios, where the application decides to provide its
  own mechanism for determining when a user can log on, and what they
  can do while there.

(2) Using Container Managed Security

To leverage container managed security (CMA), you need to do a few things:

* Design a set of "roles" and map them to your users.  Roles
  represent the right of people who possess them to execute
  certain functions -- in the context of web applications, it
  means they have the right to access specific URLs.  The
  mapping of users to roles is m:n, just like the mapping between
  users and groups in Unix systems.

* Configure the valid users and their roles into your container,
  using the container-specific features that it provides.  For example,
  Tomcat lets you store users and roles in an XML file, a database,
  a directory server, or access them via JAAS -- for more info, see:

  http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html

* In your web application's deployment descriptor (/WEB-INF/web.xml),
  create <security-constraint> elements that define which URLs within
  the app should be protected, and what roles are required to access
  them.  See the servlet spec for more details.

* In addition to the URL-to-role mappings, you also need to define
  a <login-config> element to tell the container how to perform
  logins when it decides they are necessary.

* When an unauthenticated user accesses a protected resource for
  the first time, the container will require the user to log on,
  and will then ensure that the user has the appropriate roles to
  access this protected resource.  The app doesn't have to do a thing
  to make this happen (the best feature about CMA).

* If the app *wants* to base its own decisions on authentication and
  authorization activities performed by the container, it can gain
  access to information about what the container did via several
  calls on the HttpServletRequest object:  getAuthType(),
  getRemoteUser(), getUserPrincipal(), and isUserInRole().  For
  example, you might use the latter call to render certain menu
  options only if the user is actually a manager:

    <logic:present role="manager">
      ... Show manager-specific options here ...
    </logic:present>
    ... Show all-user options here ...

If you are using CMA, then, there will be no direct link between Struts
and JAAS -- there will be a link between Struts and your container
(represented by the security constraint and login config elements in your
web.xml file), and a separate link between your container and a JAAS
provider (assuming that your container allows such a thing to be
configured).

(3) Using Application Managed Security

The alternative to using CMA is to take full responsibility for
authentication and authorization upon yourself.  From the perspective of
the container, all URLs are unprotected, and no user is ever
authenticated.  There is a tremendous amount of flexibility here.

One thing (and possibly confusing) approach to application managed
security, though, is to use the new Filter mechanism (added in Servlet
2.3) to "fake" CMA.  In other words, if you embed your security logic into
a filter, that filter can create a request wrapper that returns non-null
values for the CMA-related HttpServletRequest methods.  An example of this
is the "securityfilter" project at SourceForge, which can easily be used
in Struts based apps, but is by no means restricted to Struts.

If you use securityfilter (or something like it) with Struts, then you can
utilize Struts-based features that depend on roles (the <logic:present>
tag illustrated above, and the "role" attribute on an <action> element in
struts-config.xml), just as if you were actually using CMA.  The only
difference is where the data came from (the container versus the filter).

Keep in mind, though, that you really are faking it -- the container
doesn't know what is going on, so calls to EJBs will be executed as if
they were done by an unauthenticated user (or, in advanced cases, by a
user with whatever role you configure in a <run-as> element).

Hope this makes the relationships a little clearer ...

Craig McClanahan

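
Added example (not from the original posts): the container managed security setup described above as configuration fragments, showing how one role name is shared by the container's realm, web.xml and Struts. The manager role comes from the post; the URL patterns, page names, example.ReportAction and the database table, column and credential values are assumptions, and in the Struts 1.1 DTD the action attribute is spelled roles.

```xml
<!-- Added example; each fragment belongs to a different file. -->

<!-- 1. Tomcat conf/server.xml: where the container looks up users and roles.
     JDBCRealm is used because the thread names it as the most common Realm;
     table, column and credential values are placeholders. -->
<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="org.gjt.mm.mysql.Driver"
       connectionURL="jdbc:mysql://localhost/authority"
       connectionName="REALM_DB_USER" connectionPassword="REALM_DB_PASSWORD"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name"/>

<!-- 2. /WEB-INF/web.xml: the URL-to-role mapping and the login method.
     The container enforces this before Struts ever sees the request. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Manager actions</web-resource-name>
    <url-pattern>/manager/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>manager</role-name>
</security-role>

<!-- 3. /WEB-INF/struts-config.xml: RequestProcessor.processRoles() calls
     request.isUserInRole() for each name listed in roles, so the value
     must match the role name the container knows. -->
<action path="/manager/report" type="example.ReportAction" roles="manager">
  <forward name="success" path="/manager/report.jsp"/>
</action>

<!-- 4. JSP: the same role name decides what gets rendered. This only hides
     the menu entry; the checks in fragments 2 and 3 are what block access. -->
<logic:present role="manager">
  <html:link page="/manager/report.do">Manager report</html:link>
</logic:present>
```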