Posted to user@struts.apache.org by Davina and Mac <da...@sympatico.ca> on 2001/02/25 18:16:17 UTC

Has anyone implemented security and authentication in a Struts app?

Has anybody out there implemented a roles-based security system in a Struts
application? If so, did you use an existing class library or write your own?
It seems to me that relying on container providers for security schemes
makes it almost impossible to write portable applications, and Struts/MVC,
with its single point of access and clearly defined actions would be an
ideal place to implement security...
thoughts anyone?

Mac Ferguson


Re: Has anyone implemented security and authentication in a Struts app?

Posted by David Geary <sa...@tri-lakesonline.net>.
Davina and Mac wrote:

> Has anybody out there implemented a roles-based security system in a Struts
> application? If so, did you use an existing class library or write your own?
> It seems to me that relying on container providers for security schemes
> makes it almost impossible to write portable applications, and Struts/MVC,
> with its single point of access and clearly defined actions would be an
> ideal place to implement security...
> thoughts anyone?

Relying on container-provided authentication is, by definition, nonportable. So
you are correct: it is impossible to write a portable application that relies on
container-provided authentication.

On the other hand, it's not that hard to bypass servlet containers and write
your own authentication. This is what the Struts example application does with a
CheckLogon custom tag.


david


Re: Has anyone implemented security and authentication in a Struts app?

Posted by David Geary <sa...@tri-lakesonline.net>.
Mihir Parekh wrote:

> Role-based security is part of the servlet 2.2 specs.

That's true.

> So, if you are using a servlet
> 2.2 container, the application will remain portable.

The servlet specification does not address how to specify users and roles; for
example, Tomcat 3.2 specifies them in $TOMCAT_HOME/conf/tomcat-users.xml, which you
edit to suit your application. Resin, on the other hand, doesn't have an XML file
like Tomcat does, so you must write some code (by implementing an Authenticator)
to specify users and roles. The bottom line is that you must specify users and
roles in a nonportable way.

It gets worse, from a portability standpoint, when you consider that the servlet
specification does not provide setter methods for user principals and roles. That
restriction means that only servlet containers can set user principals and roles.
Most servlet containers provide an API to set them, but use of that API is
obviously nonportable.

The only way to ensure portability is to implement authentication from scratch,
including support for user principals and roles, if you need them. Fortunately,
it's not that difficult to do.


david


> Mihir
>
> Davina and Mac wrote:
>
> > Has anybody out there implemented a roles-based security system in a Struts
> > application? If so, did you use an existing class library or write your own?
> > It seems to me that relying on container providers for security schemes
> > makes it almost impossible to write portable applications, and Struts/MVC,
> > with its single point of access and clearly defined actions would be an
> > ideal place to implement security...
> > thoughts anyone?
> >
> > Mac Ferguson


Re: Has anyone implemented security and authentication in a Struts app?

Posted by Mihir Parekh <mi...@appliedcommerce.com>.
Role-based security is part of the servlet 2.2 specs. So, if you are using a servlet
2.2 container, the application will remain portable.

Mihir

Davina and Mac wrote:

> Has anybody out there implemented a roles-based security system in a Struts
> application? If so, did you use an existing class library or write your own?
> It seems to me that relying on container providers for security schemes
> makes it almost impossible to write portable applications, and Struts/MVC,
> with its single point of access and clearly defined actions would be an
> ideal place to implement security...
> thoughts anyone?
>
> Mac Ferguson