You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@struts.apache.org by "Alberto A. Flores" <aa...@gmail.com> on 2008/05/13 20:46:42 UTC
Spring Security and Struts2 Using tiles
Folks,
My understanding is that Spring Security does not secure resources on
*forwards* (I believe tiles2 do forward/chaining). In an application
using Struts2, Spring and Tiles2, these forwards work just fine. Has
anyone had success using these three frameworks together using Spring
Security? I tried it today and It turned out that the security tag
(http://www.springframework/security/tags/):
<security:authorization property="principal.username"/>
never fetches anything. Furthermore, the code:
SecurityContextHolder.getContext().getAuthentication()
returns null (in the forwarded jsp page). Has anyone know what to do in
this case? I'm beginning to think I can not use Spring Security at all.
Regards,
--
Alberto A. Flores
http://www.linkedin.com/in/aflores
Re: Spring Security and Struts2 Using tiles
Posted by "Alberto A. Flores" <aa...@gmail.com>.
After further testing, it looks like even without tiles, the strut2
action mapping is not secured with Acegi/Spring Security (as of version
2.0.1, Struts version 2.0.11). As far as I can tell, it has to do with
the FilterDispatcher (Struts2) always forwarding to ActionProxy class to
process work (hence the Spring Security Filter never knows of the request)
Antonio Petrelli wrote:
> 2008/5/13 Alberto A. Flores <aa...@gmail.com>:
>> I would, but it seems to me like there is little that can be done on the
>> Struts2 side (unless a plugin of some sort is written). Essentially, when
>> control is forwarded to the tile, Spring security can not do much (or maybe
>> I'm missing something).
>
> I see...
>
>> The Spring Security team is well aware of (as far as forwards), that
>> resources are not secured on forwards (which sucks, really, unless I'm doing
>> something terribly wrong).
>
> Great, at least the bug is not at Struts or Tiles side :-)
>
>> I'll see if I can create a subset of my current app describing the problem.
>> Probably would post a war file? Is that what you meant?
>
> Exactly, with the source.
>
> Antonio
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>
>
--
Alberto A. Flores
http://www.linkedin.com/in/aflores
Re: Spring Security and Struts2 Using tiles
Posted by Antonio Petrelli <an...@gmail.com>.
2008/5/13 Alberto A. Flores <aa...@gmail.com>:
> I would, but it seems to me like there is little that can be done on the
> Struts2 side (unless a plugin of some sort is written). Essentially, when
> control is forwarded to the tile, Spring security can not do much (or maybe
> I'm missing something).
I see...
> The Spring Security team is well aware of (as far as forwards), that
> resources are not secured on forwards (which sucks, really, unless I'm doing
> something terribly wrong).
Great, at least the bug is not at Struts or Tiles side :-)
> I'll see if I can create a subset of my current app describing the problem.
> Probably would post a war file? Is that what you meant?
Exactly, with the source.
Antonio
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
Re: Spring Security and Struts2 Using tiles
Posted by "Alberto A. Flores" <aa...@gmail.com>.
I would, but it seems to me like there is little that can be done on the
Struts2 side (unless a plugin of some sort is written). Essentially,
when control is forwarded to the tile, Spring security can not do much
(or maybe I'm missing something).
The Spring Security team is well aware of (as far as forwards), that
resources are not secured on forwards (which sucks, really, unless I'm
doing something terribly wrong).
I'll see if I can create a subset of my current app describing the
problem. Probably would post a war file? Is that what you meant?
Antonio Petrelli wrote:
> 2008/5/13 Alberto A. Flores <aa...@gmail.com>:
>> I don't thinks that's possible as the Struts2 result would be something
>> like:
>>
>> <result type="tiles" name="foo">my.tile</result>
>>
>> In here, I don't have access to the forward.
>
> Mmm... it's starting to be complicated, and I think that there is a
> bug somewhere.
> Can you open a JIRA issue, attaching, if possible, a sample web application?
>
> http://issues.apache.org/struts
>
> Antonio
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>
>
--
Alberto A. Flores
http://www.linkedin.com/in/aflores
Re: Spring Security and Struts2 Using tiles
Posted by Antonio Petrelli <an...@gmail.com>.
2008/5/13 Alberto A. Flores <aa...@gmail.com>:
> I don't thinks that's possible as the Struts2 result would be something
> like:
>
> <result type="tiles" name="foo">my.tile</result>
>
> In here, I don't have access to the forward.
Mmm... it's starting to be complicated, and I think that there is a
bug somewhere.
Can you open a JIRA issue, attaching, if possible, a sample web application?
http://issues.apache.org/struts
Antonio
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
Re: Spring Security and Struts2 Using tiles
Posted by "Alberto A. Flores" <aa...@gmail.com>.
I don't thinks that's possible as the Struts2 result would be something
like:
<result type="tiles" name="foo">my.tile</result>
In here, I don't have access to the forward.
Antonio Petrelli wrote:
> 2008/5/13 Alberto A. Flores <aa...@gmail.com>:
>> My understanding is that Spring Security does not secure resources on
>> *forwards* (I believe tiles2 do forward/chaining).
>
> Forwards and includes, that's where I think there may be a fault.
> Can you try if, using simple <jsp:include> tags, the security tags work?
>
> Antonio
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>
>
--
Alberto A. Flores
http://www.linkedin.com/in/aflores
Re: Spring Security and Struts2 Using tiles
Posted by Antonio Petrelli <an...@gmail.com>.
2008/5/13 Alberto A. Flores <aa...@gmail.com>:
> My understanding is that Spring Security does not secure resources on
> *forwards* (I believe tiles2 do forward/chaining).
Forwards and includes, that's where I think there may be a fault.
Can you try if, using simple <jsp:include> tags, the security tags work?
Antonio
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
Re: Spring Security and Struts2 Using tiles
Posted by "Alberto A. Flores" <aa...@gmail.com>.
I had to put those efforts on the side as it was in a prototype and
proof of concept phase. However, I have just began (today) to officially
make serious effort into making it work (if at all possible) for our
project. I should have a better answer by the end of the day... but any
feedback would be much appreciated...
JerryK wrote:
> I was able to get this working with Acegi, by setting the Dispatcher property
> in web.xml
> <url-pattern>/*</url-pattern>
> <dispatcher>REQUEST</dispatcher>
> <dispatcher>INCLUDE</dispatcher>
> <dispatcher>FORWARD</dispatcher>
> </filter-mapping>
>
> But, now when i try this with Spring Security 2.0.1, i am facing the same
> problem as you have described here. Have you found any solution so far?
>
>
>
> Alberto A. Flores wrote:
>> Folks,
>>
>> My understanding is that Spring Security does not secure resources on
>> *forwards* (I believe tiles2 do forward/chaining). In an application
>> using Struts2, Spring and Tiles2, these forwards work just fine. Has
>> anyone had success using these three frameworks together using Spring
>> Security? I tried it today and It turned out that the security tag
>> (http://www.springframework/security/tags/):
>>
>> <security:authorization property="principal.username"/>
>>
>> never fetches anything. Furthermore, the code:
>>
>> SecurityContextHolder.getContext().getAuthentication()
>>
>> returns null (in the forwarded jsp page). Has anyone know what to do in
>> this case? I'm beginning to think I can not use Spring Security at all.
>>
>> Regards,
>>
>> --
>>
>> Alberto A. Flores
>> http://www.linkedin.com/in/aflores
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
>> For additional commands, e-mail: user-help@struts.apache.org
>>
>
--
Alberto A. Flores
http://www.linkedin.com/in/aflores
Re: Spring Security and Struts2 Using tiles
Posted by JerryK <je...@oceanustech.net>.
I was able to get this working with Acegi, by setting the Dispatcher property
in web.xml
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>INCLUDE</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
But, now when i try this with Spring Security 2.0.1, i am facing the same
problem as you have described here. Have you found any solution so far?
Alberto A. Flores wrote:
>
> Folks,
>
> My understanding is that Spring Security does not secure resources on
> *forwards* (I believe tiles2 do forward/chaining). In an application
> using Struts2, Spring and Tiles2, these forwards work just fine. Has
> anyone had success using these three frameworks together using Spring
> Security? I tried it today and It turned out that the security tag
> (http://www.springframework/security/tags/):
>
> <security:authorization property="principal.username"/>
>
> never fetches anything. Furthermore, the code:
>
> SecurityContextHolder.getContext().getAuthentication()
>
> returns null (in the forwarded jsp page). Has anyone know what to do in
> this case? I'm beginning to think I can not use Spring Security at all.
>
> Regards,
>
> --
>
> Alberto A. Flores
> http://www.linkedin.com/in/aflores
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>
--
View this message in context: http://www.nabble.com/Spring-Security-and-Struts2-Using-tiles-tp17215700p18182388.html
Sent from the Struts - User mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org