Spring Security and Struts2 Using tiles

["Alberto A. Flores" <aa...@gmail.com>]

Folks,

My understanding is that Spring Security does not secure resources on 
*forwards* (I believe tiles2 do forward/chaining). In an application 
using Struts2, Spring and Tiles2, these forwards work just fine. Has 
anyone had success using these three frameworks together using Spring 
Security? I tried it today and It turned out that the security tag 
(http://www.springframework/security/tags/):

   <security:authorization property="principal.username"/>

never fetches anything. Furthermore, the code:

   SecurityContextHolder.getContext().getAuthentication()

returns null (in the forwarded jsp page). Has anyone know what to do in 
this case? I'm beginning to think I can not use Spring Security at all.

Regards,

-- 

Alberto A. Flores
http://www.linkedin.com/in/aflores

Re: Spring Security and Struts2 Using tiles

["Alberto A. Flores" <aa...@gmail.com>]

After further testing, it looks like even without tiles, the strut2 
action mapping is not secured with Acegi/Spring Security (as of version 
2.0.1, Struts version 2.0.11). As far as I can tell, it has to do with 
the FilterDispatcher (Struts2) always forwarding to ActionProxy class to 
process work (hence the Spring Security Filter never knows of the request)

Antonio Petrelli wrote:
> 2008/5/13 Alberto A. Flores <aa...@gmail.com>:
>> I would, but it seems to me like there is little that can be done on the
>> Struts2 side (unless a plugin of some sort is written). Essentially, when
>> control is forwarded to the tile, Spring security can not do much (or maybe
>> I'm missing something).
> 
> I see...
> 
>>  The Spring Security team is well aware of (as far as forwards), that
>> resources are not secured on forwards (which sucks, really, unless I'm doing
>> something terribly wrong).
> 
> Great, at least the bug is not at Struts or Tiles side :-)
> 
>>  I'll see if I can create a subset of my current app describing the problem.
>> Probably would post a war file? Is that what you meant?
> 
> Exactly, with the source.
> 
> Antonio
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
> 
> 

-- 

Alberto A. Flores
http://www.linkedin.com/in/aflores

Re: Spring Security and Struts2 Using tiles

[Antonio Petrelli <an...@gmail.com>]

2008/5/13 Alberto A. Flores <aa...@gmail.com>:
> I would, but it seems to me like there is little that can be done on the
> Struts2 side (unless a plugin of some sort is written). Essentially, when
> control is forwarded to the tile, Spring security can not do much (or maybe
> I'm missing something).

I see...

>  The Spring Security team is well aware of (as far as forwards), that
> resources are not secured on forwards (which sucks, really, unless I'm doing
> something terribly wrong).

Great, at least the bug is not at Struts or Tiles side :-)

>  I'll see if I can create a subset of my current app describing the problem.
> Probably would post a war file? Is that what you meant?

Exactly, with the source.

Antonio

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org

Re: Spring Security and Struts2 Using tiles

["Alberto A. Flores" <aa...@gmail.com>]

I would, but it seems to me like there is little that can be done on the 
Struts2 side (unless a plugin of some sort is written). Essentially, 
when control is forwarded to the tile, Spring security can not do much 
(or maybe I'm missing something).

The Spring Security team is well aware of (as far as forwards), that 
resources are not secured on forwards (which sucks, really, unless I'm 
doing something terribly wrong).

I'll see if I can create a subset of my current app describing the 
problem. Probably would post a war file? Is that what you meant?


Antonio Petrelli wrote:
> 2008/5/13 Alberto A. Flores <aa...@gmail.com>:
>> I don't thinks that's possible as the Struts2 result would be something
>> like:
>>
>>  <result type="tiles" name="foo">my.tile</result>
>>
>>  In here, I don't have access to the forward.
> 
> Mmm... it's starting to be complicated, and I think that there is a
> bug somewhere.
> Can you open a JIRA issue, attaching, if possible, a sample web application?
> 
> http://issues.apache.org/struts
> 
> Antonio
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
> 
> 

-- 

Alberto A. Flores
http://www.linkedin.com/in/aflores

Re: Spring Security and Struts2 Using tiles

[Antonio Petrelli <an...@gmail.com>]

2008/5/13 Alberto A. Flores <aa...@gmail.com>:
> I don't thinks that's possible as the Struts2 result would be something
> like:
>
>  <result type="tiles" name="foo">my.tile</result>
>
>  In here, I don't have access to the forward.

Mmm... it's starting to be complicated, and I think that there is a
bug somewhere.
Can you open a JIRA issue, attaching, if possible, a sample web application?

http://issues.apache.org/struts

Antonio

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org

Re: Spring Security and Struts2 Using tiles

["Alberto A. Flores" <aa...@gmail.com>]

I don't thinks that's possible as the Struts2 result would be something 
like:

<result type="tiles" name="foo">my.tile</result>

In here, I don't have access to the forward.

Antonio Petrelli wrote:
> 2008/5/13 Alberto A. Flores <aa...@gmail.com>:
>>  My understanding is that Spring Security does not secure resources on
>> *forwards* (I believe tiles2 do forward/chaining).
> 
> Forwards and includes, that's where I think there may be a fault.
> Can you try if, using simple <jsp:include> tags, the security tags work?
> 
> Antonio
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
> 
> 

-- 

Alberto A. Flores
http://www.linkedin.com/in/aflores

Re: Spring Security and Struts2 Using tiles

[Antonio Petrelli <an...@gmail.com>]

2008/5/13 Alberto A. Flores <aa...@gmail.com>:
>  My understanding is that Spring Security does not secure resources on
> *forwards* (I believe tiles2 do forward/chaining).

Forwards and includes, that's where I think there may be a fault.
Can you try if, using simple <jsp:include> tags, the security tags work?

Antonio

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org

Re: Spring Security and Struts2 Using tiles

["Alberto A. Flores" <aa...@gmail.com>]

I had to put those efforts on the side as it was in a prototype and 
proof of concept phase. However, I have just began (today) to officially 
make serious effort into making it work (if at all possible) for our 
project. I should have a better answer by the end of the day... but any 
feedback would be much appreciated...


JerryK wrote:
> I was able to get this working with Acegi, by setting the Dispatcher property
> in web.xml
>     <url-pattern>/*</url-pattern>
>         <dispatcher>REQUEST</dispatcher>
>         <dispatcher>INCLUDE</dispatcher>
>         <dispatcher>FORWARD</dispatcher>
> 	</filter-mapping>
> 
> But, now when i try this with Spring Security 2.0.1, i am facing the same
> problem as you have described here. Have you found any solution so far?
> 
> 
> 
> Alberto A. Flores wrote:
>> Folks,
>>
>> My understanding is that Spring Security does not secure resources on 
>> *forwards* (I believe tiles2 do forward/chaining). In an application 
>> using Struts2, Spring and Tiles2, these forwards work just fine. Has 
>> anyone had success using these three frameworks together using Spring 
>> Security? I tried it today and It turned out that the security tag 
>> (http://www.springframework/security/tags/):
>>
>>    <security:authorization property="principal.username"/>
>>
>> never fetches anything. Furthermore, the code:
>>
>>    SecurityContextHolder.getContext().getAuthentication()
>>
>> returns null (in the forwarded jsp page). Has anyone know what to do in 
>> this case? I'm beginning to think I can not use Spring Security at all.
>>
>> Regards,
>>
>> -- 
>>
>> Alberto A. Flores
>> http://www.linkedin.com/in/aflores
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
>> For additional commands, e-mail: user-help@struts.apache.org
>>
> 

-- 

Alberto A. Flores
http://www.linkedin.com/in/aflores

Re: Spring Security and Struts2 Using tiles

[JerryK <je...@oceanustech.net>]

I was able to get this working with Acegi, by setting the Dispatcher property
in web.xml
    <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
        <dispatcher>FORWARD</dispatcher>
	</filter-mapping>

But, now when i try this with Spring Security 2.0.1, i am facing the same
problem as you have described here. Have you found any solution so far?



Alberto A. Flores wrote:
> 
> Folks,
> 
> My understanding is that Spring Security does not secure resources on 
> *forwards* (I believe tiles2 do forward/chaining). In an application 
> using Struts2, Spring and Tiles2, these forwards work just fine. Has 
> anyone had success using these three frameworks together using Spring 
> Security? I tried it today and It turned out that the security tag 
> (http://www.springframework/security/tags/):
> 
>    <security:authorization property="principal.username"/>
> 
> never fetches anything. Furthermore, the code:
> 
>    SecurityContextHolder.getContext().getAuthentication()
> 
> returns null (in the forwarded jsp page). Has anyone know what to do in 
> this case? I'm beginning to think I can not use Spring Security at all.
> 
> Regards,
> 
> -- 
> 
> Alberto A. Flores
> http://www.linkedin.com/in/aflores
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
> 

-- 
View this message in context: http://www.nabble.com/Spring-Security-and-Struts2-Using-tiles-tp17215700p18182388.html
Sent from the Struts - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org