Posted to user@struts.apache.org by wild_oscar <mi...@almeida.at> on 2007/08/24 12:29:28 UTC

JAAS and S2 - how do they interact?

Following up on my quest for Authentication and Authorization in web apps, I
found two approaches with JAAS.

The first one is described here: 
http://www.jroller.com/tomdz/entry/using_jaas_with_struts_a

and it basically involves defining a JAASRealm in Tomcat and putting it in
server.xml, defining a webpage for login and configuring all in the web.xml
file: defining <security-constraint>, <login-config> and <security-role>.

What I think is the second alternative involves defining interceptors, such
as the Login Interceptor Mark Mernards describes on his blog
(http://www.vitarara.org/cms/struts_2_cookbook/creating_a_login_interceptor)
and/or filters, such as a ServletFilter that wraps the HttpServletRequest
with a class that implements the isUserInRole method, as described by Josh
Vickery on this mailing list
(http://www.nabble.com/-S2--populating-user-roles-tf3675880.html#a10271654).

Being completely lost on the subject, my questions are: 

1) Are the two incompatible?
2) Having achieved authentication with a JAAS module successfully, what is
the best way to achieve authorization now, using Struts2? Not having written
the application yet, I am figuring I'll need both business authorization (in
actions, for example) and view authorization (tags rendered or hidden based
on user's role).

After authentication, the subject is stored on the httpSession like this:

    HttpSession session = request.getSession();
    session.setAttribute("subject_key", lc.getSubject());

Thank you very much for all the input!

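The filter approach mentioned in the post, sketched as an added example that is not part of the original message or of the linked posts: a servlet filter that answers isUserInRole from the JAAS Subject stored in the session under "subject_key". The class names SubjectRoleFilter and RolePrincipal are hypothetical, and the example assumes the LoginModule adds one RolePrincipal per role to the Subject.

```java
import java.io.IOException;
import java.io.Serializable;
import java.security.Principal;
import javax.security.auth.Subject;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example. Assumes the login code stored the JAAS Subject in the session
// under "subject_key" (as in the post) and that the LoginModule adds one
// RolePrincipal per role (hypothetical class, defined here).
public class SubjectRoleFilter implements Filter {

    /** Hypothetical role principal; use the class your LoginModule populates. */
    public static final class RolePrincipal implements Principal, Serializable {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Role check that fails closed: no subject or no match means no role. */
    static boolean hasRole(Subject subject, String role) {
        if (subject == null || role == null) return false;
        for (RolePrincipal p : subject.getPrincipals(RolePrincipal.class)) {
            if (role.equals(p.getName())) return true;
        }
        return false;
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false); // never create a session here
        Object attr = (session == null) ? null : session.getAttribute("subject_key");
        final Subject subject = (attr instanceof Subject) ? (Subject) attr : null;

        // Downstream code (actions, interceptors, tags) now sees the JAAS roles.
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override public boolean isUserInRole(String role) {
                return hasRole(subject, role);
            }
        }, res);
    }
}
```

Map the filter ahead of the Struts 2 filter in web.xml so that actions and view code calling request.isUserInRole(...) get the wrapped request; a request with no session or no Subject is treated as having no roles.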