Posted to user@struts.apache.org by as as <sa...@yahoo.com> on 2004/03/22 16:00:28 UTC

RE: security framework!!! (Addendum to my previous post)

Hi,
Has anyone tried the filters framework (the <filter> tag in web.xml) in Struts for role-based access to web pages in an enterprise-wide application deployed in WebLogic? We tried this, and it seems each sub-application needs a different web.xml of its own, and a single integrated web.xml..
Any workarounds...
Thanks,
Sam.
(Basically, in our large web app, we want to allow different users (admin, user, etc.) access to different pages (password reset, etc.) based on their privileges....

Thanks!

(I am quoting below
http://info.borland.com/techpubs/jbuilder/jbuilder8/webapps/webapp_dd_editor.html#filters
where I did find some related info, though.)


as as <sa...@yahoo.com> wrote:
Interesting discussion. Are there more website links on the same?...

Thanks!

"Craig R. McClanahan" wrote:
(Jumping in late, and trying to catch up on several hundred email messages in my
STRUTS-USER folder, but better late than never ...)

Quoting David Friedman :

> Adam,
> 
> With my structure, I might have to become a particular reseller, then flip
> into a customer of his/hers, then become one of their client accounts to
> look into a reported problem. I worry about login identities for the
> following reasons:
> 
> Using a JAAS login, my principal would be fixed (set in stone) for my
> session. Then I wouldn't be able to use the 'roles' settings inside
> Struts, Tiles, and JSPs to control content.
> 
> Without using a JAAS login, I also become unable to use 'roles' in Tiles and
> JSPs to control content.
> 
> Without having any theories on how to successfully (and without much
> alteration to the package[s]) use roles for Struts, Tiles, and JSPs, I'm at
> a loss how to change my identity/roles
> 
> If I made a filter to wrap the Request with an HttpServletRequestWrapper
> object then added my own push/pop/depth methods, I see how I could use roles
> in all of those places.
> 
> Knowing all of the above gory details, do you (or anyone) have any
> suggestions on how to make things cleaner while using roles in all of those
> places with the various levels of control I need to exert (albeit probably
> rarely switching roles) ?
> 

David,

If I understand what you're after correctly, the design you have proposed is
pretty troubling from a security perspective. In particular, consider what
happens if your system is also logging who made what changes (so you can go
audit things later). If users are allowed to impersonate each other, you have
no accountability at all. From a security perspective, it is much better that
each user have a unique individual identity, and that all actions taken by that
individual are associated with that identity.

Going back to your problem, then, have you considered that an individual user
can have more than one role? For example, if you have "manager" and "employee"
roles, you (as a manager) can have *both* of them assigned to your
UserPrincipal, and therefore you can do anything that either a "manager" or an
"employee" can do, while employees cannot execute manager functions. This is
the way roles are typically used in J2EE applications, and it maps just as well
to your five-level hierarchy as it does a two-level one.

> Thanks (to all) for any constructive suggestions,
> David

Craig McClanahan
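The filter approach Sam asks about, combined with Craig's advice that one principal simply carries several roles, as an added example that is not code from this thread or from Struts: a servlet filter, declared in each web application's web.xml, that maps path prefixes to the roles allowed to reach them, asks the container via isUserInRole() (so a principal granted both "manager" and "employee" passes either check, with no identity switching), and writes an audit line under the authenticated user's own name so every action stays attributable. The class name RoleAccessFilter, the "rules" init-param and its sample path/role values are assumptions of this example. Filter mappings are scoped to the web application whose web.xml declares them, so each sub-application declares the filter even when the class itself ships in a shared jar.

```java
// Added example, not from the thread. Assumes the javax.servlet (2.3+) API and a
// container that has already authenticated the caller, so isUserInRole() reflects
// every role the container assigned to the principal.
import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * web.xml entries for this filter, repeated in each sub-application's web.xml
 * (filter mappings only apply to the web application that declares them):
 *
 *   <filter>
 *     <filter-name>RoleAccessFilter</filter-name>
 *     <filter-class>RoleAccessFilter</filter-class>
 *     <init-param>
 *       <param-name>rules</param-name>
 *       <!-- constructed sample, format: path-prefix=role[,role];... -->
 *       <param-value>/admin/=admin;/password/=admin,user</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>RoleAccessFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class RoleAccessFilter implements Filter {

    private static final Logger AUDIT = Logger.getLogger("audit");

    /** One access rule: requests under prefix need at least one of the roles. */
    private static final class Rule {
        final String prefix;
        final String[] roles;
        Rule(String prefix, String[] roles) { this.prefix = prefix; this.roles = roles; }
    }

    /** Rules in declaration order; the first matching prefix wins. */
    private final List<Rule> rules = new ArrayList<Rule>();

    public void init(FilterConfig config) throws ServletException {
        String spec = config.getInitParameter("rules");
        if (spec == null) {
            throw new ServletException("RoleAccessFilter needs a 'rules' init-param");
        }
        for (String entry : spec.split(";")) {
            int eq = entry.indexOf('=');
            if (eq <= 0 || eq == entry.length() - 1) {
                throw new ServletException("bad rule: " + entry);
            }
            String[] roles = entry.substring(eq + 1).split(",");
            for (int i = 0; i < roles.length; i++) roles[i] = roles[i].trim();
            rules.add(new Rule(entry.substring(0, eq).trim(), roles));
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path inside this web application, e.g. "/admin/users.do"
        String path = request.getRequestURI().substring(request.getContextPath().length());

        Rule rule = null;
        for (Rule r : rules) {
            if (path.startsWith(r.prefix)) { rule = r; break; }
        }
        if (rule == null) {                 // not a role-protected page
            chain.doFilter(req, res);
            return;
        }

        Principal user = request.getUserPrincipal();
        if (user == null) {                 // nobody authenticated yet
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // A principal holding several roles (manager AND employee) passes on the
        // first role the container confirms; the identity itself never changes.
        String granted = null;
        for (String role : rule.roles) {
            if (request.isUserInRole(role)) { granted = role; break; }
        }

        // Audit under the real, individual identity so actions stay attributable.
        if (granted == null) {
            AUDIT.warning("DENY user=" + user.getName() + " path=" + path);
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        AUDIT.info("ALLOW user=" + user.getName() + " role=" + granted + " path=" + path);
        chain.doFilter(req, res);
    }

    public void destroy() { rules.clear(); }
}
```

Because the filter only consults the container's view of the principal, the same class also leaves the Struts action mappings' roles attribute and the Tiles/JSP role checks intact: they all read the one fixed principal, and a user who needs more access is given more roles rather than another identity.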


