Posted to dev@struts.apache.org by David Winterfeldt <dw...@yahoo.com> on 2002/04/01 18:23:42 UTC

Re: Jakarta Regexp Package Issue

I'm planning on switching this over tonight.  I'm
ready to check in the changes to Commons Validator. 
The unit test I made shows that changing this fixes
one of the e-mail bugs.  I'll also switch Struts to
use ORO too.

David

--- Martin Cooper <ma...@tumbleweed.com> wrote:
> I have no problem with switching to ORO. Then again, I must confess to
> having no great knowledge of either package (although I do use Regexp on
> one of my projects). It's interesting that Regexp should be considered
> lighter - it's a significantly larger download than ORO!
> 
> I don't think we should allow the user to choose. It would be confusing
> to the user, and also to us when trying to track down problems and subtle
> differences in behaviour.
> 
> --
> Martin Cooper
> 
> 
> ----- Original Message -----
> From: "David Winterfeldt" <dw...@yahoo.com>
> To: "Struts Developers List"
> <st...@jakarta.apache.org>
> Sent: Friday, March 22, 2002 7:56 AM
> Subject: Jakarta Regexp Package Issue
> 
> 
> > I'm reposting this.  It might be easily missed since I forwarded the
> > bug for this that I filed.
> >
> > Email Validation doesn't allow '-' in address.  This is an error in the
> > Jakarta Regexp package.  It also has trouble with large max values.
> >    ex: ^\d{2,1000}$
> >
> > Does anyone think we should just switch to ORO?  I'm leaning that way,
> > but I used Jakarta Regexp because it was considered 'lighter'.  If it
> > isn't completely reliable, that doesn't really matter.  Or we could
> > include both as an option, but I don't want to confuse anyone.
> >
> > David
> >
> >
> >
> > --
> > To unsubscribe, e-mail:
> <ma...@jakarta.apache.org>
> > For additional commands, e-mail:
> <ma...@jakarta.apache.org>
> >
> 



Re: Session Scope Question

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Tue, 2 Apr 2002, Bob Lee wrote:

> Date: Tue, 2 Apr 2002 11:18:42 -0600
> From: Bob Lee <cr...@crazybob.org>
> Reply-To: Struts Developers List <st...@jakarta.apache.org>
> To: Struts Developers List <st...@jakarta.apache.org>
> Subject: Re: Session Scope Question
>
> That's what I was afraid of. Is it possible to manually control which action
> form instance gets used? For example, rather than pass all of the data from
> page to page, pass an instance id that gets created when the user first
> enters the form.
>

There is no machinery to do this for session-based form beans, and it
would be very complex to implement (how do you tell each individual
request accessing the same session which id to use?).  That's why I
continue to encourage using request-based form beans instead, because each
request gets its own instance -- the fact that the name is the same does
not matter.

> Thanks,
> Bob

Craig


>
> ----- Original Message -----
> From: "Craig R. McClanahan" <cr...@apache.org>
> To: "Struts Developers List" <st...@jakarta.apache.org>
> Sent: Tuesday, April 02, 2002 11:04 AM
> Subject: Re: Session Scope Question
>
>
> >
> >
> > On Tue, 2 Apr 2002, Bob Lee wrote:
> >
> > > Date: Tue, 2 Apr 2002 10:24:50 -0600
> > > From: Bob Lee <cr...@crazybob.org>
> > > Reply-To: Struts Developers List <st...@jakarta.apache.org>
> > > To: Struts Developers List <st...@jakarta.apache.org>
> > > Subject: Session Scope Question
> > >
> > > The user guide says that if you use "session" scope, Struts will use the
> > > "name" attribute from the "form-bean" element to key the instance. Does
> > > Struts add something else to the key to prevent concurrent modification?
> > > For example, if the user has two windows open and starts two different
> > > instances of the same form, will the two instances modify the same
> > > ActionForm instance in the session?
> > >
> >
> > No -- you've got the same multithread issues here that you do with
> > session-scoped attributes in general.  If your app is going to have cases
> > where the same form bean is used on more than one frame (or window) at the
> > same time, in the same session, I'd definitely architect things to use
> > request scope instead.
> >
> > > Thanks,
> > > Bob
> > >
> >
> > Craig
> >
> >
> >
> >
>
>
>
>



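A constructed model (added here, not Struts code and not anything posted to the thread) of the shared-instance behaviour Craig describes: the form bean is found by its form-bean name alone, so two windows of one session share it under session scope but get separate instances under request scope. The names Request, lookup_form, process_form and two_windows are my own.

```python
"""Constructed model of Struts-style form-bean lookup in session vs request
scope. Not Struts code: it only reproduces the keying rule the thread
describes (the bean is found by its form-bean "name" alone)."""
from dataclasses import dataclass, field


@dataclass
class Request:
    session: dict                                   # one HttpSession per browser, shared by all its windows
    params: dict                                    # submitted form parameters
    attributes: dict = field(default_factory=dict)  # request attributes, private to this request


def lookup_form(req: Request, form_name: str, scope: str) -> dict:
    """Find or create the form bean, keyed only by its name, in the chosen scope."""
    store = req.session if scope == "session" else req.attributes
    return store.setdefault(form_name, {})


def process_form(req: Request, form_name: str, scope: str) -> dict:
    """Populate the bean from this request's parameters and return what the
    Action sees. Parameters absent from the request are left untouched,
    which is how one window's values leak into another's under session scope."""
    form = lookup_form(req, form_name, scope)
    form.update(req.params)
    return dict(form)


def two_windows(scope: str):
    """Two windows of one browser (same session cookie) interleave a checkout."""
    session = {}
    # Window A, step 1: picks an item and a quantity.
    seen_a1 = process_form(Request(session, {"item": "book", "qty": "3"}), "checkoutForm", scope)
    # Window B, step 1: picks a different item, sends no quantity.
    seen_b1 = process_form(Request(session, {"item": "laptop"}), "checkoutForm", scope)
    # Window A, step 2: confirms, sending only the confirmation flag.
    seen_a2 = process_form(Request(session, {"confirm": "yes"}), "checkoutForm", scope)
    return seen_a1, seen_b1, seen_a2


if __name__ == "__main__":
    for scope in ("session", "request"):
        print(scope, two_windows(scope))
```

Under session scope window A ends up confirming a laptop it never chose; under request scope each step sees only its own parameters, which is why the multi-step data has to travel with every request.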

Re: Session Scope Question

Posted by Bob Lee <cr...@crazybob.org>.
That's what I was afraid of. Is it possible to manually control which action
form instance gets used? For example, rather than pass all of the data from
page to page, pass an instance id that gets created when the user first
enters the form.

Thanks,
Bob

----- Original Message -----
From: "Craig R. McClanahan" <cr...@apache.org>
To: "Struts Developers List" <st...@jakarta.apache.org>
Sent: Tuesday, April 02, 2002 11:04 AM
Subject: Re: Session Scope Question


>
>
> On Tue, 2 Apr 2002, Bob Lee wrote:
>
> > Date: Tue, 2 Apr 2002 10:24:50 -0600
> > From: Bob Lee <cr...@crazybob.org>
> > Reply-To: Struts Developers List <st...@jakarta.apache.org>
> > To: Struts Developers List <st...@jakarta.apache.org>
> > Subject: Session Scope Question
> >
> > The user guide says that if you use "session" scope, Struts will use the
> > "name" attribute from the "form-bean" element to key the instance. Does
> > Struts add something else to the key to prevent concurrent modification?
> > For example, if the user has two windows open and starts two different
> > instances of the same form, will the two instances modify the same
> > ActionForm instance in the session?
> >
>
> No -- you've got the same multithread issues here that you do with
> session-scoped attributes in general.  If your app is going to have cases
> where the same form bean is used on more than one frame (or window) at the
> same time, in the same session, I'd definitely architect things to use
> request scope instead.
>
> > Thanks,
> > Bob
> >
>
> Craig
>
>
>
>




Re: Session Scope Question

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Tue, 2 Apr 2002, Bob Lee wrote:

> Date: Tue, 2 Apr 2002 10:24:50 -0600
> From: Bob Lee <cr...@crazybob.org>
> Reply-To: Struts Developers List <st...@jakarta.apache.org>
> To: Struts Developers List <st...@jakarta.apache.org>
> Subject: Session Scope Question
>
> The user guide says that if you use "session" scope, Struts will use the
> "name" attribute from the "form-bean" element to key the instance. Does
> Struts add something else to the key to prevent concurrent modification? For
> example, if the user has two windows open and starts two different instances
> of the same form, will the two instances modify the same ActionForm instance
> in the session?
>

No -- you've got the same multithread issues here that you do with
session-scoped attributes in general.  If your app is going to have cases
where the same form bean is used on more than one frame (or window) at the
same time, in the same session, I'd definitely architect things to use
request scope instead.

> Thanks,
> Bob
>

Craig




Session Scope Question

Posted by Bob Lee <cr...@crazybob.org>.
The user guide says that if you use "session" scope, Struts will use the
"name" attribute from the "form-bean" element to key the instance. Does
Struts add something else to the key to prevent concurrent modification? For
example, if the user has two windows open and starts two different instances
of the same form, will the two instances modify the same ActionForm instance
in the session?

Thanks,
Bob




Re: Jakarta Regexp Package Issue

Posted by David Winterfeldt <dw...@yahoo.com>.
I checked in the changes in Commons Validator and
Struts to use Jakarta ORO.

David

--- David Winterfeldt <dw...@yahoo.com> wrote:
> I'm planning on switching this over tonight.  I'm
> ready to check in the changes to Commons Validator. 
> The unit test I made shows that changing this fixes
> one of the e-mail bugs.  I'll also switch Struts to
> use ORO too.
> 
> David
> 
> --- Martin Cooper <ma...@tumbleweed.com> wrote:
> > I have no problem with switching to ORO. Then again, I must confess to
> > having no great knowledge of either package (although I do use Regexp on
> > one of my projects). It's interesting that Regexp should be considered
> > lighter - it's a significantly larger download than ORO!
> > 
> > I don't think we should allow the user to choose. It would be confusing
> > to the user, and also to us when trying to track down problems and subtle
> > differences in behaviour.
> > 
> > --
> > Martin Cooper
> > 
> > 
> > ----- Original Message -----
> > From: "David Winterfeldt" <dw...@yahoo.com>
> > To: "Struts Developers List"
> > <st...@jakarta.apache.org>
> > Sent: Friday, March 22, 2002 7:56 AM
> > Subject: Jakarta Regexp Package Issue
> > 
> > 
> > > I'm reposting this.  It might be easily missed since I forwarded the
> > > bug for this that I filed.
> > >
> > > Email Validation doesn't allow '-' in address.  This is an error in the
> > > Jakarta Regexp package.  It also has trouble with large max values.
> > >    ex: ^\d{2,1000}$
> > >
> > > Does anyone think we should just switch to ORO?  I'm leaning that way,
> > > but I used Jakarta Regexp because it was considered 'lighter'.  If it
> > > isn't completely reliable, that doesn't really matter.  Or we could
> > > include both as an option, but I don't want to confuse anyone.
> > >
> > > David
> > >
> > >
> > >
> > 
> > 
> > 
> 
> 
> 
> 





Re: Security Solution

Posted by "Dr. BaTien Duong" <ba...@dbgroups.com>.
Please post and/or send 1 copy to me. Thanks.

----- Original Message -----
From: "Phase Web and Multimedia" <ma...@phase.ws>
To: "Struts User" <st...@jakarta.apache.org>; "Struts Developers List"
<st...@jakarta.apache.org>
Sent: Monday, April 01, 2002 11:49 AM
Subject: Security Solution


> Greetings,
>
> I wanted to offer some code if anyone is interested. I have seen many
> discuss security on archives and wanted to offer an alternative to
> container managed security.
>
> I spent some time weighing out whether to use container managed security
> or not and came to the conclusion that I would use a filter for security.
> There were several inflexibilities in the spec for container managed
> security. I wrote a security filter that functions very similar to
> container managed security. It has an xml config file that is used to
> protect urls. There are a few differences in the config and how you define
> protected areas and where you are directed.
>
> Basically there are three areas of greater flexibility.
>
> 1) you can define several security-constraint groups with different login
> pages.
> 2) you can login easily without having to hit a secure page first
> 3) you can set up an app specific security realm. (This can also be
> considered a limitation if you are maintaining cross context security, but
> you could easily tie into a larger security system if this is needed)
>
> Anyways, it is not the "standard" but it functions well and gives greater
> freedom. I found container managed security to be a greater "hack" job
> when I wanted to accomplish my goals. If anybody is interested I can post
> it for review. It is certainly not mature and the code is fit for my
> current situation with an eye to greater flexibility. I think that it
> could provide a good starting point for a cross-container simple alternate
> solution to the current container managed security.
>
> P.S. I have to improve the documentation :-)
>
> Thanks for your time,
> Brandon Goodin
> Phase Web and Multimedia
> P (406) 862-2245
> F (406) 862-0354
> mail@phase.ws
> http://www.phase.ws
>
>
>
>




RE: Security Solution

Posted by Phase Web and Multimedia <ma...@phase.ws>.
In response:

1) The use of this security solution is confined (at this point) to a
context in a host. Most of the time there is only one context per host.

2) It is a non-standard way of providing security checks. Many of the built
in role checking that is in struts/tiles and the programmatic security
checking would not be available. Although syntactically it would function
the same it would have no ties to the container managed security.

3) A servlet 2.3 compliant container with struts is necessary. It uses a
filter as the url guardian. I am sure the filter could be extracted and
tweaked to work in other situations other than struts.

4) There are a few options. There is container based security or you can
roll your own. Security has been (imho) a severely neglected area. As a
designer/developer I find it to be a pain in the butt that one is limited to
a single login page for all security constraints. This is the imposed
standard. Much of the way security is set up flies in the face of easy end
user interaction. Container managed security lacks the ability to login or
remain logged in. This is fairly absurd imho. Others have developed front
end checks that work in conjunction with container managed security which
perform sleight of hand logins. For example, if you want to use container
managed security you could initially redirect to a secure url that forwards
to a struts action or a servlet which first checks to see if a cookie
exists, then gathers u/p from the cookie and logs in and forwards to the
homepage. If a login is not found you can wait until someone hits a secure
url and forward them to the action login page. This smells like hackage.

5) If you want a list of competitive features read the other emails I have
posted to the list and read the servlet 2.3 spec. I am trying to get some
people thinking about intuitive security. I don't claim to have the answer
in my group of classes. I just claim to have a bit more flexibility. I don't
have any EJB or cross context functionality, which other features do and of
course is of high value to many. So, I believe you can get a good idea for
what I have done by reading other posts with the same title as this article.

Let me know what you learn. If you have any contributions or suggestions, I
would appreciate it. I don't claim to know anything much less everything :-)

Hope this helps,
Brandon Goodin
Phase Web and Multimedia
P (406) 862-2245
F (406) 862-0354
mail@phase.ws
http://www.phase.ws


-----Original Message-----
From: Neil Pitman [mailto:npitman@interlink.net]
Sent: Monday, April 01, 2002 1:31 PM
To: Struts Users Mailing List
Cc: Struts Developers List
Subject: Re: Security Solution


Hello Brandon,

This might be interesting to me, but then I'm a newbie so I'm not sure
whether I should be interested.

As an alternative to posting sources here, you could create a project on
SourceForge.net.  It would relieve this list of the specific traffic.

One aspect of documentation that I find particularly lacking is an
"appropriateness" section.  I expect it to be missing in commercial
documentation (because no one wants to lose a sale).  I have been
searching open source for the last few months.  I really have to dig
into each project to understand whether it is appropriate.

Could you provide:
1) indications for use
2) contra-indications against use
3) known complementary technologies (those it depends upon, those that
depend on it, those with a synergistic relationship)
4) known competitive technologies (ones where I have to choose the one
feature set or another)
5) a comparative feature list (including versions of competitors).

Ok, it sounds like I want a month of the marketing department.  A line
or two would suffice.  Indeed, "unknown" would help - it would at least
tell me that I'm on my own.


Phase Web and Multimedia wrote:

> Greetings,
>
> I wanted to offer some code if anyone is interested. I have seen many
> discuss security on archives and wanted to offer an alternative to
> container managed security.
>
> I spent some time weighing out whether to use container managed security
> or not and came to the conclusion that I would use a filter for security.
> There were several inflexibilities in the spec for container managed
> security. I wrote a security filter that functions very similar to
> container managed security. It has an xml config file that is used to
> protect urls. There are a few differences in the config and how you define
> protected areas and where you are directed.
>
> Basically there are three areas of greater flexibility.
>
> 1) you can define several security-constraint groups with different login
> pages.
> 2) you can login easily without having to hit a secure page first
> 3) you can set up an app specific security realm. (This can also be
> considered a limitation if you are maintaining cross context security, but
> you could easily tie into a larger security system if this is needed)
>
> Anyways, it is not the "standard" but it functions well and gives greater
> freedom. I found container managed security to be a greater "hack" job
> when I wanted to accomplish my goals. If anybody is interested I can post
> it for review. It is certainly not mature and the code is fit for my
> current situation with an eye to greater flexibility. I think that it
> could provide a good starting point for a cross-container simple alternate
> solution to the current container managed security.
>
> P.S. I have to improve the documentation :-)
>
> Thanks for your time,
> Brandon Goodin
> Phase Web and Multimedia
> P (406) 862-2245
> F (406) 862-0354
> mail@phase.ws
> http://www.phase.ws
>
>
>
>


--
Neil Pitman
npitman@interlink.net
+1.514.863.5465







Re: Security Solution

Posted by Neil Pitman <np...@interlink.net>.
Hello Brandon,

This might be interesting to me, but then I'm a newbie so I'm not sure 
whether I should be interested.

As an alternative to posting sources here, you could create a project on 
SourceForge.net.  It would relieve this list of the specific traffic.

One aspect of documentation that I find particularly lacking is an 
"appropriateness" section.  I expect it to be missing in commercial 
documentation (because no one wants to lose a sale).  I have been 
searching open source for the last few months.  I really have to dig 
into each project to understand whether it is appropriate.

Could you provide:
1) indications for use
2) contra-indications against use
3) known complementary technologies (those it depends upon, those that 
depend on it, those with a synergistic relationship)
4) known competitive technologies (ones where I have to choose the one 
feature set or another)
5) a comparative feature list (including versions of competitors).

Ok, it sounds like I want a month of the marketing department.  A line 
or two would suffice.  Indeed, "unknown" would help - it would at least 
tell me that I'm on my own.


Phase Web and Multimedia wrote:

> Greetings,
> 
> I wanted to offer some code if anyone is interested. I have seen many
> discuss security on archives and wanted to offer an alternative to container
> managed security.
> 
> I spent some time weighing out whether to use container managed security or
> not and came to the conclusion that I would use a filter for security. There
> were several inflexibilities in the spec for container managed security. I
> wrote a security filter that functions very similar to container managed
> security. It has an xml config file that is used to protect urls. There are
> a few differences in the config and how you define protected areas and where
> you are directed.
> 
> Basically there are three areas of greater flexibility.
> 
> 1) you can define several security-constraint groups with different login
> pages.
> 2) you can login easily without having to hit a secure page first
> 3) you can set up an app specific security realm. (This can also be
> considered a limitation if you are maintaining cross context security, but
> you could easily tie into a larger security system if this is needed)
> 
> Anyways, it is not the "standard" but it functions well and gives greater
> freedom. I found container managed security to be a greater "hack" job when
> I wanted to accomplish my goals. If anybody is interested I can post it for
> review. It is certainly not mature and the code is fit for my current
> situation with an eye to greater flexibility. I think that it could provide
> a good starting point for a cross-container simple alternate solution to the
> current container managed security.
> 
> P.S. I have to improve the documentation :-)
> 
> Thanks for your time,
> Brandon Goodin
> Phase Web and Multimedia
> P (406) 862-2245
> F (406) 862-0354
> mail@phase.ws
> http://www.phase.ws
> 
> 
> 
> 


-- 
Neil Pitman
npitman@interlink.net
+1.514.863.5465




RE: Security Solution

Posted by Phase Web and Multimedia <ma...@phase.ws>.
My previous solution was an extension on the struts action mapping where I
identified roles that people needed to belong to and I set it up as a
property in action config. This worked fine. But, I had to remember to
include two pieces of code in each action class. The other problem was that
when I upgraded to 1.1 it broke my code. Extending action classes is nice.
But, it can cause a headache later when you have to change all of your code.
The other thing was protecting other resources on the system. My action
class did not protect my jsp files and image files. It only protected action
mappings. I found that the action based security model was a bit inefficient.

I have not spent any time using EJB. But, I believe that JAAS could tie much
together outside of a web container. That sentence is spoken in a fair
amount of ignorance. I have spent a short amount of time looking into JAAS.

The filter is merely an app level component that could be fit into a larger
security environment.

My solution fits a market that has users visiting their site who want to
shop, read bulletin boards, chat or whatever. If someone wants to go to the
shopping section and shops and then does a checkout, I don't want to forward
them to a generic login page and then send them back to where they wanted to
go in the first place. I want to provide contextual login pages.

Container managed security does not supply this easily.

The solution that I put together allows you to use the login in three
distinct ways.

1) you can define several Action mappings to the LoginRedirectAction that
define an "auth" forward to the page you want them to go once they are
logged in. The form would call a particular action mapping.
2) you can call the LoginAction class directly from any page. This returns
you to the page that was logged in from.
3) finally you can redirect to a login page of your choice upon the request
of a protected resource. The protected resources are mapped as
security-constraints. But, you can have several security-constraints and
each one can map to a different login page.

There is error page customization that is possible as well:
1) You can specify an error page in your action mapping as "error"
2) In the security constraint group you can define the error page for that
constraint
3) There is a generic error page for direct LoginAction calls

I know this all sounds a bit confusing. But, it would be nice if these
options were available in a mature fashion. I am just trying to expand into
a more flexible solution. I figured putting this on the board would do that.

Brandon Goodin
Phase Web and Multimedia
P (406) 862-2245
F (406) 862-0354
mail@phase.ws
http://www.phase.ws



-----Original Message-----
From: Marcelo Vanzin [mailto:vanza@rededc.com.br]
Sent: Monday, April 01, 2002 12:04 PM
To: Struts Users Mailing List
Subject: Re: Security Solution


Phase Web and Multimedia wrote:
> I wanted to offer some code if anyone is interested. I have seen many
> discuss security on archives and wanted to offer an alternative to
container
> managed security.

	Nice you came up with this problem again, since I remember reading
something about it in the archives, but did not participate in the
threads. :-)

	We have a situation a little more complicated here: we need our users to
be propagated to a remote server where we access some session EJBs. From
what I understood from the specs, for this we *need* to use container
managed security, so that the user Principal is propagated to the
sessionContext when we create the remote objects.

	(BTW, I haven't tested this, so I do not know if it really works. We are
using Tomcat talking remotely to a Weblogic server. Has someone worked
with this?)

	So, I guess that anything outside container managed security is out of
the question for us. What I did is a little ugly, but is working fine:

	- Since not all actions are going to be protected, I extended the
ActionMapping class to have two more attributes: one that says if the
mapping needs the user to be logged in, and another identifying which
permission the user needs (this one is optional and based on the way
Weblogic implemented security, which is a little more complex than the
basic user/role thing defined by the servlet spec; anyway, it's not
relevant here).

	- I have a base Action class where I check if the user is logged in, in
case the current mapping needs a login. This is done in the perform
method, before anything else is executed.

	- If the user is not logged in, I send a redirect to a "login" forward.
The path to this login forward has protected access (declared in the
web.xml file).

	- Once the user logs in, the action executed by the "login" forward
redirects the user to the page he wanted to go in the first place. This
path is stored in the user's session (and is removed after the login is
completed).

	It's been working rather nicely with the simple cases I tested. I'm
working on creating a custom realm for Tomcat where I'll be able to
access our remote user database.

	The problem is that I'm extending the framework a bit (the "needLogin"
part of the ActionMapping). I've seen people suggesting that something
similar was incorporated into the framework, and I think that'd be a
nice addition.

--
[]'s
Marcelo Vanzin
Touch Tecnologia
vanza@rededc.com.br
"Life is too short to drink cheap beer"


--
To unsubscribe, e-mail:
<ma...@jakarta.apache.org>
For additional commands, e-mail:
<ma...@jakarta.apache.org>



Re: Security Solution

Posted by Marcelo Vanzin <va...@rededc.com.br>.
Phase Web and Multimedia wrote:
> I wanted to offer some code if anyone is interested. I have seen many
> discuss security on archives and wanted to offer an alternative to container
> managed security.

	Nice that you came up with this problem again, since I remember reading 
something about it in the archives, but did not participate in the 
threads. :-)

	We have a situation a little more complicated here: we need our users to 
be propagated to a remote server where we access some session EJBs. From 
what I understood from the specs, for this we *need* to use container 
managed security, so that the user Principal is propagated to the 
sessionContext when we create the remote objects.

	(BTW, I haven't tested this, so I do not know if it really works. We are 
using Tomcat talking remotely to a Weblogic server. Has someone worked 
with this?)

	So, I guess that anything outside container managed security is out of 
the question for us. What I did is a little ugly, but is working fine:

	- Since not all actions are going to be protected, I extended the 
ActionMapping class to have two more attributes: one that says if the 
mapping needs the user to be logged in, and another identifying which 
permission the user needs (this one is optional and based on the way 
Weblogic implemented security, which is a little more complex than the 
basic user/role thing defined by the servlet spec; anyway, it's not 
relevant here).

	- I have a base Action class where I check if the user is logged in, in 
case the current mapping needs a login. This is done in the perform 
method, before anything else is executed.

	- If the user is not logged in, I send a redirect to a "login" forward. 
The path to this login forward has protected access (declared in the 
web.xml file).

	- Once the user logs in, the action executed by the "login" forward 
redirects the user to the page he wanted to go in the first place. This 
path is stored in the user's session (and is removed after the login is 
completed).

	It's been working rather nicely with the simple cases I tested. I'm 
working on creating a custom realm for Tomcat where I'll be able to 
access our remote user database.

	The problem is that I'm extending the framework a bit (the "needLogin" 
part of the ActionMapping). I've seen people suggesting that something 
similar was incorporated into the framework, and I think that'd be a 
nice addition.

-- 
[]'s
Marcelo Vanzin
Touch Tecnologia
vanza@rededc.com.br
"Life is too short to drink cheap beer"
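The four steps Marcelo describes (extended ActionMapping, check in the base Action's perform(), redirect to a container-protected "login" forward, bounce back to the parked path) written out as an added example. This is not Marcelo's code and not part of Struts: the package and class names, the RETURN_PATH_KEY session key and the default landing page are assumptions, and the needLogin property is assumed to be filled in from struts-config.xml by the custom-ActionMapping mechanism of the Struts version in use. Three source files are shown in one block.

```java
// ---- SecureActionMapping.java ----  (hypothetical package and class names)
package example.security;

import org.apache.struts.action.ActionMapping;

/** ActionMapping with the extra "needLogin" attribute. Assumed to be filled
 *  in from struts-config.xml by the custom-ActionMapping mechanism of the
 *  Struts version in use. */
public class SecureActionMapping extends ActionMapping {
    private boolean needLogin = false;

    public boolean getNeedLogin() { return needLogin; }
    public void setNeedLogin(boolean needLogin) { this.needLogin = needLogin; }
}

// ---- BaseAction.java ----
package example.security;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import org.apache.struts.action.*;

/** Base Action: the login check runs in perform() before any subclass logic. */
public abstract class BaseAction extends Action {

    /** Session key under which the originally requested path is parked (assumed name). */
    public static final String RETURN_PATH_KEY = "example.security.RETURN_PATH";

    public final ActionForward perform(ActionMapping mapping, ActionForm form,
                                       HttpServletRequest request,
                                       HttpServletResponse response)
            throws IOException, ServletException {
        boolean needLogin = mapping instanceof SecureActionMapping
                && ((SecureActionMapping) mapping).getNeedLogin();

        // With container managed security, no Principal means not logged in.
        if (needLogin && request.getUserPrincipal() == null) {
            // Park only the container-normalised local path (plus query
            // string), never a caller-supplied URL, so the redirect after
            // login cannot be pointed off-site.
            String path = request.getServletPath();
            if (request.getQueryString() != null) {
                path += "?" + request.getQueryString();
            }
            request.getSession(true).setAttribute(RETURN_PATH_KEY, path);
            // The "login" forward's path sits under a <security-constraint>
            // in web.xml, so the container itself challenges for credentials.
            return mapping.findForward("login");
        }
        return doPerform(mapping, form, request, response);
    }

    /** Subclasses put their real work here. */
    protected abstract ActionForward doPerform(ActionMapping mapping, ActionForm form,
                                               HttpServletRequest request,
                                               HttpServletResponse response)
            throws IOException, ServletException;
}

// ---- LoginAction.java ----
package example.security;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import org.apache.struts.action.*;

/** Behind the protected "login" forward, so it only runs once the container
 *  has authenticated the user: send them back to the parked path and
 *  forget it. */
public class LoginAction extends Action {

    public ActionForward perform(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response)
            throws IOException, ServletException {
        String target = null;
        HttpSession session = request.getSession(false);
        if (session != null) {
            target = (String) session.getAttribute(BaseAction.RETURN_PATH_KEY);
            session.removeAttribute(BaseAction.RETURN_PATH_KEY);
        }
        // Defensive: only a context-relative path is ever used as a target.
        if (target == null || !target.startsWith("/")) {
            target = "/welcome.do";   // assumed default landing page
        }
        // redirect = true gives a real HTTP redirect, as in the post.
        return new ActionForward(target, true);
    }
}
```

Two things worth checking in a setup like this: the round trip only works for GET requests, since a POST that trips the login check loses its body and is replayed as a GET of the parked path; and the parked value must come from the request path the container already resolved, not from a request parameter, otherwise the post-login redirect becomes an open redirect.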


Security Solution

Posted by Phase Web and Multimedia <ma...@phase.ws>.
Greetings,

I wanted to offer some code if anyone is interested. I have seen many
discuss security on archives and wanted to offer an alternative to container
managed security.

I spent some time weighing out whether to use container managed security or
not and came to the conclusion that I would use a filter for security. There
were several inflexibilities in the spec for container managed security. I
wrote a security filter that functions very similarly to container managed
security. It has an xml config file that is used to protect URLs. There are
a few differences in the config and how you define protected areas and where
you are directed.

Basically there are three areas of greater flexibility.

1) you can define several security-constraint groups with different login
pages.
2) you can log in easily without having to hit a secure page first
3) you can set up an app specific security realm. (This can also be
considered a limitation if you are maintaining cross context security, but
you could easily tie into a larger security system if this is needed)

Anyways, it is not the "standard" but it functions well and gives greater
freedom. I found container managed security to be a greater "hack" job when
I wanted to accomplish my goals. If anybody is interested I can post it for
review. It is certainly not mature and the code is fit for my current
situation with an eye to greater flexibility. I think that it could provide
a good starting point for a cross-container simple alternate solution to the
current container managed security.

P.S. I have to improve the documentation :-)

Thanks for your time,
Brandon Goodin
Phase Web and Multimedia
P (406) 862-2245
F (406) 862-0354
mail@phase.ws
http://www.phase.ws
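Brandon has not posted his filter, so the following is an added example of the shape he describes, not his code: a Servlet 2.3 Filter that reads an XML file of security-constraint groups, each with its own login page, and lets the application's own login action populate the session from an app-specific realm. The config format, the session keys, the package and class names are all assumptions.

```java
package example.security;   // hypothetical package

import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

/* Groups come from the file named by the filter's "config" init-param,
 * e.g. /WEB-INF/security-config.xml (the format is an assumption):
 *   <security-config>
 *     <constraint-group login-page="/admin/login.jsp">
 *       <url-pattern>/admin/*</url-pattern>
 *       <role>admin</role>
 *     </constraint-group>
 *     <constraint-group login-page="/members/login.jsp">
 *       <url-pattern>/members/*</url-pattern>
 *     </constraint-group>
 *   </security-config>
 */
public class SecurityFilter implements Filter {
    /** The application's login action checks the credentials against the
     *  app-specific realm and stores the resolved role names (a Set) here. */
    public static final String ROLES_KEY = "example.security.ROLES";
    /** Path to return to once the user has logged in. */
    public static final String RETURN_PATH_KEY = "example.security.RETURN_PATH";

    /** One security-constraint group. */
    private static class Group {
        String loginPage;
        List patterns = new ArrayList();   // servlet-style url-patterns
        List roles = new ArrayList();      // empty = any logged-in user
    }
    private List groups = new ArrayList();

    public void init(FilterConfig cfg) throws ServletException {
        try {
            Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder()
                .parse(cfg.getServletContext()
                          .getResourceAsStream(cfg.getInitParameter("config")));
            NodeList gs = doc.getElementsByTagName("constraint-group");
            for (int i = 0; i < gs.getLength(); i++) {
                Element e = (Element) gs.item(i);
                Group g = new Group();
                g.loginPage = e.getAttribute("login-page");
                NodeList ps = e.getElementsByTagName("url-pattern");
                for (int j = 0; j < ps.getLength(); j++) g.patterns.add(text(ps.item(j)));
                NodeList rs = e.getElementsByTagName("role");
                for (int j = 0; j < rs.getLength(); j++) g.roles.add(text(rs.item(j)));
                groups.add(g);
            }
        } catch (Exception ex) {
            throw new ServletException("cannot load security config", ex);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Match on the container-normalised, context-relative path.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) path += request.getPathInfo();

        Group g = findGroup(path);
        if (g == null) { chain.doFilter(req, res); return; }   // not protected

        HttpSession session = request.getSession(true);
        Set roles = (Set) session.getAttribute(ROLES_KEY);
        if (roles == null) {
            // Park the local path only (never a caller-supplied URL), then
            // send the user to this group's own login page.
            session.setAttribute(RETURN_PATH_KEY, path);
            response.sendRedirect(response.encodeRedirectURL(
                request.getContextPath() + g.loginPage));
            return;
        }
        boolean allowed = g.roles.isEmpty();
        for (Iterator it = g.roles.iterator(); it.hasNext() && !allowed; ) {
            allowed = roles.contains(it.next());
        }
        if (!allowed) { response.sendError(HttpServletResponse.SC_FORBIDDEN); return; }
        chain.doFilter(req, res);
    }

    public void destroy() {}

    private Group findGroup(String path) {
        for (Iterator it = groups.iterator(); it.hasNext(); ) {
            Group g = (Group) it.next();
            for (Iterator p = g.patterns.iterator(); p.hasNext(); ) {
                if (matches((String) p.next(), path)) return g;
            }
        }
        return null;
    }

    /** Servlet-spec style matching: exact, "/prefix/*" or "*.ext". */
    static boolean matches(String pattern, String path) {
        if (pattern.equals("/*") || pattern.equals(path)) return true;
        if (pattern.endsWith("/*")) {
            String dir = pattern.substring(0, pattern.length() - 2);   // "/admin"
            return path.equals(dir) || path.startsWith(dir + "/");
        }
        if (pattern.startsWith("*.")) return path.endsWith(pattern.substring(1));
        return false;
    }

    private static String text(Node n) {
        return n.getFirstChild() == null ? "" : n.getFirstChild().getNodeValue().trim();
    }
}
```

Map the filter to /* in web.xml so no protected path can be reached around it, and keep each login page (and the action it posts to) outside every protected pattern, or the redirect loops. The login action is the only place that sets ROLES_KEY, after it has verified the credentials against the realm, and it should clear any existing session first so a pre-login session id is not carried over. Like container-managed constraints, a Servlet 2.3 filter sees client requests only, not RequestDispatcher forwards or includes.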


Re: Jakarta Regexp Package Issue

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Mon, 1 Apr 2002, David Winterfeldt wrote:

> Date: Mon, 1 Apr 2002 08:23:42 -0800 (PST)
> From: David Winterfeldt <dw...@yahoo.com>
> Reply-To: Struts Developers List <st...@jakarta.apache.org>
> To: Struts Developers List <st...@jakarta.apache.org>
> Subject: Re: Jakarta Regexp Package Issue
>
> I'm planning on switching this over tonight.  I'm
> ready to check in the changes to Commons Validator.
> The unit test I made shows that changing this fixes
> one of the e-mail bugs.  I'll also switch Struts to
> use ORO too.

+1

>
> David
>

Craig


> --- Martin Cooper <ma...@tumbleweed.com>
> wrote:
> > I have no problem with switching to ORO. Then again,
> > I must confess to
> > having no great knowledge of either package
> > (although I do use Regexp on one
> > of my projects). It's interesting that Regexp should
> > be considered lighter -
> > it's a significantly larger download than ORO!
> >
> > I don't think we should allow the user to choose. It
> > would be confusing to
> > the user, and also to us when trying to track down
> > problems and subtle
> > differences in behaviour.
> >
> > --
> > Martin Cooper
> >
> >
> > ----- Original Message -----
> > From: "David Winterfeldt" <dw...@yahoo.com>
> > To: "Struts Developers List"
> > <st...@jakarta.apache.org>
> > Sent: Friday, March 22, 2002 7:56 AM
> > Subject: Jakarta Regexp Package Issue
> >
> >
> > > I'm reposting this.  It might be easily missed
> > since I
> > > forwarded the bug for this that I filed.
> > >
> > > Email Validation doesn't allow '-' in address.
> > This
> > > is an error in the Jakarta Regexp package.  It
> > also
> > > has trouble with large max values.
> > >    ex: ^\d{2,1000}$
> > >
> > > Does anyone think we should just switch to ORO?
> > I'm
> > > leaning that way, but I used Jakarta Regexp
> > because it
> > > was considered 'lighter'.  If it isn't completely
> > > reliable, that doesn't really matter.  Or we could
> > > include both as an option, but I don't want to
> > confuse
> > > anyone.
> > >
> > > David
> > >
> > >
> >
>

