Posted to user@struts.apache.org by Joanne L Corless <jc...@csc.com> on 2004/02/12 13:36:52 UTC

Securing Struts - Which is my best option

Hi,

I know this topic has been discussed before but I've looked at all the
previous posts and can't find anything to answer my problem.

I have a Struts app that is designed to use a database user with very
limited rights pre-login and then post-login it is designed to use the
user's own view.

I want to secure the app so that any erroneous requests are directed
straight to the login page - I've looked at the Sourceforge SecurityFilter
and it fits about 75% of my requirements. The main problem is that both pre
and post login there are lots of environment variables to set up for
presentation etc.

Currently (in the unsecured app) the flow works as such:

index.jsp -forwards->
             /initialise.do  -loads default settings->
                         .login_layout_tiles  -on submit -> /loginaction.do
(if successful login) -loads user specific settings-> .user_layout_tile

This works fine but is obviously not secure. How, basically, do I combine
Struts and the security filter so that I can get the best of both worlds?

I'm happy with the SecurityFilter implementation. I've got a basic version
working with my backend DB; it's adding in Struts that's causing the headache
at the moment.

Regards
Joanne Corless

CSC Computer Sciences Limited
---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org


Re: Securing Struts - Which is my best option

Posted by Adam Hardy <ah...@cyberspaceroad.com>.
Joanne,
Struts can be used to implement security easily using the 'roles=' 
attribute on the action mappings in your struts-config. This allows you 
to specify which roles can access an action or not. This depends on use 
of container-managed security, but I think that the SecurityFilter 
plugin is able to emulate that. I don't have any experience with 
SecurityFilter.

You can also use ssl-ext (or sslext?) to map your action urls to http or 
https.

Container-managed security takes away a lot of the development work too 
of course. Specifying in the web.xml which URLs should be protected is 
about all you need to do, along with setting up the login realm.

HTH
Adam

On 02/12/2004 01:36 PM Joanne L Corless wrote:
> Hi,
> 
> I know this topic has been discussed before but I've looked at all the
> previous posts and can't find anything to answer my problem.
> 
> I have a Struts app that is designed to use a database user with very
> limited rights pre-login and then post-login it is designed to use the
> user's own view.
> 
> I want to secure the app so that any erroneous requests are directed
> straight to the login page - I've looked at the Sourceforge SecurityFilter
> and it fits about 75% of my requirements. The main problem is that both pre
> and post login there are lots of environment variables to set up for
> presentation etc.
> 
> Currently (in the unsecured app) the flow works as such:
> 
> index.jsp -forwards->
>              /initialise.do  -loads default settings->
>                          .login_layout_tiles  -on submit -> /loginaction.do
> (if successful login) -loads user specific settings-> .user_layout_tile
> 
> This works fine but is obviously not secure. How, basically, do I combine
> Struts and the security filter so that I can get the best of both worlds?
> 
> I'm happy with the SecurityFilter implementation. I've got a basic version
> working with my backend DB; it's adding in Struts that's causing the headache
> at the moment.
> 
> Regards
> Joanne Corless


-- 
struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian


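As an added illustration (not code from either poster), this is how the 'roles=' attribute and the web.xml protection Adam describes fit together for the flow in the question; the role name "user", the post-login action path /loadUserSettings and the Action class names are assumptions, and the Tiles definition names and /initialise.do come from the original post. Note that under container-managed FORM authentication the login form posts to the container's j_security_check, not to an application action such as /loginaction.do.

```xml
<!-- struts-config.xml (Struts 1.1). The RequestProcessor checks the roles
     attribute with request.isUserInRole() before the Action is executed,
     so a mapping without a roles attribute is open to everyone. -->
<action-mappings>
  <!-- pre-login: loads default settings with the limited database user -->
  <action path="/initialise" type="example.InitialiseAction">
    <forward name="success" path=".login_layout_tiles"/>
  </action>
  <!-- post-login: only principals in role "user" reach this mapping;
       any other request is rejected by Struts before the Action runs -->
  <action path="/loadUserSettings" type="example.LoadUserSettingsAction"
          roles="user">
    <forward name="success" path=".user_layout_tile"/>
  </action>
</action-mappings>

<!-- web.xml: container-managed security. The container enforces these
     constraints before the request ever reaches the ActionServlet,
     so an unauthenticated request for a protected URL is sent to the
     login page rather than to the action. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Post-login actions</web-resource-name>
    <url-pattern>/loadUserSettings.do</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <!-- index.jsp forwards to /initialise.do, which loads the default
         settings and shows .login_layout_tiles; that login form must
         POST j_username and j_password to j_security_check -->
    <form-login-page>/index.jsp</form-login-page>
    <form-error-page>/index.jsp</form-error-page>
  </form-login-config>
</login-config>
<!-- every role named in roles= or auth-constraint must be declared -->
<security-role>
  <role-name>user</role-name>
</security-role>
```

The realm that maps users and passwords to the "user" role is configured in the container (for Tomcat, a Realm element in server.xml or context.xml), which is the "login realm" step in the reply; the user-specific settings from the original /loginaction.do can then be loaded in the first protected action instead.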