Posted to user@struts.apache.org by he...@teradyne.com on 2003/04/25 23:01:41 UTC

Roles, isUserInRole(), getUserPrincipal() and of course JAAS

I hate bringing up this subject, but I can't find a definite answer in the
past posts.

I want to use existing methods for checking if the current user "has a"
role.
This would include isUserInRole() of HttpServletRequest which again is used
by certain tags and actionConfig... I assume..?!?

But I still want to use my own JAAS based security infrastructure that
authenticates and authorizes not only actions, but sections of JSPs so that
an admin can see certain parts of a page a "lesser" human being can't.
Struts Menu 1.2 comes to mind.
Plus I want (I want and want and want) to have the users' Principal(s)
readily available in the user's HTTP session for any other possible use I
might have.

The only way I can see that happening is if I extend
HttpServletRequestWrapper and do some "magic" in the applicable
methods (check for session, get Principal(s) from session, match.....).
Or am I just completely crazy? Would this have some unfortunate side
effects?

-Henrik Bentel


PS! and yes, I've read Dan Moore's article at www.mooreds.com/jaas.html
plus a few other documents. None of which gave me the "complete" answer.



---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org


Re: Roles, isUserInRole(), getUserPrincipal() and of course JAAS

Posted by Max Cooper <ma...@maxcooper.com>.
I believe the only way to effectively implement those methods in the request
is to create a Filter and use your own HttpServletRequestWrapper as you
suggested. This is how SecurityFilter works. Implementing those methods in
the request wrapper seems to work quite well -- I don't have any side
effects to note.

Having your app access the Principal via the getUserPrincipal() method
(rather than digging it out of the session itself) would also be a good idea
after the implementation is in place.

-Max

----- Original Message ----- 
From: <he...@teradyne.com>
To: <st...@jakarta.apache.org>
Sent: Friday, April 25, 2003 2:01 PM
Subject: Roles, isUserInRole(), getUserPrincipal() and of course JAAS


>
> I hate bringing up this subject, but I can't find a definite answer in the
> past posts.
>
> I want to use existing methods for checking if the current user "has a"
> role.
> This would include isUserInRole() of HttpServletRequest which again is used
> by certain tags and actionConfig... I assume..?!?
>
> But I still want to use my own JAAS based security infrastructure that
> authenticates and authorizes not only actions, but sections of JSPs so that
> an admin can see certain parts of a page a "lesser" human being can't.
> Struts Menu 1.2 comes to mind.
> Plus I want (I want and want and want) to have the users' Principal(s)
> readily available in the user's HTTP session for any other possible use I
> might have.
>
> The only way I can see that happening is if I extend
> HttpServletRequestWrapper and do some "magic" in the applicable
> methods (check for session, get Principal(s) from session, match.....).
> Or am I just completely crazy? Would this have some unfortunate side
> effects?
>
> -Henrik Bentel
>
>
> PS! and yes, I've read Dan Moore's article at www.mooreds.com/jaas.html
> plus a few other documents. None of which gave me the "complete" answer.



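
The Filter plus HttpServletRequestWrapper approach discussed in this thread, as an added sketch that is not code from either poster or from SecurityFilter. It assumes the application's login code stores the authenticated JAAS Subject in the session under the hypothetical key SUBJECT_KEY, and that user and role principals implement the hypothetical marker interfaces UserPrincipal and RolePrincipal; it uses the javax.servlet API and Java 5 or later syntax.

```java
import java.io.IOException;
import java.security.Principal;
import javax.security.auth.Subject;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: SUBJECT_KEY, UserPrincipal and RolePrincipal are hypothetical names.
public class SessionSubjectFilter implements Filter {
    public static final String SUBJECT_KEY = "app.jaas.subject";
    /** Marker types so a user identity is never mistaken for a role of the same name. */
    public interface UserPrincipal extends Principal {}
    public interface RolePrincipal extends Principal {}

    public void init(FilterConfig cfg) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Everything downstream (actions, JSP tags) sees the wrapped request.
        chain.doFilter(new SubjectRequest((HttpServletRequest) req), res);
    }

    static class SubjectRequest extends HttpServletRequestWrapper {
        SubjectRequest(HttpServletRequest request) { super(request); }
        // Looked up on every call, so logout or session invalidation takes effect at once.
        private Subject subject() {
            HttpSession session = getSession(false); // never create a session here
            Object s = (session == null) ? null : session.getAttribute(SUBJECT_KEY);
            return (s instanceof Subject) ? (Subject) s : null;
        }

        public Principal getUserPrincipal() {
            Subject s = subject();
            if (s == null) return null;
            for (Principal p : s.getPrincipals(UserPrincipal.class)) return p;
            return null;
        }

        public String getRemoteUser() {
            Principal p = getUserPrincipal();
            return (p == null) ? null : p.getName();
        }

        public boolean isUserInRole(String role) {
            Subject s = subject();
            if (s == null || role == null) return false; // fail closed when unauthenticated
            for (Principal p : s.getPrincipals(RolePrincipal.class))
                if (role.equals(p.getName())) return true;
            return false;
        }
    }
}
```

The filter has to be mapped ahead of every resource that calls isUserInRole() or getUserPrincipal(); a request that reaches a servlet or JSP without passing through it falls back to the container's own answers.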