Posted to user@struts.apache.org by nirmal_hbti <ni...@rediffmail.com> on 2006/11/27 07:50:15 UTC

Re: Best way to secure struts-webapps?

Hi,

What is the best way to secure struts-webapps without Container Managed
Security?
I have heard of the following possible options but I am confused as to
which one to choose:

1. Using Filters.
2. Override one of the process methods in the ProcessRequest.
3. Make a base action where you check for your criteria in every action's
execute() method.  Then have it invoke a custom "myExecute()" method which
is where you would put the code you normally put in execute().  

I am confused as to which one to choose because I want the security to be at
the application level and I don't want to use any Container Managed Security.
Also, in my application I have different roles, and each role has a separate
set of privileges, like Admin, Customer, Account Manager. I want the
different menus or options to be available only if the logged-in user is in that
role.

Nirmal Kumar





Li-3 wrote:
> 
> I guess the best practice for securing a Struts webapp can never be answered
> by listing a few items of "what to do and how to do". It is a complicated
> topic and has many situations, like for LAN, WAN ...
> 
> Besides, will Struts continue its development rather than enhancement? Or
> will WebWork replace it sooner or later?
> 
> 
> On 8/29/06, Li <am...@gmail.com> wrote:
>>
>> put secure page under /web-inf
>>
>> you can create a tag for checking session validation and/or user object.
>>
>>
>>
>>
>> On 8/29/06, Leon Rosenberg < rosenberg.leon@googlemail.com> wrote:
>> >
>> > The options number 2 and 3 (filter and action) both sound very hale to
>> > me.
>> > If you just want to separate between logged-in and not logged-in users
>> > I would go for option 2.
>> > If you need fine-grained separation, go for BaseAction and check not
>> > only for login but also for action-dependent permissions.
>> >
>> > regards
>> > Leon
>> >
>> > On 8/29/06, Thomas Hamacher <th...@qualigo.de> wrote:
>> > > Hi everyone,
>> > >
>> > > I think I have a very basic question here, but after spending some
>> > > time with Google I haven't found a real solution to this question: What
>> > > is the best way to secure a Struts web application to be sure that only
>> > > logged-in users are allowed to do some special action and access some
>> > > special pages?
>> > >
>> > > I found 3 possibilities, some of which seem to be a solution from
>> > > older Struts versions.
>> > >
>> > > - Extend the RequestProcessor and do a programmatic security check
>> > > - Use a Filter to do the security check
>> > > - Extend all Actions from a customized BaseAction that does the
>> > >   security check.
>> > >
>> > > But all of this seems a bit strange to me. As security is a standard
>> > > problem in every web application and there are a lot of people who
>> > > have thought about solutions (JAAS), I can't believe that I have to
>> > > extend the Struts framework myself to provide some security issues.
>> > >
>> > > So what would you recommend if you want to do a really secure
>> > > application with Struts, together with Tiles, and want to be sure that
>> > > no pages or actions are used without permission? And all of this
>> > > independent of whether I use Tomcat, Resin or maybe JBoss as my
>> > > Struts web server.
>> > >
>> > > Do you have any information, examples or URLs which have a real
>> > > solution to this?
>> > >
>> > > Thank you very much
>> > >
>> > > Thomas
>> > >
>> > > ---------------------------------------------------------------------
>> > > To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
>> > > For additional commands, e-mail: user-help@struts.apache.org
>> > >
>> > >
>> >
>> >
>> >
>>
>>
>> --
>> When we invent time, we invent death.
>>
> 
> 
> 
> -- 
> When we invent time, we invent death.
> 
> 

-- 
View this message in context: http://www.nabble.com/Best-way-to-secure-struts-webapps--tf2182171.html#a7555589
Sent from the Struts - User mailing list archive at Nabble.com.


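An added example (not code from anyone on this thread) of option 3 as Nirmal describes it: a Struts 1 BaseAction whose execute() does the login and role check and then calls myExecute(). AppUser, the "appUser" session key, the "login" and "success" forwards and the DeleteCustomerAction subclass are assumed names.

```java
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.*;

/** Assumed session user object, stored under "appUser" by the login action
 *  after it has verified the credentials; role names as in the question. */
class AppUser {
    private final Set<String> roles;                 // e.g. {"Admin"} or {"Customer"}
    AppUser(Set<String> roles) { this.roles = roles; }
    boolean hasRole(String role) { return roles.contains(role); }
}

public abstract class BaseAction extends Action {
    static final String USER_KEY = "appUser";

    /** Role this action needs; null means any logged-in user may run it. */
    protected abstract String requiredRole();

    /** Subclasses put here what they would normally put in execute(). */
    protected abstract ActionForward myExecute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception;

    /** final, so no subclass can override execute() and skip the check. */
    public final ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        HttpSession session = request.getSession(false);  // never create one here
        AppUser user = (session == null) ? null : (AppUser) session.getAttribute(USER_KEY);
        if (user == null) {
            return mapping.findForward("login");         // assumed global forward
        }
        String role = requiredRole();
        if (role != null && !user.hasRole(role)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN); // logged in, not allowed
            return null;                                  // response already handled
        }
        return myExecute(mapping, form, request, response);
    }
}

/** Example subclass (its own file in practice): only the Admin role may run it. */
class DeleteCustomerAction extends BaseAction {
    protected String requiredRole() { return "Admin"; }
    protected ActionForward myExecute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) {
        // ... delete the customer here, then:
        return mapping.findForward("success");
    }
}
```

The same AppUser.hasRole() check can decide in the JSP which menu entries to render, but the server-side check in execute() is what actually stops a user who types the URL of an action their menu does not show.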


Re: Best way to secure struts-webapps?

Posted by Chris Pratt <th...@gmail.com>.
You might look into the Security Filter project at SourceForge (
http://securityfilter.sourceforge.net/), we're using it and it seems to work
very nicely.
  (*Chris*)
