Posted to dev@struts.apache.org by "Micah J. Schehl" <mi...@hotmail.com> on 2002/04/09 20:30:03 UTC

Declarative Security Functionality

I have implemented struts in some projects and have found a need for doing declarative security.  Much like your role-based security, I would like to define the security in the struts config xml file, but I am looking at taking a step further.  I would appreciate any advice or pointers.  This will be my first time getting deep into the Struts source code.

The problem I am trying to get a good solution for is redundant code checking conditions at the beginning of each action.  If the user doesn't pass all the conditions then they are rejected from the page.  The rejection would be configurable to either show as a "page not found" or would forward/redirect them to a specified page.

Here is what I was thinking that the struts config file might look like.  

    <security-checker   name="roleCheck"  class="com.schehl.security.IsUserInRole" />

    <action path="/showMain" type="com.schehl.main.webapp.MainAction">
      <security    name="roleCheck">
            <param>
                <param-name>allow-roles</param-name>
                <param-value>admin</param-value>
            </param>
            <param>
                <param-name>allow-users</param-name>
                <param-value>admin</param-value>
            </param>
            <failure    path="/pages/no-access.jsp"/>
            <!-- failure    response="no page" / -->
      </security>

      <forward name="success" path="/pages/main.jsp" />
    </action>


The class com.schehl.security.IsUserInRole would extend a class, com.strutssecurity.SecurityChecker, which would be responsible for setting the configuration parameters and would have a method boolean check(HttpRequest request) which would default to pass back true, but would be overridden to perform the checks.

I thank you so much for any and all help, advice, or redirection you can give me.

Thanks,
Micah J. Schehl
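As an added example (not code from the original post or from any project), here is how the SecurityChecker base class, the IsUserInRole checker and the configured failure described above could be written against the Servlet API. The init() hook, the fromParam() helper and the SecurityFailure class are my assumptions, and check() takes an HttpServletRequest because that is the servlet-spec type.

```java
// Added example, not code from the post. Class names follow the proposal;
// init(), fromParam() and SecurityFailure are assumed names for the glue.
import java.io.IOException;
import java.util.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;

/** com.strutssecurity.SecurityChecker: holds the <param> entries; check() defaults to true. */
abstract class SecurityChecker {
    protected final Map<String, String> params = new HashMap<String, String>();
    /** Assumed hook: receives the <param-name>/<param-value> pairs of one <security> element. */
    public void init(Map<String, String> config) { params.putAll(config); }
    /** Default permits, as proposed; note a subclass that forgets to override this fails open. */
    public boolean check(HttpServletRequest request) { return true; }
    /** Comma-separated param value as a set; empty when the param is absent. */
    protected Set<String> fromParam(String name) {
        Set<String> out = new HashSet<String>();
        String value = params.get(name);
        if (value != null)
            for (String s : value.split(",")) if (s.trim().length() > 0) out.add(s.trim());
        return out;
    }
}

/** com.schehl.security.IsUserInRole: permit only an authenticated caller named in allow-users
 *  or holding at least one of the allow-roles roles; everything else is denied. */
class IsUserInRole extends SecurityChecker {
    public boolean check(HttpServletRequest request) {
        String user = request.getRemoteUser();
        if (user == null) return false;                 // unauthenticated: deny, never fall through
        if (fromParam("allow-users").contains(user)) return true;
        for (String role : fromParam("allow-roles"))
            if (request.isUserInRole(role)) return true;
        return false;                                   // deny unless explicitly allowed
    }
}

/** The <failure> element: a configured path forwards there; no path answers "page not found". */
class SecurityFailure {
    private final String path;                          // null means respond with 404
    SecurityFailure(String path) { this.path = path; }
    /** Called when check() returned false; the Action must not run afterwards. */
    void apply(HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException {
        if (path == null) { resp.sendError(HttpServletResponse.SC_NOT_FOUND); return; }
        req.getRequestDispatcher(path).forward(req, resp);
    }
}
```

The checker is deny-by-default for anything not explicitly listed, which is the property a practitioner would want from a single shared check that replaces per-action code.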

RE: Declarative Security Functionality

Posted by Phase Web and Multimedia <ma...@phase.ws>.
I will be making it available on sourceforge this week. I am trying to
document it better and clean up some rough edges. I can send it to you how
it is, but it is only tested on Tomcat 4. Good ol' alpha quality stuff.

Let me know,
Brandon Goodin
Phase Web and Multimedia
P (406) 862-2245
F (406) 862-0354
mail@phase.ws
http://www.phase.ws


-----Original Message-----
From: Micah J. Schehl [mailto:micah_schehl@hotmail.com]
Sent: Tuesday, April 09, 2002 2:06 PM
To: Struts Developers List
Subject: Re: Declarative Security Functionality


Brandon,

    Your project sounds like it could be useful.  I am using iPlanet
webserver, which is Servlet 2.2 compliant but does implement the Filters for
Servlet 2.3.  (see below)  I read through the mail archives, and hopefully I
read everything to date.

I had once looked at programmatically telling the webserver container to log
the user in.  I couldn't find any way of doing that through a servlet spec
compliant interface.  So I decided to implement programmatic security, where
in each action if the user isn't logged in, then they are redirected to a
secured link in the container.  The container would then pop up the
j_security_check form and the user could log in.

I can see using filters as being a great improvement, and I looked into
using them before, but I wasn't sure how to implement it elegantly with
multiple web-apps and with making it work with an application server.  I
couldn't figure out how to keep the security configurations separate for
each web-app.

Oh, and is your source available yet?  I looked for it on sourceforge and
didn't find it.

Thanks,
Micah J. Schehl

__References__
From iPlanet Web Server: Programmer's Guide to Servlets:
http://docs.iplanet.com/docs/manuals/enterprise/50/servlets/war.htm
    "Although iPlanet Web Server 6.0 supports only the Servlet 2.2 API in
     the web.xml file, the Filter API from the Servlet 2.3 specification is
     available in the web-apps.xml file.

     The filter and filter-mapping elements implement the Filter API. They
     are both subelements of a web-app element in the web-apps.xml file.
     Except for their file location, filter and filter-mapping are as
     described in the Servlet 2.3 specification."

----- Original Message -----
From: "Phase Web and Multimedia" <ma...@phase.ws>
To: "Struts Developers List" <st...@jakarta.apache.org>
Sent: Tuesday, April 09, 2002 2:47 PM
Subject: RE: Declarative Security Functionality


> This looks like it could use a Filter if you are on a 2.3 servlet spec
> Container. Do a search of "Security Solution" and the mail-archive. I am
> developing a security solution that sits in between struts and container
> managed security and allows for unique error page and login page
> configuration. I have a sourceforge project that I am setting up with this.
> Previously I was looking to replace the container managed security. But, now
> I have found a hook that will allow me to tie into it.
>
> Let me know if you find it useful.
> Brandon Goodin
> Phase Web and Multimedia
> P (406) 862-2245
> F (406) 862-0354
> mail@phase.ws
> http://www.phase.ws
>
>
> -----Original Message-----
> From: Micah J. Schehl [mailto:micah_schehl@hotmail.com]
> Sent: Tuesday, April 09, 2002 12:30 PM
> To: struts-dev@jakarta.apache.org
> Subject: Declarative Security Functionality
>
>
>
> I have implemented struts in some projects and have found a need for doing
> declarative security.  Much like your role-based security, I would like to
> define the security in the struts config xml file, but I am looking at
> taking a step further.  I would appreciate any advice or pointers.  This
> will be my first time getting deep into the Struts source code.
>
> The problem I am trying to get a good solution for is redundant code
> checking conditions at the beginning of each action.  If the user doesn't
> pass all the conditions then they are rejected from the page.  The rejection
> would be configurable to either show as a "page not found" or would
> forward/redirect them to a specified page.
>
> Here is what I was thinking that the struts config file might look like.
>
>     <security-checker   name="roleCheck"  class="com.schehl.security.IsUserInRole" />
>
>     <action path="/showMain" type="com.schehl.main.webapp.MainAction">
>       <security    name="roleCheck">
>             <param>
>                 <param-name>allow-roles</param-name>
>                 <param-value>admin</param-value>
>             </param>
>             <param>
>                 <param-name>allow-users</param-name>
>                 <param-value>admin</param-value>
>             </param>
>             <failure    path="/pages/no-access.jsp"/>
>             <!-- failure    response="no page" / -->
>       </security>
>
>       <forward name="success" path="/pages/main.jsp" />
>     </action>
>
>
> The class com.schehl.security.IsUserInRole would extend a class,
> com.strutssecurity.SecurityChecker, which would be responsible for setting
> the configuration parameters and would have a method boolean
> check(HttpRequest request) which would default to pass back true, but would
> be overridden to perform the checks.
>
> I thank you so much for any and all help, advice, or redirection you can
> give me.
>
> Thanks,
> Micah J. Schehl
>
>
>
>
>
> --
> To unsubscribe, e-mail:
<ma...@jakarta.apache.org>
> For additional commands, e-mail:
<ma...@jakarta.apache.org>
>
>






Re: Declarative Security Functionality

Posted by "Micah J. Schehl" <mi...@hotmail.com>.
Brandon,

    Your project sounds like it could be useful.  I am using iPlanet
webserver, which is Servlet 2.2 compliant but does implement the Filters for
Servlet 2.3.  (see below)  I read through the mail archives, and hopefully I
read everything to date.

I had once looked at programmatically telling the webserver container to log
the user in.  I couldn't find any way of doing that through a servlet spec
compliant interface.  So I decided to implement programmatic security, where
in each action if the user isn't logged in, then they are redirected to a
secured link in the container.  The container would then pop up the
j_security_check form and the user could log in.

I can see using filters as being a great improvement, and I looked into
using them before, but I wasn't sure how to implement it elegantly with
multiple web-apps and with making it work with an application server.  I
couldn't figure out how to keep the security configurations separate for
each web-app.

Oh, and is your source available yet?  I looked for it on sourceforge and
didn't find it.

Thanks,
Micah J. Schehl

__References__
From iPlanet Web Server: Programmer's Guide to Servlets:
http://docs.iplanet.com/docs/manuals/enterprise/50/servlets/war.htm
    "Although iPlanet Web Server 6.0 supports only the Servlet 2.2 API in
     the web.xml file, the Filter API from the Servlet 2.3 specification is
     available in the web-apps.xml file.

     The filter and filter-mapping elements implement the Filter API. They
     are both subelements of a web-app element in the web-apps.xml file.
     Except for their file location, filter and filter-mapping are as
     described in the Servlet 2.3 specification."

----- Original Message -----
From: "Phase Web and Multimedia" <ma...@phase.ws>
To: "Struts Developers List" <st...@jakarta.apache.org>
Sent: Tuesday, April 09, 2002 2:47 PM
Subject: RE: Declarative Security Functionality


> This looks like it could use a Filter if you are on a 2.3 servlet spec
> Container. Do a search of "Security Solution" and the mail-archive. I am
> developing a security solution that sits in between struts and container
> managed security and allows for unique error page and login page
> configuration. I have a sourceforge project that I am setting up with this.
> Previously I was looking to replace the container managed security. But, now
> I have found a hook that will allow me to tie into it.
>
> Let me know if you find it useful.
> Brandon Goodin
> Phase Web and Multimedia
> P (406) 862-2245
> F (406) 862-0354
> mail@phase.ws
> http://www.phase.ws
>
>
> -----Original Message-----
> From: Micah J. Schehl [mailto:micah_schehl@hotmail.com]
> Sent: Tuesday, April 09, 2002 12:30 PM
> To: struts-dev@jakarta.apache.org
> Subject: Declarative Security Functionality
>
>
>
> I have implemented struts in some projects and have found a need for doing
> declarative security.  Much like your role-based security, I would like to
> define the security in the struts config xml file, but I am looking at
> taking a step further.  I would appreciate any advice or pointers.  This
> will be my first time getting deep into the Struts source code.
>
> The problem I am trying to get a good solution for is redundant code
> checking conditions at the beginning of each action.  If the user doesn't
> pass all the conditions then they are rejected from the page.  The rejection
> would be configurable to either show as a "page not found" or would
> forward/redirect them to a specified page.
>
> Here is what I was thinking that the struts config file might look like.
>
>     <security-checker   name="roleCheck"  class="com.schehl.security.IsUserInRole" />
>
>     <action path="/showMain" type="com.schehl.main.webapp.MainAction">
>       <security    name="roleCheck">
>             <param>
>                 <param-name>allow-roles</param-name>
>                 <param-value>admin</param-value>
>             </param>
>             <param>
>                 <param-name>allow-users</param-name>
>                 <param-value>admin</param-value>
>             </param>
>             <failure    path="/pages/no-access.jsp"/>
>             <!-- failure    response="no page" / -->
>       </security>
>
>       <forward name="success" path="/pages/main.jsp" />
>     </action>
>
>
> The class com.schehl.security.IsUserInRole would extend a class,
> com.strutssecurity.SecurityChecker, which would be responsible for setting
> the configuration parameters and would have a method boolean
> check(HttpRequest request) which would default to pass back true, but would
> be overridden to perform the checks.
>
> I thank you so much for any and all help, advice, or redirection you can
> give me.
>
> Thanks,
> Micah J. Schehl
>
>
>
>
>



RE: Declarative Security Functionality

Posted by Phase Web and Multimedia <ma...@phase.ws>.
This looks like it could use a Filter if you are on a 2.3 servlet spec
Container. Do a search of "Security Solution" and the mail-archive. I am
developing a security solution that sits in between struts and container
managed security and allows for unique error page and login page
configuration. I have a sourceforge project that I am setting up with this.
Previously I was looking to replace the container managed security. But, now
I have found a hook that will allow me to tie into it.

Let me know if you find it useful.
Brandon Goodin
Phase Web and Multimedia
P (406) 862-2245
F (406) 862-0354
mail@phase.ws
http://www.phase.ws


-----Original Message-----
From: Micah J. Schehl [mailto:micah_schehl@hotmail.com]
Sent: Tuesday, April 09, 2002 12:30 PM
To: struts-dev@jakarta.apache.org
Subject: Declarative Security Functionality



I have implemented struts in some projects and have found a need for doing
declarative security.  Much like your role-based security, I would like to
define the security in the struts config xml file, but I am looking at
taking a step further.  I would appreciate any advice or pointers.  This
will be my first time getting deep into the Struts source code.

The problem I am trying to get a good solution for is redundant code
checking conditions at the beginning of each action.  If the user doesn't
pass all the conditions then they are rejected from the page.  The rejection
would be configurable to either show as a "page not found" or would
forward/redirect them to a specified page.

Here is what I was thinking that the struts config file might look like.

    <security-checker   name="roleCheck"  class="com.schehl.security.IsUserInRole" />

    <action path="/showMain" type="com.schehl.main.webapp.MainAction">
      <security    name="roleCheck">
            <param>
                <param-name>allow-roles</param-name>
                <param-value>admin</param-value>
            </param>
            <param>
                <param-name>allow-users</param-name>
                <param-value>admin</param-value>
            </param>
            <failure    path="/pages/no-access.jsp"/>
            <!-- failure    response="no page" / -->
      </security>

      <forward name="success" path="/pages/main.jsp" />
    </action>


The class com.schehl.security.IsUserInRole would extend a class,
com.strutssecurity.SecurityChecker, which would be responsible for setting
the configuration parameters and would have a method boolean
check(HttpRequest request) which would default to pass back true, but would
be overridden to perform the checks.

I thank you so much for any and all help, advice, or redirection you can
give me.

Thanks,
Micah J. Schehl




