Posted to user@struts.apache.org by Leandro Melo <lt...@yahoo.com.br> on 2004/08/19 02:14:18 UTC

Security - From tradition to struts

Please help me out here!
I'm very new with JAAS, so I need some help.

I got a simple login that is working fine for me; here
it is:

...
<FORM action='<%= response.encodeURL("j_security_check") %>'
      method="post">
      <!-- post, not get: a GET form puts j_password into the URL, the browser history and the server logs -->
      <!-- these names must be exactly like this -> j_username -->
       NOME: <INPUT type="text" name="j_username" />

       <!-- must be j_password -->
       SENHA: <INPUT type="password" name="j_password" />
       <INPUT type="submit" value="Login" />
</FORM>
...

I'm using JBoss' default stuff (LoginModule,
CallbackHandler, etc...) to make it works. Here's a
piece of my configuration file (for jboss).

...
example2 {
    org.jboss.security.auth.spi.DatabaseServerLoginModule required
        dsJndiName="java:/DefaultDS"
        principalsQuery="Select Password from Principals where PrincipalID=?"
        rolesQuery="Select Role 'Roles', RoleGroup 'RoleGroups' from Roles where PrincipalID=?"
    ;
};
...


As I said, this works fine for me. I only wrote the
configuration and login.jsp; after the user submits
data from login.jsp, JBoss takes care of the whole
thing and directs the user to index.jsp (in
case of successful login).

NOW, I want to do the exact same thing with Struts (my
environment is all set up; the only thing I didn't have
was the login module, I already have everything set
and working with Tiles).

The problem is that I don't know what to do, because
I'll probably have to write a Servlet that handles
this request, won't I???

Here's my web.xml:
	<security-constraint>
		<web-resource-collection>
			<web-resource-name>Restricted</web-resource-name>
			<description>Declarative security tests</description>
			<url-pattern>/jaas_tests/*</url-pattern>
			<!-- listing methods constrains only these verbs; any other method
			     (OPTIONS, TRACE, ...) reaches /jaas_tests/* without a login.
			     Omitting the http-method elements covers every method. -->
			<http-method>HEAD</http-method>
			<http-method>GET</http-method>
			<http-method>POST</http-method>
			<http-method>PUT</http-method>
			<http-method>DELETE</http-method>
		</web-resource-collection>

		<auth-constraint>
			<role-name>Echo</role-name>
			<!--<role-name>Java</role-name>-->
		</auth-constraint>
		<user-data-constraint>
			<description>no description</description>
			<!-- NONE: the login form and j_password travel unencrypted;
			     CONFIDENTIAL makes the container require TLS for these URLs -->
			<transport-guarantee>NONE</transport-guarantee>
		</user-data-constraint>
	</security-constraint>
	<login-config>
		<auth-method>FORM</auth-method>
		<form-login-config>
			<form-login-page>/jaas_tests/login.jsp</form-login-page>
			<form-error-page>/jaas_tests/error.jsp</form-error-page>
		</form-login-config>
	</login-config>


I can start by changing the login page from login.jsp
to login.do, mapping this Action, then what... ???

Thanks,
Leandro




	
	
		

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: Security - From tradition to struts

Posted by struts lover <st...@yahoo.com>.
Create a utility class method that takes username and
password as parameters. Connect to database from this
utility class method, and return a boolean based on
the search for username and password. Have this
utility method called from your action class.




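A utility method of the kind suggested in this reply, written here as an added example rather than code posted in the thread. It assumes the Principals table and Password column from the JBoss principalsQuery in the first message, and that Password holds a PBKDF2 record produced by hashForStorage rather than a plaintext password; the class name PasswordChecker and the record format are assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Username/password check that returns a boolean, for an Action to call. */
public final class PasswordChecker {
    // Same table and column as the JBoss principalsQuery quoted at the top of the thread.
    private static final String QUERY = "SELECT Password FROM Principals WHERE PrincipalID = ?";
    private static final int ITERATIONS = 100000;
    private static final int KEY_BITS = 256;
    private static final int SALT_BYTES = 16;
    // Decoy record, verified when the user does not exist so both paths cost the same time.
    private static final String DECOY = hashForStorage("decoy-not-a-real-password".toCharArray());

    /** True only when the user exists and the password matches the stored PBKDF2 record. */
    public static boolean authenticate(Connection db, String username, char[] password)
            throws SQLException {
        String stored = null;
        try (PreparedStatement ps = db.prepareStatement(QUERY)) {  // bound parameter, no concatenation
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                if (rs.next()) {
                    stored = rs.getString(1);
                }
            }
        }
        boolean found = stored != null;
        boolean matches = verify(found ? stored : DECOY, password);
        Arrays.fill(password, '\0');                                 // do not keep the secret around
        return found && matches;
    }

    /** Stored form "iterations:saltHex:hashHex"; produce it when a password is set or changed. */
    public static String hashForStorage(char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        return ITERATIONS + ":" + hex(salt) + ":" + hex(pbkdf2(password, salt, ITERATIONS));
    }

    /** Constant-time comparison of a candidate password against a stored record. */
    public static boolean verify(String stored, char[] password) {
        String[] parts = stored.split(":");
        if (parts.length != 3) {
            return false;                                            // not a record we produced
        }
        try {
            byte[] expected = unhex(parts[2]);
            byte[] actual = pbkdf2(password, unhex(parts[1]), Integer.parseInt(parts[0]));
            return MessageDigest.isEqual(expected, actual);
        } catch (NumberFormatException e) {
            return false;
        }
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 not available in this JRE", e);
        }
    }

    private static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    private static byte[] unhex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    // Constructed self-check: the hash/verify round trip needs no database.
    public static void main(String[] args) {
        String record = hashForStorage("correct horse".toCharArray());
        System.out.println("right password accepted: " + verify(record, "correct horse".toCharArray()));
        System.out.println("wrong password rejected: " + !verify(record, "wrong".toCharArray()));
    }
}
```

Because the decoy record is verified whenever the lookup finds nothing, an unknown username and a wrong password take the same time and return the same false, so the method does not reveal which usernames exist.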

Re: Security - From tradition to struts

Posted by struts Dude <sc...@slingshot.co.nz>.
Hi
The following is the strategy I use. It may help. It may
also be bad practice so feedback welcome.

I am writing a simple app right now that only checks whether the user
is logged in as an ordinary user or admin. I use a utility class
UserUtil.java that has static methods for other Actions to call.

import javax.servlet.http.HttpSession;

// User and Constants are application classes; Constants holds the session attribute names.
public class UserUtil {

    // A returned 'null' User means the user is not logged in.
    // The session may be null when the caller used request.getSession(false).
    public static User getUser(HttpSession session) {
        if (session == null) {
            return null;
        }
        Object obj = session.getAttribute(Constants.USER_KEY);
        return (obj instanceof User) ? (User) obj : null;
    }

    // A returned 'null' User means the user is not an admin
    public static User getAdmin(HttpSession session) {
        if (session == null) {
            return null;
        }
        Object obj = session.getAttribute(Constants.ADMIN);
        return (obj instanceof User) ? (User) obj : null;
    }
}

Regards



Re: Security - From tradition to struts

Posted by Leandro Melo <lt...@yahoo.com.br>.
Thank you very much for your time Erik, I'll try to
get some study around it!!!

I don't know if it's possible (probably not, I
know...), but if you could send me your LogonAction
class (and associated stuff) it would be awesome! But if you
can't, that's alright, I completely understand!

Regards,
Leandro.



 --- Erik Weber <er...@mindspring.com> wrote:
> Sorry, by "hand-rolled" I just mean one that is written specifically for
> the application (written by you).
> 
> The general idea is something like this:
> 
> Make a BaseAction class.
> 
> Implement a checkLogin method in the BaseAction class that looks in the
> current request's HttpSession for a "User" object, which you would have
> placed into the session in your LoginAction.
> Implement a checkPermission method in the BaseAction class that looks in
> the current HttpSession for a role associated with the user (maybe this
> is part of the "User" object) that matches the role required for the
> current request (or you can go as fine-grained as you want, with many
> different permissions to check for a single request) to be granted.
> 
> All your Action classes extend the BaseAction class. They can invoke the
> checkLogin and/or the checkPermission methods at the beginning of the
> execute method to decide whether/how to proceed.
> 
> Write a LoginAction class that sets the "User" action, along with
> permissions, roles, etc., whatever else is needed in your checkLogin and
> checkPermission methods, in the session after login has succeeded (you
> have taken the entered username and password and matched them
> successfully against a username and password combination in your
> database -- typically in a USERS table).
> 
> Write a Logout Action that invalidates the current session.
> 
> Alternatively, you could check the login and the permissions the same
> way, but in a subclass of the Struts RequestProcessor, or in a Servlet
> Filter, instead of in a BaseAction class.
> 
> If you want to go with container-managed security and you can use
> Tomcat, try this (you should probably read it anyway).
> 
> http://jakarta.apache.org/tomcat/tomcat-5.0-doc/realm-howto.html
> 
> I also suggest you read the security section of the J2EE tutorial, and
> the security sections of the JSP and Servlet specifications.
> 
> If you go with container-managed security, it's real easy to allow/deny
> entire JSPs, but you still may need to implement finer-grained
> permissions checks on your own if you need to, for example, show/hide
> links on a page based on permissions.
> 
> Erik
> 
> Leandro Melo wrote:
> 
> >Erik,
> >I don't quite understand what you call a hand-rolled
> >java component (maybe because of my english).
> >Anyway, it seems to me that you're not using JAAS to
> >completely control application's security, are u?
> >I don't know if it's possible, but if so, would you post
> >your setup and basic classes?
> >I'm very very new at security stuff...
> >Anyway, it cleared out a lot of things for me.
> >
> >Thanks,
> >Leandro.
> >
> >
> > --- Erik Weber <er...@mindspring.com> wrote:
> >
> >>I don't really consider myself an expert here, but I dare say that
> >>there are a lot of webapps deployed out there using programmatic
> >>(hand-rolled) security successfully. I have used the approach with
> >>success. What exactly the advantages are to using container-managed
> >>security I am not able to fully deduce (except for the obvious -- it's
> >>nice to declare stuff in web.xml in a standardized way -- and that
> >>perhaps it might make Servlets a *little* more portable if you wanted
> >>to use them among different apps). But then again, I haven't had to
> >>take on a project yet where the environment was extremely complicated,
> >>when it came to how users and permissions were managed (typically I
> >>see the same tried and trusted setup -- USER, GROUP, ROLES and
> >>PERMISSIONS tables in some central database, and some hand-rolled Java
> >>component, used to authorize the current request, that is invoked in
> >>some "common" area, such as a Servlet Filter -- or, in Struts, a base
> >>Action class or a custom RequestProcessor). It seems like JAAS is
> >>still at an immature stage perhaps, or at least the state of
> >>documentation about it is.
> >>
> >>The other route it seems you could go is to use a container-managed
> >>login as you suggest, and enjoy using the methods such as
> >>request.isUserInRole instead of invoking security methods on a
> >>hand-rolled component, but I think you will have to give up the
> >>JBoss/Tomcat stack to do this for now (someone please correct me if I
> >>am wrong), because I think there is a security integration problem
> >>there, as I described earlier. I'm guessing Tomcat as stand alone
> >>might be a good way to go though. I have not done this and couldn't
> >>say whether it is "common and usual".
> >>
> >>I have tried to write my role-checking methods so that in the future
> >>if I port an application to JAAS I can just refactor them to invoke
> >>the standard methods instead of my own. But like I say, I'm far from
> >>an expert in this area.
> >>
> >>Hope that helps,
> >>
> >>Erik
> >>
> >>Leandro Melo wrote:
> >>
> >>>So Erik, is it a common and usual approach to do login
> >>>outside of Struts (ordinary jsps), and then use Struts
> >>>afterwards???
> >>>
> >>>
> >>>--- Erik Weber <er...@mindspring.com> wrote:
> >>>
> >>>>Leandro, search the archives of this List for
> >>>>"JAAS". I participated in 
> 
=== message truncated === 


	
	
		

Re: Security - From tradition to struts

Posted by Erik Weber <er...@mindspring.com>.
Thank you Susan. I have some plans to take a stab at some documentation. 
Unfortunately right now I have relentless clients, approaching deadlines 
and bills to pay! (yeah yeah, who doesn't?)

And as far as security goes, I'm not qualified at this point, in my 
opinion. But, I'll get there.

Erik


Susan Bradeen wrote:

>Excellent explanation, Erik. Consider adding this to the Struts Wiki for 
>posterity? Must be a place for it in there somewhere ... 
>
>Erik Weber <er...@mindspring.com> wrote on 08/19/2004 08:31:08 AM:
>
>
>>Sorry, by "hand-rolled" I just mean one that is written specifically for 
>>the application (written by you).
>>
>>The general idea is something like this:
>>
>>Make a BaseAction class.
>>
>>Implement a checkLogin method in the BaseAction class that looks in the 
>>current request's HttpSession for a "User" object, which you would have 
>>placed into the session in your LoginAction.
>>Implement a checkPermission method in the BaseAction class that looks in 
>>the current HttpSession for a role associated with the user (maybe this 
>>is part of the "User" object) that matches the role required for the 
>>current request (or you can go as fine-grained as you want, with many 
>>different permissions to check for a single request) to be granted.
>>
>>All your Action classes extend the BaseAction class. They can invoke the 
>>checkLogin and/or the checkPermission methods at the beginning of the 
>>execute method to decide whether/how to proceed.
>>
>>Write a LoginAction class that sets the "User" action, along with 
>>permissions, roles, etc., whatever else is needed in your checkLogin and 
>>checkPermission methods, in the session after login has succeeded (you 
>>have taken the entered username and password and matched them 
>>successfully against a username and password combination in your 
>>database -- typically in a USERS table).
>>
>>Write a Logout Action that invalidates the current session.
>>
>>Alternatively, you could check the login and the permissions the same 
>>way, but in a subclass of the Struts RequestProcessor, or in a Servlet 
>>Filter, instead of in a BaseAction class.
>>
>>If you want to go with container-managed security and you can use 
>>Tomcat, try this (you should probably read it anyway).
>>
>>http://jakarta.apache.org/tomcat/tomcat-5.0-doc/realm-howto.html
>>
>>I also suggest you read the security section of the J2EE tutorial, and 
>>the security sections of the JSP and Servlet specifications.
>>
>>If you go with container-managed security, it's real easy to allow/deny 
>>entire JSPs, but you still may need to implement finer-grained 
>>permissions checks on your own if you need to, for example, show/hide 
>>links on a page based on permissions.
>>
>>Erik
>>
>>Leandro Melo wrote:
>>
>>>--- Erik Weber <er...@mindspring.com> wrote:
>>>
>>>>Leandro Melo wrote:
>>>>
>>>>>--- Erik Weber <er...@mindspring.com> wrote:
>>>>>
>>>>>>Leandro, search the archives of this List for "JAAS". I participated
>>>>>>in a thread about this within the last two months.
>>>>>>
>>>>>>I'm not sure if I understand exactly what you want to do, but if you
>>>>>>want to use container-managed security, I don't know of a way to have
>>>>>>your login screen be part of Struts. As far as I know, you have to let
>>>>>>the container process the request that results from the login screen's
>>>>>>form submittal (I tried having an Action intercept this request and then
>>>>>>attempt to login with the JBoss JAAS module manually but gave up when I
>>>>>>realized problem # 2 -- below).
>>>>>>
>>>>>>Another problem you are probably going to run into is that the JBoss
>>>>>>security context is not propagated to Tomcat, and vice versa, as far as
>>>>>>I know. So if you authenticate using JBoss JAAS, Tomcat won't know about
>>>>>>it, and the methods such as request.isUserInRole aren't going to do you
>>>>>>any good (although you would presumably be able to use the similar
>>>>>>methods on EJBs, because they are running within the JBoss security
>>>>>>context).
>>>>>>
>>>>>>I found JAAS to be a nightmare, though a couple people gave me possible
>>>>>>solutions to the problems I mentioned in the thread (one would be
>>>>>>intercepting the login screen request and then manually logging in with
>>>>>>both JBoss JAAS as well as Tomcat JAAS modules -- but I don't know if
>>>>>>this has been done). I presume it's a much easier endeavor if you are
>>>>>>just using Tomcat stand alone, but I'll let Craig address that if he
>>>>>>wants, because I've never tried it.
>>>>>>
>>>>>>Erik
>>>>>>
>>>>>>
>>>>>>Leandro Melo wrote:
>>>>>>
>>>>>>>Or I just extend the DatabaseServerLoginModule class
>>>>>>>and leave an empty class????
>>>>>>>
>>>>>>>
>>>>>>>--- Leandro Melo <lt...@yahoo.com.br> wrote:
>>>>>>>
>>>>>>>>Just complementing my question...
>>>>>>>>
>>>>>>>>Would it be fair if I copy JBoss'
>>>>>>>>DatabaseServerLoginModule code and place it inside an
>>>>>>>>Action???
>>>>>>>>
>>>>>>>>This way, I'll have an Action (for example,
>>>>>>>>MyLoginAction) that does exactly what
>>>>>>>>DatabaseServerLoginModule does.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>--- Leandro Melo <lt...@yahoo.com.br> wrote:
>>>>>>>>
>>>=== message truncated === 



RE: Security - From tradition to struts

Posted by Daniel Perry <d....@netcase.co.uk>.
You can also put an execute method in the base action that does the
'logged-in' check, and use a global forward to forward to login page.

If you do this, then add an abstract method, e.g. executeAction, with the same
signature as execute, and call it.

The main advantage of this is to stop you forgetting to make the required
security calls at the beginning of the subclassed action!

Daniel.



> > >>>>address that if he
> > >>>>wants, because I've never tried it.
> > >>>>
> > >>>>Erik
> > >>>>
> > >>>>
> > >>>>Leandro Melo wrote:
> > >>>>
> > >>>>
> > >>>>
> > >>>>
> > >>>>
> > >>>>>Or i just extend the DatabaseServerLoginModule
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>class
> > >>>>
> > >>>>
> > >>>>
> > >>>>
> > >>>>>and leave an empty class????
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>>--- Leandro Melo <lt...@yahoo.com.br>
> > >>>>>escreveu:
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>>>Just complementing my question...
> > >>>>>>
> > >>>>>>Would it be fair if i copy JBoss'
> > >>>>>>DatabaseServerLoginModule code and place it
> > >>>>>>
> > >>>>>>
> > >>inside
> > >>
> > >>
> > >>>>>>an
> > >>>>>>Action???
> > >>>>>>
> > >>>>>>This way, i'll have an Action (for example,
> > >>>>>>MyLoginAction) that does exactly what
> > >>>>>>DatabaseServerLoginModule does.
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>>--- Leandro Melo <lt...@yahoo.com.br>
> > >>>>>>escreveu:
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>>>Please help me out here!
> > >>>>>>>I'm very new with jaas, so i need some help.
> > >>>>>>>
> > >>>>>>>I got a simple login that is working fine for
> > >>>>>>>
> > >>>>>>>
> > >>me,
> > >>
> > >>
> > >>>>>>>here
> > >>>>>>>it is:
> > >>>>>>>
> > >>>>>>>...
> > >>>>>>><FORM action='<%=
> > >>>>>>>response.encodeURL("j_security_check")%>'
> > >>>>>>>    method="get">
> > >>>>>>>    <!-- esses  nomes tem q ser assim ->
> >>>>>>>j_username
> >>>>>>>-->
> > >>>>>>>     NOME:<INPUT type="text" name="j_username"
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>/>
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>>>
> > >>>>>>>     <!-- tem q ser j_password -->
> > >>>>>>>     SENHA: <INPUT type="password"
> > >>>>>>>name="j_password"
> > >>>>>>>/>
> > >>>>>>>     <INPUT type="submit" value="Login" />
> > >>>>>>>
> > >>>>>>>
> > >=== message truncated ===
> > >
> > >_______________________________________________________
> > >Yahoo! Acesso Grátis - browse for free with a quality connection!
> > >http://br.acesso.yahoo.com/
> > >
> > >---------------------------------------------------------------------
> > >To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> > >For additional commands, e-mail: user-help@struts.apache.org
> > >
> >
> > _____________________________________________________________________________
> > Scanned for SoftLanding Systems, Inc. by IBM Email Security
> > Management Services powered by MessageLabs.
> > _____________________________________________________________________________
>


Re: Security - From tradition to struts

Posted by Susan Bradeen <Su...@softlanding.com>.
Excellent explanation, Erik. Consider adding this to the Struts Wiki for 
posterity? Must be a place for it in there somewhere ... 

Erik Weber <er...@mindspring.com> wrote on 08/19/2004 08:31:08 AM:

> Sorry, by "hand-rolled" I just mean one that is written specifically for
> the application (written by you).
> 
> The general idea is something like this:
> 
> Make a BaseAction class.
> 
> Implement a checkLogin method in the BaseAction class that looks in the
> current request's HttpSession for a "User" object, which you would have
> placed into the session in your LoginAction.
> Implement a checkPermission method in the BaseAction class that looks in
> the current HttpSession for a role associated with the user (maybe this
> is part of the "User" object) that matches the role required for the
> current request (or you can go as fine-grained as you want, with many
> different permissions to check for a single request) to be granted.
> 
> All your Action classes extend the BaseAction class. They can invoke the
> checkLogin and/or the checkPermission methods at the beginning of the
> execute method to decide whether/how to proceed.
> 
> Write a LoginAction class that sets the "User" action, along with
> permissions, roles, etc., whatever else is needed in your checkLogin and
> checkPermission methods, in the session after login has succeeded (you
> have taken the entered username and password and matched them
> successfully against a username and password combination in your
> database -- typically in a USERS table).
> 
> Write a Logout Action that invalidates the current session.
> 
> Alternatively, you could check the login and the permissions the same
> way, but in a subclass of the Struts RequestProcessor, or in a Servlet
> Filter, instead of in a BaseAction class.
> 
> If you want to go with container-managed security and you can use
> Tomcat, try this (you should probably read it anyway).
> 
> http://jakarta.apache.org/tomcat/tomcat-5.0-doc/realm-howto.html
> 
> I also suggest you read the security section of the J2EE tutorial, and
> the security sections of the JSP and Servlet specifications.
> 
> If you go with container-managed security, it's real easy to allow/deny
> entire JSPs, but you still may need to implement finer-grained
> permissions checks on your own if you need to, for example, show/hide
> links on a page based on permissions.
> 
> Erik
> 


Re: Security - From tradition to struts

Posted by Erik Weber <er...@mindspring.com>.
Sorry, by "hand-rolled" I just mean one that is written specifically for 
the application (written by you).

The general idea is something like this:

Make a BaseAction class.

Implement a checkLogin method in the BaseAction class that looks in the 
current request's HttpSession for a "User" object, which you would have 
placed into the session in your LoginAction.
Implement a checkPermission method in the BaseAction class that looks in 
the current HttpSession for a role associated with the user (maybe this 
is part of the "User" object) that matches the role required for the 
current request (or you can go as fine-grained as you want, with many 
different permissions to check for a single request) to be granted.

All your Action classes extend the BaseAction class. They can invoke the 
checkLogin and/or the checkPermission methods at the beginning of the 
execute method to decide whether/how to proceed.

Write a LoginAction class that sets the "User" action, along with 
permissions, roles, etc., whatever else is needed in your checkLogin and 
checkPermission methods, in the session after login has succeeded (you 
have taken the entered username and password and matched them 
successfully against a username and password combination in your 
database -- typically in a USERS table).

Write a Logout Action that invalidates the current session.

Alternatively, you could check the login and the permissions the same 
way, but in a subclass of the Struts RequestProcessor, or in a Servlet 
Filter, instead of in a BaseAction class.

If you want to go with container-managed security and you can use 
Tomcat, try this (you should probably read it anyway).

http://jakarta.apache.org/tomcat/tomcat-5.0-doc/realm-howto.html

I also suggest you read the security section of the J2EE tutorial, and 
the security sections of the JSP and Servlet specifications.

If you go with container-managed security, it's real easy to allow/deny 
entire JSPs, but you still may need to implement finer-grained 
permissions checks on your own if you need to, for example, show/hide 
links on a page based on permissions.

Erik

Leandro Melo wrote:

>Erik,
>I don't quite understand what you call a hand-rolled
>java component (maybe because of my english).
>Anyway, it seems to me that you're not using JAAS to
>completely control application's security, are u?
>I don't know if it is possible, but if so, would you post
>your setup and basic classes?
>I'm very very new at security stuff...
>Anyway, I cleared out a lot of things for me.
>
>Thanks,
>Leandro.
>
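Erik's BaseAction / LoginAction layout above, as an added Struts 1 example; this is my code, not Erik's and not anything from the Struts project. The USERS and USER_ROLES tables and their columns, the "username"/"password" form fields, the forward names, the REPORT_VIEWER role and a DataSource declared in struts-config.xml (reached via Action.getDataSource) are all assumptions made for the example.

```java
// Added example, not Erik's code and not from the Struts project: the BaseAction /
// LoginAction layout described above, for Struts 1. Placeholders (assumed):
// USERS (USERNAME, PASSWORD_HASH, SALT) and USER_ROLES (USERNAME, ROLE) tables, a
// DynaActionForm with username/password, a struts-config DataSource, forward names.
import java.security.MessageDigest;
import java.sql.*;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.http.*;
import javax.sql.DataSource;
import org.apache.struts.action.*;

/** The "User" object that LoginAction places in the session. */
class User implements java.io.Serializable {
    private final String name;
    private final Set<String> roles;
    User(String name, Set<String> roles) { this.name = name; this.roles = roles; }
    boolean hasRole(String role) { return roles.contains(role); }
}
/** Common parent: every Action in the application extends this. */
abstract class BaseAction extends Action {
    static final String USER_KEY = "User";

    /** The logged-in User, or null. Never creates a session as a side effect. */
    protected User checkLogin(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        Object u = (session == null) ? null : session.getAttribute(USER_KEY);
        return (u instanceof User) ? (User) u : null;
    }

    /** True only if somebody is logged in AND holds the required role. */
    protected boolean checkPermission(HttpServletRequest request, String role) {
        User user = checkLogin(request);
        return user != null && user.hasRole(role);
    }
}
/** Looks the user up in USERS and checks the password against a PBKDF2 hash. */
class UserDao {
    private final DataSource ds;
    UserDao(DataSource ds) { this.ds = ds; }

    /** The User on success; null both for an unknown user and for a wrong password. */
    User authenticate(String username, String password) throws Exception {
        if (username == null || password == null) return null;
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(
                 "SELECT PASSWORD_HASH, SALT FROM USERS WHERE USERNAME = ?")) {
            ps.setString(1, username);  // bound parameter, never string-concatenated
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) return null;
                // Slow, salted hash: the table never holds plaintext passwords.
                PBEKeySpec spec = new PBEKeySpec(password.toCharArray(),
                        rs.getBytes("SALT"), 100000, 256);
                byte[] computed = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                        .generateSecret(spec).getEncoded();
                // Constant-time comparison so timing does not leak partial matches.
                if (!MessageDigest.isEqual(computed, rs.getBytes("PASSWORD_HASH"))) return null;
            }
            Set<String> roles = new HashSet<String>();
            try (PreparedStatement rp = c.prepareStatement(
                     "SELECT ROLE FROM USER_ROLES WHERE USERNAME = ?")) {
                rp.setString(1, username);
                try (ResultSet rs = rp.executeQuery()) {
                    while (rs.next()) roles.add(rs.getString("ROLE"));
                }
            }
            return new User(username, roles);
        }
    }
}
/** Handles the login form submission. */
final class LoginAction extends BaseAction {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        DynaActionForm f = (DynaActionForm) form;
        User user = new UserDao(getDataSource(request))
                .authenticate(f.getString("username"), f.getString("password"));
        if (user == null) return mapping.findForward("failure");  // same message for both causes
        // Drop any pre-login session so an id issued before authentication is never
        // promoted to an authenticated one (session fixation).
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();
        request.getSession(true).setAttribute(USER_KEY, user);
        return mapping.findForward("success");
    }
}
/** A protected Action: the checks come first, before any real work. */
final class ReportAction extends BaseAction {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) {
        if (checkLogin(request) == null) return mapping.findForward("login");
        if (!checkPermission(request, "REPORT_VIEWER")) return mapping.findForward("denied");
        return mapping.findForward("success");  // the report itself would be built here
    }
}
```

Erik's Logout Action is the same pattern with the body reduced to invalidating request.getSession(false) when it exists and forwarding back to the login page.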


Re: Security - From tradition to struts

Posted by Leandro Melo <lt...@yahoo.com.br>.
Erik,
I don't quite understand what you call a hand-rolled
java component (maybe because of my english).
Anyway, it seems to me that you're not using JAAS to
completely control application's security, are u?
I don't know if it is possible, but if so, would you post
your setup and basic classes?
I'm very very new at security stuff...
Anyway, I cleared out a lot of things for me.

Thanks,
Leandro.


 --- Erik Weber <er...@mindspring.com> escreveu: 
> I don't really consider myself an expert here, but I
> dare say that there 
> are a lot of webapps deployed out there using
> programmatic (hand-rolled) 
> security successfully. I have used the approach with
> success. What 
> exactly the advantages are to using
> container-managed security I am not 
> able to fully deduce (except for the obvious -- it's
> nice to declare 
> stuff in web.xml in a standardized way -- and that
> perhaps it might make 
> Servlets a *little* more portable if you wanted to
> use them among 
> different apps). But then again, I haven't had to
> take on a project yet 
> where the environment was extremely complicated,
> when it came to how 
> users and permissions were managed (typically I see
> the same tried and 
> trusted setup -- USER, GROUP, ROLES and PERMISSIONS
> tables in some 
> central database, and some hand-rolled Java
> component, used to authorize 
> the current request, that is invoked in some
> "common" area, such as a 
> Servlet Filter -- or, in Struts, a base Action class
> or a custom 
> RequestProcessor). It seems like JAAS is still at an
> immature stage 
> perhaps, or at least the state of documentation about
> it is.
> 
> The other route it seems you could go is to use a
> container-managed 
> login as you suggest, and enjoy using the methods
> such as 
> request.isUserInRole instead of invoking security
> methods on a 
> hand-rolled component, but I think you will have to
> give up the 
> JBoss/Tomcat stack to do this for now (someone
> please correct me if I am 
> wrong), because I think there is a security
> integration problem there, 
> as I described earlier. I'm guessing Tomcat as stand
> alone might be a 
> good way to go though. I have not done this and
> couldn't say whether it 
> is "common and usual".
> 
> I have tried to write my role-checking methods so
> that in the future if 
> I port an application to JAAS I can just refactor
> them to invoke the 
> standard methods instead of my own. But like I say,
> I'm far from an 
> expert in this area.
> 
> Hope that helps,
> 
> Erik
> 


Re: Security - From tradition to struts

Posted by Erik Weber <er...@mindspring.com>.
I don't really consider myself an expert here, but I dare say that there 
are a lot of webapps deployed out there using programmatic (hand-rolled) 
security successfully. I have used the approach with success. What 
exactly the advantages are to using container-managed security I am not 
able to fully deduce (except for the obvious -- it's nice to declare 
stuff in web.xml in a standardized way -- and that perhaps it might make 
Servlets a *little* more portable if you wanted to use them among 
different apps). But then again, I haven't had to take on a project yet 
where the environment was extremely complicated, when it came to how 
users and permissions were managed (typically I see the same tried and 
trusted setup -- USER, GROUP, ROLES and PERMISSIONS tables in some 
central database, and some hand-rolled Java component, used to authorize 
the current request, that is invoked in some "common" area, such as a 
Servlet Filter -- or, in Struts, a base Action class or a custom 
RequestProcessor). It seems like JAAS is still at an immature stage 
perhaps, or at least the state of documentation about it is.

The other route it seems you could go is to use a container-managed 
login as you suggest, and enjoy using the methods such as 
request.isUserInRole instead of invoking security methods on a 
hand-rolled component, but I think you will have to give up the 
JBoss/Tomcat stack to do this for now (someone please correct me if I am 
wrong), because I think there is a security integration problem there, 
as I described earlier. I'm guessing Tomcat as stand alone might be a 
good way to go though. I have not done this and couldn't say whether it 
is "common and usual".

I have tried to write my role-checking methods so that in the future if 
I port an application to JAAS I can just refactor them to invoke the 
standard methods instead of my own. But like I say, I'm far from an 
expert in this area.

Hope that helps,

Erik

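The filter-based, hand-rolled authorization Erik describes above, as an added example that is not code from this thread or from Struts: one servlet filter in front of the Struts controller looks up the current user's roles (here from a constructed in-memory SessionUser standing in for the USER/GROUP/ROLES tables) and enforces a URL-prefix-to-role map. The single isUserInRole helper is the seam Erik mentions: it answers from request.isUserInRole() once the container has performed the login, so nothing else in the application changes. The names AuthzFilter, SessionUser, requiredRoleFor and establishSession, the rule table and the /login.do path are assumptions made for this example.

```java
// Added example, not code from the thread or from Struts. AuthzFilter,
// SessionUser, requiredRoleFor and establishSession are names assumed here;
// the user store is an in-memory object in place of the USER/GROUP/ROLES tables.
package example.security;

import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class AuthzFilter implements Filter {

    /** What the login Action stores in the session once the database check has passed. */
    public static final class SessionUser implements java.io.Serializable {
        public final String name;
        private final Set<String> roles;
        public SessionUser(String name, Collection<String> roles) {
            this.name = name;
            this.roles = Collections.unmodifiableSet(new HashSet<String>(roles));
        }
        public boolean hasRole(String role) { return roles.contains(role); }
    }

    private static final String SESSION_KEY = "example.security.user";

    /** URL prefix -> role that must be held; in practice loaded from configuration. */
    private static final Map<String, String> RULES = new LinkedHashMap<String, String>();
    static {
        RULES.put("/jaas_tests/", "Echo");     // mirrors the quoted <security-constraint>
        RULES.put("/admin/", "Admin");         // assumed second rule, to show longest-prefix matching
    }

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String needed = requiredRoleFor(request.getServletPath());   // context-relative, no query string
        if (needed == null) {                  // public URL
            chain.doFilter(req, res);
            return;
        }
        HttpSession session = request.getSession(false);
        SessionUser user = session == null ? null : (SessionUser) session.getAttribute(SESSION_KEY);
        if (user == null && request.getUserPrincipal() == null) {
            // Not authenticated by either path: send to the login page, never to the resource.
            response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + "/login.do"));
            return;
        }
        if (!isUserInRole(request, user, needed)) {   // authenticated but not authorized
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Longest matching prefix wins, so /admin/reports/run.do is governed by /admin/. */
    static String requiredRoleFor(String path) {
        String bestPrefix = null, role = null;
        for (Map.Entry<String, String> rule : RULES.entrySet()) {
            String prefix = rule.getKey();
            if (path.startsWith(prefix) && (bestPrefix == null || prefix.length() > bestPrefix.length())) {
                bestPrefix = prefix;
                role = rule.getValue();
            }
        }
        return role;
    }

    /**
     * The one place roles are checked. Today it reads the hand-rolled session user;
     * once the container performs the login, request.getUserPrincipal() is set and
     * the question is answered by request.isUserInRole() with no other change.
     */
    static boolean isUserInRole(HttpServletRequest request, SessionUser user, String role) {
        if (request.getUserPrincipal() != null) return request.isUserInRole(role);
        return user != null && user.hasRole(role);
    }

    /** For the login Action, after the password check: a fresh session id so a pre-login id cannot be reused. */
    public static void establishSession(HttpServletRequest request, SessionUser user) {
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();
        request.getSession(true).setAttribute(SESSION_KEY, user);
    }
}
```

Map the filter in web.xml with a <filter-mapping> whose <url-pattern> is *.do (or /* if JSPs are reached directly), and have the login Action call establishSession() only after it has verified the password against the database; invalidating the old session there is what stops a session id handed out before login from surviving authentication.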


Re: Security - From tradition to struts

Posted by Leandro Melo <lt...@yahoo.com.br>.
So Erik, is it a common and usual approach to do the login
outside of Struts (in ordinary JSPs), and then use Struts
afterwards?


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 



Re: Security - From tradition to struts

Posted by Erik Weber <er...@mindspring.com>.
Leandro, search the archives of this List for "JAAS". I participated in 
a thread about this within the last two months.

I'm not sure if I understand exactly what you want to do, but if you 
want to use container-managed security, I don't know of a way to have 
your login screen be part of Struts. As far as I know, you have to let 
the container process the request that results from the login screen's 
form submittal (I tried having an Action intercept this request and then 
attempt to login with the JBoss JAAS module manually but gave up when I 
realized problem # 2 -- below).

Another problem you are probably going to run into is that the JBoss 
security context is not propagated to Tomcat, and vice versa, as far as 
I know. So if you authenticate using JBoss JAAS, Tomcat won't know about 
it, and the methods such as request.isUserInRole aren't going to do you 
any good (although you would presumably be able to use the similar 
methods on EJBs, because they are running within the JBoss security 
context).

I found JAAS to be a nightmare, though a couple people gave me possible 
solutions to the problems I mentioned in the thread (one would be 
intercepting the login screen request and then manually logging in with 
both JBoss JAAS as well as Tomcat JAAS modules -- but I don't know if 
this has been done). I presume it's a much easier endeavor if you are 
just using Tomcat stand alone, but I'll let Craig address that if he 
wants, because I've never tried it.

Erik




Re: Security - From tradition to struts

Posted by Leandro Melo <lt...@yahoo.com.br>.
Or do I just extend the DatabaseServerLoginModule class
and leave it as an empty class?





Re: Security - From tradition to struts

Posted by Leandro Melo <lt...@yahoo.com.br>.
Just complementing my question...

Would it be acceptable if I copied JBoss'
DatabaseServerLoginModule code and placed it inside an
Action?

This way, I'll have an Action (for example,
MyLoginAction) that does exactly what
DatabaseServerLoginModule does.



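On the two alternatives raised in this message and the previous one (an empty subclass of DatabaseServerLoginModule, or copying its code into a Struts Action): with FORM authentication the container handles the j_security_check request itself and drives the configured LoginModule through a JAAS LoginContext, so a Struts Action is never on that path, and a copy of the module's code inside an Action would authenticate nobody as far as the container is concerned. An empty subclass works, but only re-declares the same module under a new name. What the container needs is a class that fulfils the LoginModule contract, and the following is an added example of that contract, not code from this thread or from JBoss: a minimal LoginModule with the two-phase login()/commit() sequence, credentials obtained through the CallbackHandler, a salted-hash check, and a Subject populated with a user principal and one principal per role. The in-memory user table is constructed here in place of the principalsQuery/rolesQuery lookups, and ExampleLoginModule, UserPrincipal and RolePrincipal are names assumed for the example. Two caveats on the configuration quoted in this thread: the login form submits with method="get", which puts j_password into the query string (and so into access logs and browser history), and <transport-guarantee>NONE</transport-guarantee> lets the credentials cross the wire in clear; a production form should POST and the constraint should require CONFIDENTIAL. Likewise the quoted principalsQuery returns whatever is in the Password column, so that column must hold a hash, not the clear-text password, with the module's hashing options configured to match.

```java
// Added example, not code from the thread or from JBoss. ExampleLoginModule,
// UserPrincipal and RolePrincipal are assumed names; USERS is a constructed
// in-memory stand-in for the Principals/Roles tables of the quoted config.
package example.security;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class ExampleLoginModule implements LoginModule {

    /** Identity principal placed in the Subject on commit(). */
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** One principal per role; this is what a role check is answered from. */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Constructed user table: name -> { salt, sha256(salt + password), roles }. */
    private static final Map<String, Object[]> USERS = new HashMap<String, Object[]>();
    static {
        USERS.put("leandro", new Object[] { "s3lt", sha256("s3lt" + "segredo"), new String[] { "Echo" } });
    }

    private Subject subject;
    private CallbackHandler handler;
    private String userName;      // fixed in login(), applied to the Subject in commit()
    private String[] roles;
    private boolean loginOk;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    /** Phase 1: verify the credentials without touching the Subject yet. */
    public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("no CallbackHandler supplied");
        NameCallback nc = new NameCallback("username: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });   // the container fills these from j_username/j_password
        } catch (Exception e) {
            throw new LoginException("callback failed: " + e);
        }
        char[] pw = pc.getPassword();
        pc.clearPassword();
        if (pw == null) pw = new char[0];
        String name = nc.getName();
        loginOk = verify(name, pw);
        Arrays.fill(pw, '\0');                            // do not keep the clear-text password around
        if (!loginOk) throw new FailedLoginException("bad username or password"); // same text for both causes
        userName = name;
        roles = (String[]) USERS.get(name)[2];
        return true;
    }

    /** Phase 2: the whole module stack succeeded, so populate the Subject. */
    public boolean commit() {
        if (!loginOk) return false;
        subject.getPrincipals().add(new UserPrincipal(userName));
        for (String r : roles) subject.getPrincipals().add(new RolePrincipal(r));
        return true;
    }

    /** Called instead of commit() when another module in the stack failed. */
    public boolean abort() {
        loginOk = false; userName = null; roles = null;
        return true;
    }

    public boolean logout() {
        subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal || p instanceof RolePrincipal);
        return abort();
    }

    /** Salted-hash comparison; hashes even for unknown names so timing does not reveal which exist. */
    static boolean verify(String name, char[] pw) {
        Object[] row = USERS.get(name);
        String salt = row == null ? "" : (String) row[0];
        byte[] expected = row == null ? new byte[32] : (byte[]) row[1];
        byte[] actual = sha256(salt + new String(pw));
        return MessageDigest.isEqual(actual, expected) && row != null;   // constant-time compare
    }

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

In JBoss the class would be listed in the example2 application policy in place of org.jboss.security.auth.spi.DatabaseServerLoginModule, and the web application pointed at that policy through jboss-web.xml's <security-domain>java:/jaas/example2</security-domain>. Note that JBoss's own modules deliver roles as members of a Group principal named "Roles" (its SimpleGroup) rather than as loose role principals, so the role handling above is the portable JAAS shape, not the JBoss-specific one. SHA-256 over salt plus password is used only to keep the example self-contained; a real store should use a deliberately slow password hash.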