You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@struts.apache.org by wild_oscar <mi...@almeida.at> on 2007/06/29 16:12:48 UTC

JAAS authorization with Struts

I am trying to develop my first web application.

For authentication and authorization, I choose JAAS and followed this guide

http://www.mooreds.com/jaas.html http://www.mooreds.com/jaas.html 

I am also using Struts as my MVC. I am having trouble implementing
authorization, though. As far as I've learned, the application can have
programmatic or declarative authorization.

In struts, a way of programming dynamic authorization is the use of the
<logic:present role="xxx"> tag. I was trying to test this. Unfortunately, it
seems that struts can't seem to "know" my subject and principals (saved in a
session attribute), so whatever the role I try (or user="userxx"), the tag
is not displayed.

Can anyone send me in the right direction regarding this? Where does struts
look for the users and roles? How can I integrate JAAS with this MVC?
	
 
-- 
View this message in context: http://www.nabble.com/JAAS-authorization-with-Struts-tf4000073.html#a11360901
Sent from the Struts - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org

Re: JAAS authorization with Struts

Posted by wild_oscar <mi...@almeida.at>.

Oh, nice, I'll try to implement this then. I have read a lot about
authorization and authentication and am trying to decide the best
alternative for my struts based application (which can hopefully become my
standard in web app development). 

Thank you for the tip, I'll report to say how it is going.
Because I'm still rather new in the development process, what is the best
strategy for the filter implementation? Should I create a filter
specifically for this task or is there a "rule of thumb" in the creation of
filters so that they can be grouped together depending on some criterion
(life cycle phase when they're called, for example)?

Chris Pratt wrote:
> 
> Exactly.
>   (*Chris*)
> 
> On 6/29/07, wild_oscar <mi...@almeida.at> wrote:
>>
>>
>> Do you mean implementing a HttpServletRequestWrapper and overriding its
>> isUserInRole so that it finds the user and its roles in the httpsession
>> (where I stored the Principals)?
>>
>>
>>
>> Chris Pratt wrote:
>> >
>> > It uses the HttpServletRequest.isUserInRole() method.  One way to
>> populate
>> > this is with a Filter that wraps the request with an
>> > HttpServletRequestWrapper.
>> >   (*Chris*)
>> >
>> > On 6/29/07, wild_oscar <mi...@almeida.at> wrote:
>> >>
>> >>
> 
> 

-- 
View this message in context: http://www.nabble.com/JAAS-authorization-with-Struts-tf4000073.html#a11390663
Sent from the Struts - User mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org

Re: JAAS authorization with Struts

Posted by Chris Pratt <th...@gmail.com>.

Exactly.
  (*Chris*)

On 6/29/07, wild_oscar <mi...@almeida.at> wrote:
>
>
> Do you mean implementing a HttpServletRequestWrapper and overriding its
> isUserInRole so that it finds the user and its roles in the httpsession
> (where I stored the Principals)?
>
>
>
> Chris Pratt wrote:
> >
> > It uses the HttpServletRequest.isUserInRole() method.  One way to
> populate
> > this is with a Filter that wraps the request with an
> > HttpServletRequestWrapper.
> >   (*Chris*)
> >
> > On 6/29/07, wild_oscar <mi...@almeida.at> wrote:
> >>
> >>
> >> I am trying to develop my first web application.
> >>
> >> For authentication and authorization, I choose JAAS and followed this
> >> guide
> >>
> >> http://www.mooreds.com/jaas.html http://www.mooreds.com/jaas.html
> >>
> >> I am also using Struts as my MVC. I am having trouble implementing
> >> authorization, though. As far as I've learned, the application can have
> >> programmatic or declarative authorization.
> >>
> >> In struts, a way of programming dynamic authorization is the use of the
> >> <logic:present role="xxx"> tag. I was trying to test this.
> Unfortunately,
> >> it
> >> seems that struts can't seem to "know" my subject and principals (saved
> >> in
> >> a
> >> session attribute), so whatever the role I try (or user="userxx"), the
> >> tag
> >> is not displayed.
> >>
> >> Can anyone send me in the right direction regarding this? Where does
> >> struts
> >> look for the users and roles? How can I integrate JAAS with this MVC?
> >>
> >>
> >> --
> >> View this message in context:
> >>
> http://www.nabble.com/JAAS-authorization-with-Struts-tf4000073.html#a11360901
> >> Sent from the Struts - User mailing list archive at Nabble.com.
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> >> For additional commands, e-mail: user-help@struts.apache.org
> >>
> >>
> >
> >
>
> --
> View this message in context:
> http://www.nabble.com/JAAS-authorization-with-Struts-tf4000073.html#a11364913
> Sent from the Struts - User mailing list archive at Nabble.com.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>
>

Re: JAAS authorization with Struts

Posted by wild_oscar <mi...@almeida.at>.

Do you mean implementing a HttpServletRequestWrapper and overriding its
isUserInRole so that it finds the user and its roles in the httpsession
(where I stored the Principals)?



Chris Pratt wrote:
> 
> It uses the HttpServletRequest.isUserInRole() method.  One way to populate
> this is with a Filter that wraps the request with an
> HttpServletRequestWrapper.
>   (*Chris*)
> 
> On 6/29/07, wild_oscar <mi...@almeida.at> wrote:
>>
>>
>> I am trying to develop my first web application.
>>
>> For authentication and authorization, I choose JAAS and followed this
>> guide
>>
>> http://www.mooreds.com/jaas.html http://www.mooreds.com/jaas.html
>>
>> I am also using Struts as my MVC. I am having trouble implementing
>> authorization, though. As far as I've learned, the application can have
>> programmatic or declarative authorization.
>>
>> In struts, a way of programming dynamic authorization is the use of the
>> <logic:present role="xxx"> tag. I was trying to test this. Unfortunately,
>> it
>> seems that struts can't seem to "know" my subject and principals (saved
>> in
>> a
>> session attribute), so whatever the role I try (or user="userxx"), the
>> tag
>> is not displayed.
>>
>> Can anyone send me in the right direction regarding this? Where does
>> struts
>> look for the users and roles? How can I integrate JAAS with this MVC?
>>
>>
>> --
>> View this message in context:
>> http://www.nabble.com/JAAS-authorization-with-Struts-tf4000073.html#a11360901
>> Sent from the Struts - User mailing list archive at Nabble.com.
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
>> For additional commands, e-mail: user-help@struts.apache.org
>>
>>
> 
> 

-- 
View this message in context: http://www.nabble.com/JAAS-authorization-with-Struts-tf4000073.html#a11364913
Sent from the Struts - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org

Re: JAAS authorization with Struts

Posted by Chris Pratt <th...@gmail.com>.

It uses the HttpServletRequest.isUserInRole() method.  One way to populate
this is with a Filter that wraps the request with an
HttpServletRequestWrapper.
  (*Chris*)

On 6/29/07, wild_oscar <mi...@almeida.at> wrote:
>
>
> I am trying to develop my first web application.
>
> For authentication and authorization, I choose JAAS and followed this
> guide
>
> http://www.mooreds.com/jaas.html http://www.mooreds.com/jaas.html
>
> I am also using Struts as my MVC. I am having trouble implementing
> authorization, though. As far as I've learned, the application can have
> programmatic or declarative authorization.
>
> In struts, a way of programming dynamic authorization is the use of the
> <logic:present role="xxx"> tag. I was trying to test this. Unfortunately,
> it
> seems that struts can't seem to "know" my subject and principals (saved in
> a
> session attribute), so whatever the role I try (or user="userxx"), the tag
> is not displayed.
>
> Can anyone send me in the right direction regarding this? Where does
> struts
> look for the users and roles? How can I integrate JAAS with this MVC?
>
>
> --
> View this message in context:
> http://www.nabble.com/JAAS-authorization-with-Struts-tf4000073.html#a11360901
> Sent from the Struts - User mailing list archive at Nabble.com.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>
>