Posted to user@struts.apache.org by Roberto Nunnari <ro...@supsi.ch> on 2007/08/20 19:12:00 UTC

Authentication and Authorization in S2

Hi all.

I need to implement Authentication and Authorization in
a S2 web application, and before reinventing the wheel, I'd
like to ask the list for hints and advice.

1) Is there built-in support in Struts2 for Authentication and 
Authorization?

2) What are the best practices for AA in S2?

3) Would JAAS be a practical way in S2?

More details:
- The application lets the users dynamically register as members
- In the application, the members can be part of one of two or three 
groups (roles)
- unauthenticated users can only view some global data
- authenticated users can change some of their own data
- authenticated users can view some other members' data
- the authenticated users can add global content
- authenticated users in more privileged roles can change some global data
- authenticated users in the admin role can do anything

Thank you.

-- 
Robi


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


RE: Authentication and Authorization in S2

Posted by Arnaud Cogoluegnes <ac...@sqli.com>.
Just meant that I don't use other APIs/frameworks (JAAS, Acegi...) than what
the Struts 2 architecture offers. Of course I had to develop my own
interceptors, but that's pretty straightforward.


Re: Authentication and Authorization in S2

Posted by Alvaro Sanchez-Mariscal <al...@gmail.com>.
What do you mean by "100% Struts 2 security"? As far as I know, S2 does
not have anything out-of-the-box regarding security.

In my case, I had to manually develop a login action and an
authentication interceptor.

Alvaro.

-- 
Alvaro Sanchez-Mariscal Arnaiz
Java EE Architect & Instructor
alvaro.sanchezmariscal@gmail.com


RE: Authentication and Authorization in S2

Posted by Arnaud Cogoluegnes <ac...@sqli.com>.
I'm using 100% Struts 2 security:
  - centralized store (simple Java class/XML config file) which maps roles
and actions
  - interceptor if some user directly types the URL (based on the store)
  - custom tag for showing/hiding links (based on the store)

This protects only *actions* and not data (i.e. which roles can see which
rows in the database).
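Added example, not code from Arnaud, Alvaro or the Struts project: the pattern both of them describe, a login action that leaves the member's roles in the session, a centralized store that maps action names to the roles allowed to call them, and an interceptor that enforces the store before the action runs. The session keys ("roles", "userId"), the "unauthorized" result name, the action names and the role names are all assumptions; the mapping itself just follows the requirements in the first post. The last method shows the check Arnaud says this design does not make for you: which rows a member may touch.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/**
 * Action-level authorization for Struts 2: a centralized store of which roles may
 * invoke which action, enforced by an interceptor placed in front of every action.
 * ROLES_KEY and USER_ID_KEY are assumptions: the login action is expected to set
 * them in the session after a successful login.
 */
public class AuthorizationInterceptor extends AbstractInterceptor {

    public static final String ROLES_KEY = "roles";           // assumed: Set<String> of role names
    public static final String USER_ID_KEY = "userId";        // assumed: id of the logged-in member
    public static final String UNAUTHORIZED = "unauthorized"; // assumed result name, mapped in struts.xml

    /** Centralized store: action name -> roles allowed to call it. */
    static final class RoleStore {
        static final String ANONYMOUS = "anonymous"; // pseudo-role meaning "no login required"
        private static final Map<String, Set<String>> ALLOWED = new HashMap<String, Set<String>>();

        static {
            // Constructed mapping following the requirements in the first post;
            // the action names are placeholders, not real actions from the thread.
            allow("viewGlobal",     ANONYMOUS, "member", "editor", "admin");
            allow("viewMember",     "member", "editor", "admin");
            allow("editOwnProfile", "member", "editor", "admin");
            allow("addContent",     "member", "editor", "admin");
            allow("editGlobal",     "editor", "admin");
            allow("manageUsers",    "admin");
        }

        private static void allow(String action, String... roles) {
            ALLOWED.put(action, new HashSet<String>(Arrays.asList(roles)));
        }

        /** Default deny: an action missing from the store is allowed to nobody. */
        static boolean isAllowed(String action, Set<String> userRoles) {
            Set<String> permitted = ALLOWED.get(action);
            if (permitted == null) {
                return false;
            }
            if (permitted.contains(ANONYMOUS)) {
                return true;
            }
            for (String role : userRoles) {
                if (permitted.contains(role)) {
                    return true;
                }
            }
            return false;
        }
    }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        String action = invocation.getProxy().getActionName();
        Map<String, Object> session = ActionContext.getContext().getSession();
        @SuppressWarnings("unchecked")
        Set<String> roles = session == null ? null : (Set<String>) session.get(ROLES_KEY);

        if (RoleStore.isAllowed(action, roles == null ? Collections.<String>emptySet() : roles)) {
            return invocation.invoke();
        }
        // Not logged in: send to the login page. Logged in but lacking the role: explicit refusal.
        return roles == null ? Action.LOGIN : UNAUTHORIZED;
    }

    /**
     * The check the interceptor cannot make: row ownership. "Members can change some
     * of their own data" must be enforced inside the action, against the record's owner,
     * because the store only knows action names, not which row the request is about.
     */
    public static boolean ownsRecord(Map<String, Object> session, String recordOwnerId) {
        Object me = session == null ? null : session.get(USER_ID_KEY);
        return me != null && me.equals(recordOwnerId);
    }
}
```

The interceptor goes into the default interceptor stack in struts.xml, with "login" and "unauthorized" declared as global results, so that an action left out of the store is refused rather than silently open. Whatever custom tag hides links in the JSP should read the same store, but the tag is convenience only: the interceptor is the enforcement point, since a user who types the URL never sees the tag.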



Re: Authentication and Authorization in S2

Posted by wild_oscar <mi...@almeida.at>.
How about AA with Struts2 only?

I'm trying to understand Authorization with JAAS, but I'm not being very
successful. Authentication is taken care of: I use JAAS and a PostgreSQL
database to store users, passwords and roles.

At the end of authentication, I store the subject in the HttpSession:

HttpSession session = httprequest.getSession();
session.setAttribute("subject_key", lc.getSubject());

Bear in mind I first tried this in Struts; this week I switched to Struts2.
Can anyone shed some light on the authorization part of the process with
Struts2? Namely:

a) Does one ever need to configure web.xml with security details and roles,
for declarative security based on wildcards?

or
b) Is security only achieved at the action level?

c) How does one build JSP pages that have parts protected (say, a
form/button only available to certain roles)?

Thank you for your help!

Miguel, lost in Authorization
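Added example, not code from Miguel or from the Struts project: how the Subject stored under "subject_key" can be turned into role checks that an action can call and that a JSP can query for question (c). RolePrincipal is an assumption; a JAAS login module adds Principals of whatever types it defines to the Subject, so the real type to match is the one your login module uses for the role rows it reads from PostgreSQL.

```java
import java.security.Principal;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.security.auth.Subject;

import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionSupport;

/**
 * Base action that reads the JAAS Subject the login code put in the HttpSession and
 * exposes role checks. Struts 2's session map is backed by HttpSession attributes, so
 * the Subject stored with session.setAttribute("subject_key", ...) is visible here.
 */
public class SecureActionSupport extends ActionSupport {

    public static final String SUBJECT_KEY = "subject_key"; // the key used in the post above

    /** Assumed Principal type: one instance per role the login module found for the user. */
    public static final class RolePrincipal implements Principal {
        private final String name;

        public RolePrincipal(String name) {
            if (name == null) {
                throw new IllegalArgumentException("role name required");
            }
            this.name = name;
        }

        public String getName() {
            return name;
        }

        @Override
        public boolean equals(Object o) {
            return o instanceof RolePrincipal && name.equals(((RolePrincipal) o).name);
        }

        @Override
        public int hashCode() {
            return name.hashCode();
        }
    }

    /** The Subject for this session, or null when nobody has logged in. */
    protected Subject currentSubject() {
        Map<String, Object> session = ActionContext.getContext().getSession();
        Object stored = session == null ? null : session.get(SUBJECT_KEY);
        return stored instanceof Subject ? (Subject) stored : null;
    }

    public boolean isAuthenticated() {
        return currentSubject() != null;
    }

    /** Role names taken from the Subject's RolePrincipals; empty when not logged in. */
    public Set<String> getRoles() {
        Set<String> roles = new HashSet<String>();
        Subject subject = currentSubject();
        if (subject != null) {
            for (RolePrincipal p : subject.getPrincipals(RolePrincipal.class)) {
                roles.add(p.getName());
            }
        }
        return roles;
    }

    /** Reachable from OGNL on the value stack, e.g. <s:if test="userInRole('admin')">. */
    public boolean userInRole(String role) {
        return getRoles().contains(role);
    }
}
```

With actions extending this class, a JSP can wrap a form or button in `<s:if test="userInRole('admin')"> ... </s:if>`, which answers (c) for the presentation side only: the hidden form is still one POST away, so the action (or an interceptor in front of it) has to repeat the check before doing the work. On (a): a Subject produced by the application's own LoginContext is not known to the servlet container, so web.xml security-constraints and request.isUserInRole() will not see these roles unless the container's realm is configured to use the same login module; that is why the checks in this setup live at the action level.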





Re: Authentication and Authorization in S2

Posted by Roberto Nunnari <ro...@supsi.ch>.
Thank you very much Zarar and Alvaro for your hints.

Yes. I'm using Spring, and I'll take a look at Acegi, and maybe
Berkano, too.

Best regards.

--
Robi.





Re: Authentication and Authorization in S2

Posted by Alvaro Sanchez-Mariscal <al...@gmail.com>.
I agree. You should first try Acegi.

If your auth needs are very specific, you can always develop a custom
interceptor.

Alvaro.

-- 
Alvaro Sanchez-Mariscal Arnaiz
Java EE Architect & Instructor
alvaro.sanchezmariscal@gmail.com


Re: Authentication and Authorization in S2

Posted by Zarar Siddiqi <za...@gmail.com>.
If you're using Spring, it's probably a great idea to use Acegi
Security to handle authentication/authorization.  I can't think of
anything it can't do.

http://www.acegisecurity.org/

There's also Berkano which doesn't do nearly as much as Acegi but can
handle most general AA problems:

http://berkano.codehaus.org/

Zarar


On 8/20/07, Roberto Nunnari <ro...@supsi.ch> wrote:
> Hi all.
>
> I need to implement Authentication and Authorization in
> a S2 web application, and before reinventing the wheel, I'd
> like to ask the list for hints and advice.
>
> 1) Is there built-in support in Struts2 for Authentication and
> Authorization?
>
> 2) What are the best practices for AA in S2?
>
> 3) Is JAAS be a practical way in S2?
>
> More details:
> - The application lets the users dynamically register as members
> - In the application, the members can be part of one of two or three
> groups (roles)
> - unauthenticated users can only view some global data
> - authenticated users can change some of their own data
> - authenticated users can view some of other members data
> - the authenticated users can add global content
> - authenticated users in more privileged roles can change some global data
> - authenticated users in the admin role, can do anything
>
> Thank you.
>
> --
> Robi
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org