Posted to user@struts.apache.org by "Geddes, Mark (ANTS)" <ma...@ants.co.uk> on 2001/06/18 18:25:25 UTC

Multiple security constraints

This is not a struts specific question, so feel free to switch off now.
However, readers of this list are definitely the most focused and clued-up
on JSP/Servlet issues.
 
I am trying to implement various levels of container managed security within
my site. I would like to restrict access to the whole site to specific
roles, and then restrict certain resources within the site to a subset of
those roles. So, as an example I may have two <security-constraint>
definitions:
 
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>The Whole Site</web-resource-name>
      <description>This ensures that only valid users are allowed access to the site</description>
      <url-pattern>/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description>no description</description>
      <role-name>RoleA</role-name>
      <role-name>RoleB</role-name>
      <role-name>RoleC</role-name>
    </auth-constraint>
  </security-constraint>
 
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>RoleA Only</web-resource-name>
      <description>Actions only available to RoleA</description>
      <url-pattern>/secureAction1.do</url-pattern>
      <url-pattern>/secureAction2.do</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description>no description</description>
      <role-name>RoleA</role-name>
    </auth-constraint>
  </security-constraint>
 
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>default</realm-name>
  </login-config>
 
To get access to the site you would need to be in either RoleA, RoleB or
RoleC. To be able to perform secureAction1.do or secureAction2.do, you would
need to be in RoleA.
 
When I run this app under Resin, it behaves exactly as I would imagine. I am
prompted for authentication when I first access the site, and from then on
it knows which roles I belong to. If I am a member of RoleB, but not RoleA,
I am denied access when I try to perform /secureAction1.do (Error 403).
When I run the app under WebLogic 6.0, I am prompted for authentication when
I first access the site, and then again when I attempt to access areas to
which I do not have access. It is giving me the chance to authenticate
myself again, despite the fact that I have already done so.
 
The net result is the same, but the user experience is very different.
 
I have read the Servlet 2.2 spec again to find any clues, but I suspect that
this is just one of those areas where the vendor is free to implement the
requirements however they wish. If this is the case then I am looking
forward to the Struts 1.1 enhancement, so that I can bring this under my
control.
 
Is anyone able to shed light on this area?
 
 
Mark
 
p.s. 1.0 Final. - Thanks to all the developers for a great framework.
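As an added illustration (not Mark's code, and not Resin, WebLogic or Struts code), the following Python script models how a container resolves the two overlapping <security-constraint> blocks above. The precedence it assumes is the one later Servlet specifications and Tomcat apply: an exact url-pattern beats a path-prefix pattern, the longest prefix beats shorter ones, then extension patterns, then the default "/" pattern; constraints that tie at the same level are merged by taking the union of their roles. The "reprompt_when_denied" switch only models the user-visible behaviour the post reports from WebLogic 6.0 (a 401 on an authorized-but-forbidden request, which makes a browser show the BASIC dialog again); it is an assumption about the response code, not a description of WebLogic internals.

```python
"""Model of servlet-style <security-constraint> matching.

Hypothetical example, not Resin, WebLogic or Struts code.  The precedence
(exact pattern > longest "/prefix/*" > "*.ext" > default "/") is the rule
later Servlet specs and Tomcat use; constraints at equal precedence are
merged by taking the union of their roles.
"""
from dataclasses import dataclass


@dataclass
class Constraint:
    name: str
    url_patterns: list
    http_methods: list   # empty list means the constraint covers all methods
    roles: list          # empty list means "nobody" (deny everyone)


# The two constraints from the web.xml in the post, transcribed.
CONSTRAINTS = [
    Constraint("The Whole Site", ["/*"], ["GET", "POST"],
               ["RoleA", "RoleB", "RoleC"]),
    Constraint("RoleA Only", ["/secureAction1.do", "/secureAction2.do"],
               ["GET", "POST"], ["RoleA"]),
]


def _match_rank(pattern: str, path: str):
    """Return (precedence, specificity) if pattern matches path, else None."""
    if pattern == path:
        return (3, len(pattern))                     # exact match
    if pattern.endswith("/*"):
        prefix = pattern[:-2]                        # "/*" -> "" matches all
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))                  # path-prefix match
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, len(pattern))                     # extension match
    if pattern == "/":
        return (0, 0)                                # default pattern
    return None


def applicable_constraints(path, method, constraints=CONSTRAINTS):
    """Select the constraints whose best-matching pattern wins for this request.

    A constraint that lists <http-method> elements covers only those methods;
    any other method is simply not constrained by it.
    """
    best, chosen = None, []
    for c in constraints:
        if c.http_methods and method not in c.http_methods:
            continue
        ranks = [r for r in (_match_rank(p, path) for p in c.url_patterns)
                 if r is not None]
        if not ranks:
            continue
        rank = max(ranks)
        if best is None or rank > best:
            best, chosen = rank, [c]
        elif rank == best:
            chosen.append(c)
    return chosen


def authorize(path, method, user_roles, reprompt_when_denied=False):
    """Return the HTTP status the modelled container would send.

    user_roles is None for an unauthenticated request.  reprompt_when_denied
    models the behaviour the post reports from WebLogic 6.0: answering an
    authenticated but unauthorized request with 401 (re-prompting the browser)
    instead of the 403 Resin sends.
    """
    chosen = applicable_constraints(path, method)
    if not chosen:
        return 200                     # no constraint covers this path/method
    allowed = set().union(*(set(c.roles) for c in chosen))
    if user_roles is None:
        return 401                     # challenge for BASIC credentials
    if allowed & set(user_roles):
        return 200
    return 401 if reprompt_when_denied else 403


if __name__ == "__main__":
    cases = [("/index.jsp", "GET", ["RoleB"]),
             ("/secureAction1.do", "GET", ["RoleB"]),
             ("/secureAction1.do", "GET", ["RoleA"]),
             ("/secureAction1.do", "GET", None),
             ("/secureAction1.do", "HEAD", ["RoleB"])]
    for path, method, roles in cases:
        print(f"{method} {path} as {roles}: 403-style={authorize(path, method, roles)}"
              f" reprompt-style={authorize(path, method, roles, True)}")
```

Running it reproduces the outcome in the post: RoleB is let into the site but gets 403 (or, with the re-prompt switch, 401) on /secureAction1.do, while RoleA gets through. The last case is the caveat worth noticing in the posted web.xml: because both constraints list only GET and POST, a HEAD (or any other method) request to /secureAction1.do is matched by neither and goes through unconstrained. Omitting the <http-method> elements makes a constraint cover every method.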
 