Posted to user@struts.apache.org by Alexis Gallagher <al...@yahoo.com> on 2002/10/16 16:28:30 UTC

security roles per action mapping

Hello,

I've gotten a lot of help just lurking on this list,
so I'm hoping my first question isn't too off base.

I am trying to use the action "roles" parameter to
define fine-grained security constraints. However,
these constraints will apply to security roles which
are defined programmatically within my webapp and
which are not registered with the server's security
realm.

So I'm wondering, is there a way to stop the server
from checking the "roles" parameter for its own
purposes, so that I can hijack it for my own?

If I seem not just confused but totally off-base, I'll
stick the gory details of why I'm trying to do this in
a P.S..

Thanks,
Alexis Gallagher

p.s. 
Why would I want to disable the server's check of
security roles? Well, in my system every user can
belong to multiple projects, but he can only browse
one project at a time. A user has both a global
security role (admin vs. non-admin) but also a
per-project security role (manager vs. member, etc.). 

My understanding is that container-managed security is
not intended to support a situation where a user's
role might change depending on their position
session state (that is, what project they're
browsing). Also, container-managed security doesn't
have a vendor-neutral realm implementation.

Nevertheless, it would be very convenient to
declaratively configure all these security
constraints, and I can just put the security logic in my
action base class.




--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: security roles per action mapping

Posted by Eddie Bush <ek...@swbell.net>.
Bah!  Your web.xml - not your server.xml.  I know what I'm talking 
about, I'm just experiencing technical difficulties in the broadcasting 
department! LOL

Your web.xml holds all your role data and constraints, so using 
traditional CMA, you'd have to modify that file and restart the app 
every time you added a project.  If that's a good solution for you 
(projects don't get added often) then it may be the easiest, most 
straight-forward way to go about it.  I suspect you'll find that less 
than ideal though - and I believe the filter/wrapper approach would fit 
the ticket.

-- 
Eddie Bush






Re: security roles per action mapping

Posted by Alexis Gallagher <al...@yahoo.com>.
Eddie & Vicc,

Thanks for your help on this. It got me started in the
right direction, and I found a solution that I thought
I'd share in case it's useful to someone else.

In the end, I created a custom subclass of
RequestProcessor that overrides processRoles() and
always returns true. It's less than 10 lines of code
in the end. This allows requests to reach my Action
base class, which reads the action roles attributes
and applies its own security logic.

Because the app was throwing me to the Tomcat
authentication error pages, I thought that Tomcat
container-managed security (CMS) was intercepting the
messages. This was false, and started me down the
blind alley of fiddling with constraints in web.xml.

But when I chased all the references to
ActionMapping.getRoles(), I found that Struts itself
was invoking Tomcat's CMS by calling
HttpServletRequest.isUserInRole() in the
RequestProcessor class. Subclassing RequestProcessor
solves this problem.

I expect it would also work to filter requests and
override isUserInRole(). This is nice because it
doesn't involve customizing Struts itself, but worries
me because it prevents me from actually using CMS if I
want to later on. Also, the filter class, the custom
request subclass, and the web.xml configs leave more
room for error.

Thanks for the help!

Alexis
Like following a trail of




Re: security roles per action mapping

Posted by Eddie Bush <ek...@swbell.net>.
Alexis Gallagher wrote:

>Hello,
>
>I've gotten a lot of help just lurking on this list,
>so I'm hoping my first question isn't too off base.
>
>I am trying to use the action "roles" parameter to
>define fine-grained security constraints. However,
>these constraints will apply to security roles which
>are defined programmatically within my webapp and
>which are not registered with the server's security
>realm.
>
>So I'm wondering, is there a way to stop the server
>from checking the "roles" parameter for its own
>purposes, so that I can hijack it for my own?
>
>If I seem not just confused but totally off-base, I'll
>stick the gory details of why I'm trying to do this in
>a P.S..
>
You could write a filter and provide wrappers for the request that would 
let you override the important functions.

>Thanks,
>Alexis Gallagher
>
>p.s. 
>Why would I want to disable the server's check of
>security roles? Well, in my system every user can
>belong to multiple projects, but he can only browse
>one project at a time. A user has both a global
>security role (admin vs. non-admin) but also a
>per-project security role (manager vs. member, etc.). 
>
>My understanding is that container-managed security is
>not intended to support a situation where a user's
>role might change depending on their position
>session state (that is, what project they're
>browsing). Also, container-managed security doesn't
>have a vendor-neutral realm implementation.
>
>Nevertheless, it would be very convenient to
>declaratively configure all these security
>constraints, and I can just put the security logic in my
>action base class.
>
Well, I think the thing to do would be to maybe come up with some 
additional roles for each project.  No, wait, you'd have to be modifying 
your server config for every project.  Never mind that ...

It smells like you really do need a custom solution.  I think probably 
writing a filter to wrap the request so you can override isUserInRole 
would probably be the way to go.  You could then implement that method 
(and any others you needed to) so that it would return the appropriate 
result - after having consulted your database.  Ideally, what would 
happen is you would load all roles associated with the user in something 
(Map perhaps) and then just consult that (map.containsKey(roleName)). 
That way you're offsetting hitting the database for each request.  Of 
course, if roles were added after a person logged in, they wouldn't have 
them loaded.  The user would have to relog to effect the change.

See version 2.3 of the servlet specification and the J2EE tutorial for 
information about writing a filter that would do what you need to do. 
You're looking at using a Filter and ... what is it called ... 
HttpServletRequestWrapper?  That's close, I believe.

I feel like maybe there's a better solution to this - but it doesn't 
occur to me what it might be.  Hopefully someone else has further insight.

-- 
Eddie Bush




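The filter and request-wrapper approach suggested in the message above, as an added example that is not code from the original posts: the wrapper answers isUserInRole() from a role set cached in the session and falls back to the container's answer, so container-managed roles keep working. The class names and the `projectRoles` session attribute are hypothetical, and login code is assumed to populate that attribute.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

/** Hypothetical filter: answers isUserInRole() from app-managed roles. */
public class ProjectRoleFilter implements Filter {

    /** Assumed session key: Set of role names loaded when the user logs in. */
    static final String ROLES_KEY = "projectRoles";

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            req = new RoleRequest((HttpServletRequest) req);
        }
        chain.doFilter(req, res);   // Struts now sees the wrapped request
    }

    static class RoleRequest extends HttpServletRequestWrapper {
        RoleRequest(HttpServletRequest request) { super(request); }

        public boolean isUserInRole(String role) {
            HttpSession session = getSession(false);   // never create one here
            Object cached = (session == null) ? null : session.getAttribute(ROLES_KEY);
            // Roles are cached per session: a role granted after login is
            // not seen until the set is reloaded or the user logs in again.
            if (cached instanceof Set && ((Set<?>) cached).contains(role)) {
                return true;
            }
            // Fall back to the container realm.
            return super.isUserInRole(role);
        }
    }
}
```

The filter is declared and mapped in web.xml ahead of the Struts servlet. Because application roles and realm roles share one namespace in this wrapper, a realm role with the same name as an application role satisfies the same check, so the two sets of names should be kept distinct.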


Re: security roles per action mapping

Posted by "V. Cekvenich" <vi...@users.sourceforge.net>.
One approach:
Make all the users in a single role for CMA.
In the first action, make a getUserPrincipal call and store it in a session bean (I 
also have getFullName in there, so I display the logged-in user name in the header).
In the session bean, add methods for getProjectRole() that call the DAO to 
find this.

Based on sessionBean.getProjectRole(), your action/controller can do 
things like
formBean.find(sessionBean.getProjectRole()) to only find things that are 
relevant.
The book FastTrack to Struts has a chapter on this, and also on how to 
make this row-based updates or row-based RO.

.V
