Posted to user@struts.apache.org by "Brugge, John" <jb...@Kraft.com> on 2001/02/26 16:26:12 UTC

RE: Has anyone implemented security and authentication in a Struts app?

We are in the process of writing a lightweight framework for role-based
authorization because no other options have panned out. I've searched for
open-source solutions, but find none. As David Geary said, it's not really
rocket science, but to do it well and to make it generalized for different
situations gets harder quickly. That's why there are companies that make a
good living selling packages like Siteminder and ClearTrust.

I'd also suggest thinking about security in a slightly different way, by
taking it out of the realm of the application. Unless you've got very
fine-grained access control requirements, your application will be much more
portable and maintainable if you let someone/something else worry about
"security." Containers are going to have differing schemes until the end of
time, but they are the second-best place to define security (the best being
even further removed, at the web server). For one, security policies are
often the realm of a group completely removed from application development,
and, if they're really serious about it, are very uncomfortable with the
thought of having security implemented within an application - much harder
to audit or verify its stoutness.

More importantly, unless you're at the level of the container, or above, you
can't protect any static pages that might be part of your application, and
you have to put explicit checks in each of your JSPs - forget it in one JSP
and your app is compromised.

All this is to say that if you're writing a framework for your own app or
organization and know what the ground rules are going to be, it's not that
hard. If you want one that's general and covers lots of situations, that is
harder work, and explains why there are slim pickings (unless you've got the
$$ to buy one.) Seems like a niche waiting to be filled for the open source
community....

I hope that's not too much soap-boxing. If you've got more specific
questions, I'd be happy to offer some more concrete ideas.

John Brugge
Senior Specialist, e-Commerce Solutions
Compuware Corporation
Madison, Wisconsin
608-223-3800
John.Brugge@Compuware.com

> -----Original Message-----
> From:	Davina and Mac [SMTP:davinaandmac@sympatico.ca]
> Sent:	Sunday, February 25, 2001 11:16 AM
> To:	struts-user@jakarta.apache.org
> Subject:	Has anyone implemented security and authentication in a
> Struts app?
> 
> Has anybody out there implemented a roles-based security system in a
> Struts
> application? If so, did you use an existing class library or write your
> own?
> It seems to me that relying on container providers for security schemes
> makes it almost impossible to write portable applications, and Struts/MVC,
> with its single point of access and clearly defined actions would be an
> ideal place to implement security...
> thoughts anyone?
> 
> Mac Ferguson

Re: missing message key error

Posted by Maya Muchnik <mm...@pumatech.com>.
Your index.jsp file is using ApplicationResources.properties to get
index.title. Check it.

soh syed wrote:

> can anyone help me with the following error!
> thanks
>
> Missing message for key index.title
>         at org.apache.struts.taglib.bean.MessageTag.doStartTag(MessageTag.java:242)
>         at _0002findex_0002ejspindex_jsp
>
> __________________________________________________
> Do You Yahoo!?
> Get email at your own domain with Yahoo! Mail.
> http://personal.mail.yahoo.com/


missing message key error

Posted by soh syed <sy...@yahoo.com>.
can anyone help me with the following error!
thanks

Missing message for key index.title
	at org.apache.struts.taglib.bean.MessageTag.doStartTag(MessageTag.java:242)
	at _0002findex_0002ejspindex_jsp


RE: Has anyone implemented security and authentication in a Struts app?

Posted by Davina and Mac <da...@sympatico.ca>.
Hmmmm. Those are some very good points. The situation I am faced with
now (and have been on a couple of occasions) is porting to MVC a content
management system that is steadily growing in complexity. I have to
implement several roles which will be assigned Create/Read/Update/Delete
rights on various components; eventually there will also be a set of
workflow management permissions (Authorize/Publish), probably
attached to the data somehow. So my needs go a ways beyond authentication as
it is implemented in most web servers. The only open-source projects I've
seen that are really related are OpenSymphony's OSUser, which is far from
functional, and Caucho's Quercus, which seems to be dependent on Resin's
JNDI services (although I haven't really dug into this code yet). I am
considering starting something based on JAAS and making it available when/if
it becomes workable. It would probably be pretty much geared towards Struts
to begin with. If only I didn't have to sleep, then I'd have time for
this...

Thanks,
Mac Ferguson
  -----Original Message-----
  From: Brugge, John [mailto:jbrugge@Kraft.com]
  Sent: Monday, February 26, 2001 10:26 AM
  To: 'struts-user@jakarta.apache.org'
  Subject: RE: Has anyone implemented security and authentication in a
Struts app?


  We are in the process of writing a lightweight framework for role-based
authorization because no other options have panned out. I've searched for
open-source solutions, but find none. As David Geary said, it's not really
rocket science, but to do it well and to make it generalized for different
situations gets harder quickly. That's why there are companies that make a
good living selling packages like Siteminder and ClearTrust.

  I'd also suggest thinking about security in a slightly different way, by
taking it out of the realm of the application. Unless you've got very
fine-grained access control requirements, your application will be much more
portable and maintainable if you let someone/something else worry about
"security." Containers are going to have differing schemes until the end of
time, but they are the second-best place to define security (the best being
even further removed, at the web server). For one, security policies are
often the realm of a group completely removed from application development,
and, if they're really serious about it, are very uncomfortable with the
thought of having security implemented within an application - much harder
to audit or verify its stoutness.

  More importantly, unless you're at the level of the container, or above,
you can't protect any static pages that might be part of your application,
and you have to put explicit checks in each of your JSPs - forget it in one
JSP and your app is compromised.

  All this is to say that if you're writing a framework for your own app or
organization and know what the ground rules are going to be, it's not that
hard. If you want one that's general and covers lots of situations, that is
harder work, and explains why there are slim pickings (unless you've got the
$$ to buy one.) Seems like a niche waiting to be filled for the open source
community....

  I hope that's not too much soap-boxing. If you've got more specific
questions, I'd be happy to offer some more concrete ideas.

  John Brugge
  Senior Specialist, e-Commerce Solutions
  Compuware Corporation
  Madison, Wisconsin
  608-223-3800
  John.Brugge@Compuware.com

    -----Original Message-----
    From:   Davina and Mac [SMTP:davinaandmac@sympatico.ca]
    Sent:   Sunday, February 25, 2001 11:16 AM
    To:     struts-user@jakarta.apache.org
    Subject:        Has anyone implemented security and authentication in a
Struts app?

    Has anybody out there implemented a roles-based security system in a
Struts
    application? If so, did you use an existing class library or write your
own?
    It seems to me that relying on container providers for security schemes
    makes it almost impossible to write portable applications, and
Struts/MVC,
    with its single point of access and clearly defined actions would be an
    ideal place to implement security...
    thoughts anyone?

    Mac Ferguson