Posted to user@struts.apache.org by Thomas Hamacher <th...@qualigo.de> on 2006/08/29 10:40:25 UTC

Best way to secure struts-webapps?

Hi everyone,

I think I have a very basic question here, but after spending some time with 
Google I haven't found a real solution to this question: What is the best way 
to secure a Struts web application to be sure that only logged-in users are 
allowed to perform some special actions and access some special pages?

I found 3 possibilities, some of which seem to be a solution from 
older Struts versions.

- Extend the RequestProcessor and do a programmatic security-check
- Use a Filter to do the security check
- Extend all Actions from a customized BaseAction, that does the security 
check.

But all of this seems a bit strange to me. As security is a standard problem 
in every web application and there are a lot of people who have thought about 
solutions (JAAS), I can't believe that I have to extend the Struts framework 
myself to provide some security issues. 

So what would you recommend if you want to build a really secure application with 
Struts, together with Tiles, and want to be sure that no pages or actions are 
used without permission? And all of this independent of whether I use Tomcat, 
Resin or maybe JBoss as my Struts web server.

Do you have any information, examples or URLs that offer a real solution to 
this?

Thank you very much

Thomas

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: Best way to secure struts-webapps?

Posted by Chris Pratt <th...@gmail.com>.
You might look into the Security Filter project at SourceForge
(http://securityfilter.sourceforge.net/), we're using it and it seems to work
very nicely.
  (*Chris*)

On 11/26/06, nirmal_hbti <ni...@rediffmail.com> wrote:
>
>
> Hi,
>
> What is the best way to secure struts-webapps without Container Managed
> Security?
> I have heard of the following possible options but I am confused as to
> which one to choose:
>
> 1. Using Filters.
> 2. Override one of the process methods in the ProcessRequest.
> 3. Make a base action where you check for your criteria in every action's
> execute() method. Then have it invoke a custom "myExecute()" method which
> is where you would put the code you normally put in execute().
>
> I am confused as to which one to choose because I want the security to be
> application-level and I don't wanna use any Container Managed Security.
> Also in my application I have different roles and each role has a separate
> set of privileges, like Admin, Customer, Account Manager. I want the
> different menus or options to be available only if the logged-in user is in
> that role.
>
> Nirmal Kumar

Re: Best way to secure struts-webapps?

Posted by nirmal_hbti <ni...@rediffmail.com>.
Hi,

What is the best way to secure struts-webapps without Container Managed
Security?
I have heard of the following possible options but I am confused as to
which one to choose:

1. Using Filters.
2. Override one of the process methods in the ProcessRequest.
3. Make a base action where you check for your criteria in every action's
execute() method. Then have it invoke a custom "myExecute()" method which
is where you would put the code you normally put in execute().

I am confused as to which one to choose because I want the security to be
application-level and I don't wanna use any Container Managed Security.
Also in my application I have different roles and each role has a separate
set of privileges, like Admin, Customer, Account Manager. I want the
different menus or options to be available only if the logged-in user is in
that role.

Nirmal Kumar


Re: Best way to secure struts-webapps?

Posted by Li <am...@gmail.com>.
I guess the best practice for a secure Struts webapp can never be answered by
listing a few items of "what to do and how to do". It is a complicated topic
and has many situations, like for LAN, WAN ...

Besides, will Struts continue its development rather than enhancement? Or
will WebWork replace it sooner or later?




-- 
When we invent time, we invent death.

Re: Best way to secure struts-webapps?

Posted by Li <am...@gmail.com>.
Put secure pages under /WEB-INF.

You can create a tag for checking session validation and/or the user object.




Re: Best way to secure struts-webapps?

Posted by Leon Rosenberg <ro...@googlemail.com>.
The options number 2 and 3 (filter and action) sound both very hale to me.
If you just want to separate between logged in and not logged in users,
I would go for option 2.
If you need fine-grained separation, go for BaseAction and do not only a
login check but also one for action-dependent permissions.

regards
Leon

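Leon's option 2, as an added example that is not code from the thread or from Struts: a servlet Filter for a Struts 1 application that lets only logged-in users reach actions and remembers where to send them after login. It assumes the login action stores the authenticated user in the session under the attribute "user" and lives at /login.do; both names are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Login filter for a Struts 1 application (added example, not from the thread).
 *
 * Mapped on "*.do" in web.xml:
 *   <filter>
 *     <filter-name>loginFilter</filter-name>
 *     <filter-class>LoginFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>loginFilter</filter-name>
 *     <url-pattern>*.do</url-pattern>
 *   </filter-mapping>
 *
 * Because only *.do requests are filtered, every JSP and every Tiles fragment
 * must live under /WEB-INF (as Li suggested): the container never serves
 * /WEB-INF resources directly, so the only way to reach a page is through an
 * action that passed this filter. A tile the action forwards to is included
 * server-side and does not need to match the filter pattern.
 */
public class LoginFilter implements Filter {
    /** Session attribute set by the login action (assumed name). */
    public static final String USER_KEY = "user";
    /** Session attribute the login action reads to send the user back. */
    public static final String RETURN_KEY = "returnTo";
    /** Login action path (assumed). */
    private static final String LOGIN_PATH = "/login.do";

    public void init(FilterConfig config) throws ServletException {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String path = request.getServletPath();
        // The login action itself must stay reachable, or nobody can log in.
        if (LOGIN_PATH.equals(path)) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false): do not create sessions for anonymous requests.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_KEY) == null) {
            // Remember where the user wanted to go so the login action can
            // redirect "dynamically to the same page after login". Only the
            // application-relative path is stored, never a caller-supplied URL,
            // so the login action cannot be abused as an open redirect.
            String returnTo = path;
            if (request.getQueryString() != null) {
                returnTo += "?" + request.getQueryString();
            }
            request.getSession(true).setAttribute(RETURN_KEY, returnTo);
            // The login action should invalidate this session and create a
            // fresh one after a successful login (copying returnTo over) so
            // that a session id handed out before login is never trusted.
            response.sendRedirect(request.getContextPath() + LOGIN_PATH);
            return;
        }

        chain.doFilter(req, res);
    }

    public void destroy() {
    }
}
```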


Re: Best way to secure struts-webapps?

Posted by Antonio Petrelli <br...@tariffenet.it>.
Thomas Hamacher wrote:
> But as far 
> as I have read on the internet, there is no good solution for using container managed 
> security together with Tiles. So if I wanna have a login box on every page 
> that redirects dynamically to the same page after login, I will have some 
> trouble with the container managed solution. Is this not true, or did I 
> misunderstand anything? 
>   

In the case of Tiles, if your needs are "I need a different page 
appearance for different roles" then you might be interested in Dimensions.
http://mutidimensions.sf.net/

Ciao
Antonio




Re: Best way to secure struts-webapps?

Posted by Laurie Harper <la...@holoweb.net>.
Thomas Hamacher wrote:
> Laurie,
> 
> thanks for the input. I am aware of container managed security. But as far 
> as I have read on the internet, there is no good solution for using container managed 
> security together with Tiles. So if I wanna have a login box on every page 
> that redirects dynamically to the same page after login, I will have some 
> trouble with the container managed solution. Is this not true, or did I 
> misunderstand anything? 

It all depends on exactly what you need to achieve. CMS uses URL 
matching, so you'd probably have to have some way to have two distinct 
URL mappings for each page, one secured and one not, and have the login 
box forward to the secured page -- e.g. if you're on /foo.do, have the 
login box forward/redirect to /secure/foo.do. I haven't tried any of 
this though, so I'm just guessing at a possible solution.

> And another question about the filter-based solution, as Leon also recommended: 
> Does this also work if I have different tiles for one page and some of them 
> are secured and some aren't? E.g. I have a tile for an adminMenu, which is 
> only loaded if I have a user with admin roles in the session, but which is 
> part of a usual public Tiles page. This way the servlet filter will never 
> find its pattern, will it? Is a simple <logic:present> tag combined 
> with an entry "role" in the action mapping and a role security check in the 
> RequestProcessor enough security to be sure only admins access these 
> actions? Or is there a way to get around these security checks, which I 
> should keep in mind?

Generating different content based on the current user role is really 
orthogonal to how you establish user credentials -- that's access 
control as opposed to authentication. Once you have the user 
authenticated, be it via CMS, a filter or something else, you can then 
employ various techniques (including, but not limited to, Antonio's 
Dimensions project) to control the visibility of content.

L.

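Laurie's point that hiding a tile is visibility control, not access control, as an added example that is not code from the thread or from Struts: a RequestProcessor that enforces application-level roles taken from the "roles" attribute of the action mapping, the combination Thomas asks about, without container managed security. The AppUser class, the "user" session attribute and the /admin/ path convention are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

/** Application user stored in the session by the login action (assumed shape). */
class AppUser {
    private final String name;
    private final Set<String> roles;

    AppUser(String name, String... roles) {
        this.name = name;
        this.roles = new HashSet<String>(Arrays.asList(roles));
    }

    String getName() { return name; }
    boolean hasRole(String role) { return roles.contains(role); }
}

/**
 * Registered in struts-config.xml with
 *   <controller processorClass="AppRequestProcessor"/>
 * and driven by the "roles" attribute of each mapping, e.g.
 *   <action path="/admin/deleteUser" type="..." roles="Admin"/>
 *
 * With the Tiles plugin installed, extend
 * org.apache.struts.tiles.TilesRequestProcessor instead; the override below
 * is unchanged.
 */
public class AppRequestProcessor extends RequestProcessor {
    /** Same session attribute the login action/filter uses (assumed name). */
    static final String USER_KEY = "user";

    /**
     * Struts calls processRoles() for every request, before the Action is
     * even instantiated. The check therefore runs no matter how the URL was
     * obtained (typed in, bookmarked, or read out of the page source): hiding
     * the admin menu with <logic:present> only controls visibility, this
     * controls access.
     */
    protected boolean processRoles(HttpServletRequest request,
                                   HttpServletResponse response,
                                   ActionMapping mapping)
            throws IOException, ServletException {
        String[] required = mapping.getRoleNames();
        boolean adminPath = mapping.getPath().startsWith("/admin/");
        if ((required == null || required.length == 0) && !adminPath) {
            return true; // public action, nothing to enforce
        }

        HttpSession session = request.getSession(false);
        AppUser user = (session == null) ? null : (AppUser) session.getAttribute(USER_KEY);
        if (user != null && isAllowed(user, required, adminPath)) {
            return true;
        }

        // Fail closed, and log the denial: repeated 403s from one session are
        // a useful detection signal for someone probing admin URLs.
        servlet.log("access denied: " + mapping.getPath() + " user="
                + (user == null ? "anonymous" : user.getName()));
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return false;
    }

    /** Pure decision logic, kept container-free so it can be unit-tested. */
    static boolean isAllowed(AppUser user, String[] required, boolean adminPath) {
        if (required == null || required.length == 0) {
            // An /admin/ mapping with no roles attribute is a configuration
            // mistake; deny rather than silently expose it.
            return !adminPath;
        }
        for (String role : required) {
            if (user.hasRole(role)) {
                return true; // any one listed role suffices, as in Struts' own check
            }
        }
        return false;
    }
}
```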


Re: Best way to secure struts-webapps?

Posted by Thomas Hamacher <th...@qualiads.de>.
Laurie,

thanks for the input. I am aware of container managed security. But as far 
as I have read on the internet, there is no good solution for using container managed 
security together with Tiles. So if I wanna have a login box on every page 
that redirects dynamically to the same page after login, I will have some 
trouble with the container managed solution. Is this not true, or did I 
misunderstand anything? 

And another question about the filter-based solution, as Leon also recommended: 
Does this also work if I have different tiles for one page and some of them 
are secured and some aren't? E.g. I have a tile for an adminMenu, which is 
only loaded if I have a user with admin roles in the session, but which is 
part of a usual public Tiles page. This way the servlet filter will never 
find its pattern, will it? Is a simple <logic:present> tag combined 
with an entry "role" in the action mapping and a role security check in the 
RequestProcessor enough security to be sure only admins access these 
actions? Or is there a way to get around these security checks, which I 
should keep in mind?

Thank you very much

Thomas


On Tuesday, 29 August 2006 22:01, Laurie Harper wrote:
> You left container managed security off your list; that's the most
> 'standard' solution, but isn't necessarily the most portable since parts
> are container implementation defined. A filter is probably the most
> flexible alternative if container managed security isn't viable, but it
> really depends on your exact security requirements.
>
> This is a topic that's discussed a lot, both here on the Struts lists,
> and in other web development forums, so I'd recommend doing some reading
> to get a feel for the solutions others have used and their tradeoffs.
>
> L.
>

-- 
Kind regards

Thomas Hamacher

----------------------------- 
Thomas Hamacher
QualiGO GmbH
Bleicherstrasse 20
D-78467 Konstanz
Germany

fon:  +49-(0)7531-89207-0
fax:  +49-(0)7531-89207-13
mail: tha@qualigo.de
www:  www.qualigo.de



Re: Best way to secure struts-webapps?

Posted by Laurie Harper <la...@holoweb.net>.
You left container managed security off your list; that's the most 
'standard' solution, but isn't necessarily the most portable since parts 
are container implementation defined. A filter is probably the most 
flexible alternative if container managed security isn't viable, but it 
really depends on your exact security requirements.

This is a topic that's discussed a lot, both here on the Struts lists, 
and in other web development forums, so I'd recommend doing some reading 
to get a feel for the solutions others have used and their tradeoffs.

L.
