Posted to user@struts.apache.org by Greg Akins <an...@gmail.com> on 2010/12/27 14:17:42 UTC

Authorization/ Authentication

I'm just starting to research the appropriate Struts2 way to do
Authorization/Authentication.

Looks like a LoginInterceptor on the default stack is the way to go
(though I found a post at javaranch, by Dave Newton  -
http://www.coderanch.com/t/438760/Struts/Struts-Authentication-Authorization
- that confused me a bit).

I'm still Googling for some more information, but if anyone could
point me to a specific resource it would be greatly appreciated.

Thanks!

-- 
Greg Akins

http://insomnia-consulting.org
http://www.pghcodingdojo.org
http://pittjug.dev.java.net
http://twitter.com/akinsgre
http://www.linkedin.com/in/akinsgre

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: Authorization/ Authentication

Posted by Greg Akins <an...@gmail.com>.
On Mon, Dec 27, 2010 at 8:59 AM, Dave Newton <da...@gmail.com> wrote:
> (Let me clarify slightly.)
>

OK, I think I understand.  The Interceptor should check if the session
is authenticated, but should perform the Login.  That's what I would
have done, so maybe that's what confused me.

Thanks for clearing that up.

-- 
Greg Akins

http://insomnia-consulting.org
http://www.pghcodingdojo.org
http://pittjug.dev.java.net
http://twitter.com/akinsgre
http://www.linkedin.com/in/akinsgre



Re: Authorization/ Authentication

Posted by Dave Newton <da...@gmail.com>.
(Let me clarify slightly.)

On Mon, Dec 27, 2010 at 8:38 AM, Dave Newton <da...@gmail.com> wrote:

> Why/how did it confuse you? Login shouldn't be /performed/ by an
> interceptor, an interceptor should check if a user has logged in for a given
> resource and if not redirect to a login page.
>
> The /action/ of logging in should be performed by an action.
>
These conditions are satisfied by the code in question: but it's pretty
confusing, and as far as I'm concerned, mixing "action" and "interceptor"
functionality in the same class is questionable organization.

(And hopefully my comment about declaring action-specific interceptors
wasn't confusing; if you define only one for an action, it'll be the *only*
interceptor declared for that action. This means, more or less, that S2 will
cease to function, since most of the good stuff happens via interceptors.)

The underlying login mechanism itself, as pointed out in a previous
response, can be Spring Security (nee Acegi), or basically anything else, as
long as the interceptor can determine if a user has logged in, it doesn't
matter. (Or if login status can be checked in a different way outside of the
S2 framework.)

Dave
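To make the division of labour Dave describes concrete, here is an added example (not code from this thread or from the Struts project): an interceptor that only checks whether the session already holds an authenticated principal, and a separate action that performs the login and is the only writer of that session entry. The session key "authenticatedUser", the AuthService interface, the PublicAction marker, the message key and the struts.xml fragment are assumptions made for the example; the Struts 2 types used (AbstractInterceptor, ActionInvocation, ActionSupport, ServletActionContext, Action.LOGIN) are the real ones.

```java
// Added example, not code from this thread or the Struts project.
// Two classes shown together; in a project each public class is its own file.
package example.auth;

import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.struts2.ServletActionContext;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/** Marker for the few actions that must be reachable without a principal. */
interface PublicAction {}

/** Hypothetical credential verifier wrapping the legacy user store. */
interface AuthService {
    /** Returns the principal on success, null on bad credentials. */
    Object authenticate(String username, char[] password);
}

/**
 * Checks that the session already holds an authenticated principal. It never
 * performs a login: on a miss it short-circuits the chain with the "login"
 * result and the target action is not executed. Fails closed: only actions
 * implementing PublicAction run anonymously.
 */
public class AuthenticationInterceptor extends AbstractInterceptor {
    /** Session attribute written by LoginAction only (assumed name). */
    public static final String USER_KEY = "authenticatedUser";

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        if (invocation.getAction() instanceof PublicAction) {
            return invocation.invoke();
        }
        Map<String, Object> session = invocation.getInvocationContext().getSession();
        Object principal = (session == null) ? null : session.get(USER_KEY);
        if (principal == null) {
            return Action.LOGIN; // "login", mapped to a redirect in struts.xml below
        }
        return invocation.invoke();
    }
}

/** The only place a login is performed; PublicAction so it stays reachable. */
public class LoginAction extends ActionSupport implements PublicAction {
    private AuthService authService; // injected (assumes the Spring plugin)
    private String username;
    private String password;

    @Override
    public String execute() {
        char[] pw = (password == null) ? new char[0] : password.toCharArray();
        Object principal = authService.authenticate(username, pw);
        if (principal == null) {
            // One generic message: do not reveal which of the two fields was wrong.
            addActionError(getText("login.failed"));
            return INPUT;
        }
        // Session-fixation defence: drop the pre-login session so the
        // authenticated session carries a fresh id.
        HttpServletRequest request = ServletActionContext.getRequest();
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        request.getSession(true).setAttribute(AuthenticationInterceptor.USER_KEY, principal);
        return SUCCESS;
    }

    public void setAuthService(AuthService authService) { this.authService = authService; }
    public void setUsername(String username) { this.username = username; }
    public void setPassword(String password) { this.password = password; }
}

/* struts.xml fragment (assumed). The custom stack re-includes defaultStack:
   an action-level <interceptor-ref name="authn"/> on its own would replace
   the whole default stack, which is the pitfall Dave describes above.

<interceptors>
  <interceptor name="authn" class="example.auth.AuthenticationInterceptor"/>
  <interceptor-stack name="secureStack">
    <interceptor-ref name="authn"/>
    <interceptor-ref name="defaultStack"/>
  </interceptor-stack>
</interceptors>
<default-interceptor-ref name="secureStack"/>
<global-results>
  <result name="login" type="redirectAction">login</result>
</global-results>
<action name="login" class="example.auth.LoginAction">
  <result name="input">/WEB-INF/jsp/login.jsp</result>
  <result type="redirectAction">home</result>
</action>
*/
```

Because the interceptor is deny-by-default, forgetting to register an action does not silently expose it; the only opt-out is the explicit PublicAction marker. The login form is served over the "input" result, and the redirect after success (rather than a forward) keeps the submitted password out of the browser history and any reload.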

Re: Authorization/ Authentication

Posted by Dave Newton <da...@gmail.com>.
Why/how did it confuse you? Login shouldn't be /performed/ by an
interceptor, an interceptor should check if a user has logged in for a given
resource and if not redirect to a login page.

The /action/ of logging in should be performed by an action.

I guess I'm not sure what you're trying to figure out.

Dave
On Dec 27, 2010 7:18 AM, "Greg Akins" <an...@gmail.com> wrote:
> I'm just starting to research the appropriate Struts2 way to do
> Authorization/Authentication.
>
> Looks like a LoginInterceptor on the default stack is the way to go
> (though I found a post at javaranch, by Dave Newton -
>
http://www.coderanch.com/t/438760/Struts/Struts-Authentication-Authorization
> - that confused me a bit).
>
> I'm still Googling for some more information, but if anyone could
> point me to a specific resource it would be greatly appreciated.
>
> Thanks!
>
> --
> Greg Akins
>
> http://insomnia-consulting.org
> http://www.pghcodingdojo.org
> http://pittjug.dev.java.net
> http://twitter.com/akinsgre
> http://www.linkedin.com/in/akinsgre
>
>

Re: Authorization/ Authentication

Posted by Brian Thompson <el...@gmail.com>.
Personally, I'd lean towards having showSales.action always show a report
specific to the current user.

Then the manager wouldn't click on showSales.action.  She'd click on
showSalesSummary.action which would have a completely customized query.

-Brian



On Tue, Dec 28, 2010 at 3:25 PM, <st...@gmail.com> wrote:

> Dave is right in that there are truly a dozen ways to do this.  However,
> Struts does not have an out-of-the-box solution governing user/role level
> permissions.  Does your company have a user-based permissions system
> in
> house today where permissions are determined according to the user logged
> in?  You should be able to latch into it with a Struts 2 interceptor and do
> with the requests only what is authorized.  I worked in a shop that
> integrated a home-grown LDAP back end security system via a Struts 2
> interceptor where the specific URL was a feature that a user had to be
> specifically authorized to.  I thought it was crazy, however, if you want
> short employees to only access short reports while tall employees can run
> slightly longer reports, you sort of have to bite the bullet somewhere.
>
> Peace,
> Scott
>
> On Tue, Dec 28, 2010 at 11:49 AM, Amol Ghotankar <ghotankarua50@gmail.com
> >wrote:
>
> > I can elaborate on the requirement as follows,
> >
> > Assume a simple action which is authorized to be called by sales dept
> > people only, i.e. showSales.action
> >
> > When a user from purchase dept tries to call this action then, an
> > interceptor will check whether the user in role has the authorization to
> > access or not and deny access to purchase dept user to access this action.
> > This is simple.
> >
> > I have implemented this using before advice of Spring AOP rather than
> > an interceptor. I hope I am not wrong?
> >
> > But the bigger problem is
> >
> > By how much, I mean for e.g. if a *sales executive* logs in and clicks
> > showSales.action then he must get a view of his own sales list, but
> > when a *sales manager* logs in and calls the same action, i.e. showSales.action,
> > then he must get a bigger and wider list, which can be a union of data from
> > all sales executives.
> >
> > Here authorization of some kind must be implemented which intercepts DAOs
> > and automatically sets the "where clause" in the SQL query.
> >
> > I tried before advice of Spring for DAOs also but the problem is if the where
> > clause is set somewhere within business logic then a double where clause is
> > set which gives an error, and because I am using Hibernate Criteria to set
> > restrictions on queries I have noticed these Hibernate Criteria are
> > immutable (Is there any way to change them?)
> >
> >
> > What should be the best way to solve this problem? Any design pattern
> > or something in Struts that can help me here, or some other advice for it?
> >
> >
> >
> >
> > On Tue, Dec 28, 2010 at 10:01 PM, Dave Newton <da...@gmail.com>
> > wrote:
> >
> > > On Tue, Dec 28, 2010 at 11:10 AM, Amol Ghotankar <
> > ghotankarua50@gmail.com
> > > >wrote:
> > >
> > > > Even I am searching for some better way in which authentication can
> > > > be done using Struts 2 or Spring Security together.
> > > >
> > > > No direct or simple example to explain it working together.
> > > >
> > > > Especially for these two cases where
> > > >
> > > > 1. which user can access which action, is stored in database ->
> > > > authorization table
> > > > 2. which user can access how much data from a table in database, is
> > > > decided by authorization logic.
> > > >
> > > > How to implement this? Any example or references welcomed.
> > > >
> > > >
> > >
> > > There are essentially unlimited ways this can be implemented.
> > >
> > > It also depends what technology you want to use. I haven't used Spring
> > > Security for some time, so I won't be much help there, but I *do* know
> > it's
> > > incredibly granular and flexible, occasionally a bit too much so for my
> > > taste, but it can be made to look simple.
> > >
> > > "How much" data can be accessed has multiple meanings: do you mean
> > > *quantity* of data? I've never even considered trying to implement
> that.
> > > *Which* data would be handled the same way as everything else, however
> > it's
> > > being handled.
> > >
> > > When I've dealt with legacy authentication mechanisms I usually just do
> > > something like a filter/interceptor that checks the action for an
> > > annotation
> > > (or a known action method naming convention to map action method =>
> > access
> > > control). After the user logs in their user info is available in the
> > > session, and if they're allowed access the interceptor just moves
> along,
> > > and
> > > if they're not, they're redirected somewhere reasonable.
> > >
> > > For Spring Security stuff I would refer you to the Spring
> documentation,
> > > since it's not directly related to Struts 2.
> > >
> > > Dave
> > >
> >
> >
> >
> > --
> >
> >
> > With Best Regards,
> >
> > Amol Ghotankar
> > Cursive Technologies Pvt. Ltd.
> > www.cursivetech.com
> >
>
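For the second half of Amol's question (how much of the table a user sees), here is an added example, not code from this thread, that applies Brian's suggestion: the visibility scope is derived from the authenticated principal inside the DAO, so the same showSales.action serves an executive and a manager with different result sets, and exactly one place adds the restriction, which is what avoids a doubled WHERE clause. Hibernate's Criteria API is used because Amol mentions it; Criteria.add() appends a restriction to the existing Criteria object, so the DAO can add the scope after any caller-supplied narrowing filter. The Sale entity and its property names, the AppUser principal, the role names and the session key are assumptions.

```java
// Added example, not code from this thread. Shown together; each public type
// would be its own file in a project.
package example.sales;

import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.apache.struts2.interceptor.SessionAware;
import org.hibernate.Criteria;
import org.hibernate.Session;
import org.hibernate.criterion.Order;
import org.hibernate.criterion.Restrictions;

import com.opensymphony.xwork2.ActionSupport;

/** Assumed mapped entity; the property names are used in the Criteria below. */
public class Sale {
    private Long id;
    private Long salesRepId;   // owner of the row
    private String region;
    private Date closedOn;
    // getters and setters omitted for brevity
}

/** Assumed principal stored in the session at login. */
public final class AppUser {
    private final long id;
    private final Set<String> roles;
    private final Set<Long> directReportIds;  // executives reporting to this manager

    public AppUser(long id, Set<String> roles, Set<Long> directReportIds) {
        this.id = id; this.roles = roles; this.directReportIds = directReportIds;
    }
    public long getId() { return id; }
    public boolean hasRole(String r) { return roles.contains(r); }
    public Set<Long> getDirectReportIds() { return directReportIds; }
}

public class SalesDao {
    private final Session session;

    public SalesDao(Session session) { this.session = session; }

    /**
     * The one place that decides which rows a principal may see. Adding the
     * restriction here, not via AOP advice around the DAO, means a query is
     * never given a second, conflicting WHERE clause.
     */
    static Criteria scopeToUser(Criteria c, AppUser user) {
        if (user.hasRole("SALES_DIRECTOR")) {
            return c;  // whole department
        }
        if (user.hasRole("SALES_MANAGER")) {
            // Union of the manager's own rows and those of direct reports.
            Set<Long> visible = new HashSet<Long>(user.getDirectReportIds());
            visible.add(user.getId());  // never empty, so IN (...) is well-formed
            return c.add(Restrictions.in("salesRepId", visible));
        }
        return c.add(Restrictions.eq("salesRepId", user.getId()));  // own rows only
    }

    @SuppressWarnings("unchecked")
    public List<Sale> findVisibleSales(AppUser user, String region) {
        Criteria c = session.createCriteria(Sale.class);
        if (region != null && !region.isEmpty()) {
            c.add(Restrictions.eq("region", region));  // caller filter only ever narrows
        }
        return scopeToUser(c, user).addOrder(Order.desc("closedOn")).list();
    }
}

/** showSales.action: one URL for everyone; the result set differs by principal. */
public class ShowSalesAction extends ActionSupport implements SessionAware {
    private Map<String, Object> session;
    private SalesDao dao;       // injected (assumed)
    private String region;      // the only request-bound filter
    private List<Sale> sales;

    @Override
    public String execute() {
        // Authentication is already guaranteed by the interceptor stack.
        AppUser user = (AppUser) session.get("authenticatedUser");
        sales = dao.findVisibleSales(user, region);
        return SUCCESS;
    }

    // Deliberately no setSalesRepId(): the owner scope is not a request
    // parameter, so the params interceptor cannot be used to widen it.
    public void setRegion(String region) { this.region = region; }
    public void setSession(Map<String, Object> session) { this.session = session; }
    public void setDao(SalesDao dao) { this.dao = dao; }
    public List<Sale> getSales() { return sales; }
}
```

The design rule worth keeping from this is that anything which widens the result set (role, set of direct reports) comes from the server-side principal, and anything bound from the request can only narrow it. If a manager needs a genuinely different report, Brian's separate showSalesSummary.action with its own query is cleaner than overloading one action, but either way the scope belongs in the DAO, not in a URL parameter.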

Re: Authorization/ Authentication

Posted by st...@gmail.com.
Dave is right in that there are truly a dozen ways to do this.  However,
Struts does not have an out-of-the-box solution governing user/role level
permissions.  Does your company have a user-based permissions system in
house today where permissions are determined according to the user logged
in?  You should be able to latch into it with a Struts 2 interceptor and do
with the requests only what is authorized.  I worked in a shop that
integrated a home-grown LDAP back end security system via a Struts 2
interceptor where the specific URL was a feature that a user had to be
specifically authorized to.  I thought it was crazy, however, if you want
short employees to only access short reports while tall employees can run
slightly longer reports, you sort of have to bite the bullet somewhere.

Peace,
Scott

On Tue, Dec 28, 2010 at 11:49 AM, Amol Ghotankar <gh...@gmail.com> wrote:

> I can elaborate on the requirement as follows,
>
> Assume a simple action which is authorized to be called by sales dept
> people only, i.e. showSales.action
>
> When a user from purchase dept tries to call this action then, an
> interceptor will check whether the user in role has the authorization to
> access or not and deny access to purchase dept user to access this action.
> This is simple.
>
> I have implemented this using before advice of Spring AOP rather than
> an interceptor. I hope I am not wrong?
>
> But the bigger problem is
>
> By how much, I mean for e.g. if a *sales executive* logs in and clicks
> showSales.action then he must get a view of his own sales list, but
> when a *sales manager* logs in and calls the same action, i.e. showSales.action,
> then he must get a bigger and wider list, which can be a union of data from
> all sales executives.
>
> Here authorization of some kind must be implemented which intercepts DAOs
> and automatically sets the "where clause" in the SQL query.
>
> I tried before advice of Spring for DAOs also but the problem is if the where
> clause is set somewhere within business logic then a double where clause is
> set which gives an error, and because I am using Hibernate Criteria to set
> restrictions on queries I have noticed these Hibernate Criteria are
> immutable (Is there any way to change them?)
>
>
> What should be the best way to solve this problem? Any design pattern
> or something in Struts that can help me here, or some other advice for it?
>
>
>
>
> On Tue, Dec 28, 2010 at 10:01 PM, Dave Newton <da...@gmail.com>
> wrote:
>
> > On Tue, Dec 28, 2010 at 11:10 AM, Amol Ghotankar <
> ghotankarua50@gmail.com
> > >wrote:
> >
> > > Even I am searching for some better way in which authentication can be
> > > done using Struts 2 or Spring Security together.
> > >
> > > No direct or simple example to explain it working together.
> > >
> > > Especially for these two cases where
> > >
> > > 1. which user can access which action, is stored in database ->
> > > authorization table
> > > 2. which user can access how much data from a table in database, is
> > > decided by authorization logic.
> > >
> > > How to implement this? Any example or references welcomed.
> > >
> > >
> >
> > There are essentially unlimited ways this can be implemented.
> >
> > It also depends what technology you want to use. I haven't used Spring
> > Security for some time, so I won't be much help there, but I *do* know
> it's
> > incredibly granular and flexible, occasionally a bit too much so for my
> > taste, but it can be made to look simple.
> >
> > "How much" data can be accessed has multiple meanings: do you mean
> > *quantity* of data? I've never even considered trying to implement that.
> > *Which* data would be handled the same way as everything else, however
> it's
> > being handled.
> >
> > When I've dealt with legacy authentication mechanisms I usually just do
> > something like a filter/interceptor that checks the action for an
> > annotation
> > (or a known action method naming convention to map action method =>
> access
> > control). After the user logs in their user info is available in the
> > session, and if they're allowed access the interceptor just moves along,
> > and
> > if they're not, they're redirected somewhere reasonable.
> >
> > For Spring Security stuff I would refer you to the Spring documentation,
> > since it's not directly related to Struts 2.
> >
> > Dave
> >
>
>
>
> --
>
>
> With Best Regards,
>
> Amol Ghotankar
> Cursive Technologies Pvt. Ltd.
> www.cursivetech.com
>

Re: Authorization/ Authentication

Posted by Amol Ghotankar <gh...@gmail.com>.
I can elaborate on the requirement as follows,

Assume a simple action which is authorized to be called by sales dept people
only, i.e. showSales.action

When a user from purchase dept tries to call this action then, an
interceptor will check whether the user in role has the authorization to
access or not and deny access to purchase dept user to access this action.
This is simple.

I have implemented this using before advice of Spring AOP rather than an
interceptor. I hope I am not wrong?

But the bigger problem is

By how much, I mean for e.g. if a *sales executive* logs in and clicks
showSales.action then he must get a view of his own sales list, but
when a *sales manager* logs in and calls the same action, i.e. showSales.action,
then he must get a bigger and wider list, which can be a union of data from
all sales executives.

Here authorization of some kind must be implemented which intercepts DAOs
and automatically sets the "where clause" in the SQL query.

I tried before advice of Spring for DAOs also but the problem is if the where
clause is set somewhere within business logic then a double where clause is
set which gives an error, and because I am using Hibernate Criteria to set
restrictions on queries I have noticed these Hibernate Criteria are
immutable (Is there any way to change them?)


What should be the best way to solve this problem? Any design pattern
or something in Struts that can help me here, or some other advice for it?




On Tue, Dec 28, 2010 at 10:01 PM, Dave Newton <da...@gmail.com> wrote:

> On Tue, Dec 28, 2010 at 11:10 AM, Amol Ghotankar <ghotankarua50@gmail.com
> >wrote:
>
> > Even I am searching for some better way in which authentication can be
> > done using Struts 2 or Spring Security together.
> >
> > No direct or simple example to explain it working together.
> >
> > Especially for these two cases where
> >
> > 1. which user can access which action, is stored in database ->
> > authorization table
> > 2. which user can access how much data from a table in database, is
> > decided by authorization logic.
> >
> > How to implement this? Any example or references welcomed.
> >
> >
>
> There are essentially unlimited ways this can be implemented.
>
> It also depends what technology you want to use. I haven't used Spring
> Security for some time, so I won't be much help there, but I *do* know it's
> incredibly granular and flexible, occasionally a bit too much so for my
> taste, but it can be made to look simple.
>
> "How much" data can be accessed has multiple meanings: do you mean
> *quantity* of data? I've never even considered trying to implement that.
> *Which* data would be handled the same way as everything else, however it's
> being handled.
>
> When I've dealt with legacy authentication mechanisms I usually just do
> something like a filter/interceptor that checks the action for an
> annotation
> (or a known action method naming convention to map action method => access
> control). After the user logs in their user info is available in the
> session, and if they're allowed access the interceptor just moves along,
> and
> if they're not, they're redirected somewhere reasonable.
>
> For Spring Security stuff I would refer you to the Spring documentation,
> since it's not directly related to Struts 2.
>
> Dave
>



-- 


With Best Regards,

Amol Ghotankar
Cursive Technologies Pvt. Ltd.
www.cursivetech.com

Re: Authorization/ Authentication

Posted by Dave Newton <da...@gmail.com>.
On Tue, Dec 28, 2010 at 11:10 AM, Amol Ghotankar <gh...@gmail.com> wrote:

> Even I am searching for some better way in which authentication can be done
> using Struts 2 or Spring Security together.
>
> No direct or simple example to explain it working together.
>
> Especially for these two cases where
>
> 1. which user can access which action, is stored in database ->
> authorization table
> 2. which user can access how much data from a table in database, is
> decided by authorization logic.
>
> How to implement this? Any example or references welcomed.
>
>

There are essentially unlimited ways this can be implemented.

It also depends what technology you want to use. I haven't used Spring
Security for some time, so I won't be much help there, but I *do* know it's
incredibly granular and flexible, occasionally a bit too much so for my
taste, but it can be made to look simple.

"How much" data can be accessed has multiple meanings: do you mean
*quantity* of data? I've never even considered trying to implement that.
*Which* data would be handled the same way as everything else, however it's
being handled.

When I've dealt with legacy authentication mechanisms I usually just do
something like a filter/interceptor that checks the action for an annotation
(or a known action method naming convention to map action method => access
control). After the user logs in their user info is available in the
session, and if they're allowed access the interceptor just moves along, and
if they're not, they're redirected somewhere reasonable.

For Spring Security stuff I would refer you to the Spring documentation,
since it's not directly related to Struts 2.

Dave
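The annotation approach Dave sketches, as an added example (not code from this thread or from the Struts project). A RequiresRole annotation on the action method, falling back to the class, names the roles allowed to run it; the interceptor reads it through ActionProxy.getMethod() and reflection, compares it with the roles of the principal already in the session, and fails closed when an action carries no annotation at all. The annotation, the AppUser type, the session key and the "unauthorized" result name are assumptions; where the roles come from (an LDAP group, or the authorization table Amol describes) is decided by whatever builds the AppUser at login.

```java
// Added example, not code from this thread. Shown together; in a project each
// public type lives in its own file.
package example.authz;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/** Declares which roles may execute an action class or one of its methods. */
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
public @interface RequiresRole {
    String[] value();
}

/** Assumed principal object placed in the session by the login action. */
public final class AppUser {
    private final String name;
    private final Set<String> roles;

    public AppUser(String name, Set<String> roles) {
        this.name = name;
        this.roles = Collections.unmodifiableSet(new HashSet<String>(roles));
    }
    public String getName() { return name; }
    public boolean hasAnyRole(String[] wanted) {
        for (String r : wanted) {
            if (roles.contains(r)) return true;
        }
        return false;
    }
}

public class RoleInterceptor extends AbstractInterceptor {
    public static final String USER_KEY = "authenticatedUser"; // assumed, set at login
    public static final String UNAUTHORIZED = "unauthorized";  // result name (assumed)

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        Object action = invocation.getAction();
        // Check the method that will actually be dispatched, not the URL:
        // with dynamic method invocation they need not be the same thing.
        String methodName = invocation.getProxy().getMethod();
        if (methodName == null || methodName.isEmpty()) {
            methodName = "execute";
        }
        RequiresRole rule = findRule(action.getClass(), methodName);
        if (rule == null) {
            // Fail closed: an action nobody remembered to annotate is not open to all.
            return UNAUTHORIZED;
        }
        Map<String, Object> session = invocation.getInvocationContext().getSession();
        Object principal = (session == null) ? null : session.get(USER_KEY);
        if (!(principal instanceof AppUser) || !((AppUser) principal).hasAnyRole(rule.value())) {
            return UNAUTHORIZED;
        }
        return invocation.invoke();
    }

    /** Method-level annotation wins; otherwise the class-level one; null if neither. */
    static RequiresRole findRule(Class<?> actionClass, String methodName) {
        try {
            Method m = actionClass.getMethod(methodName);
            RequiresRole onMethod = m.getAnnotation(RequiresRole.class);
            if (onMethod != null) return onMethod;
        } catch (NoSuchMethodException ignored) {
            // No public no-arg method of that name: fall through to the class rule.
        }
        return actionClass.getAnnotation(RequiresRole.class);
    }
}

/* Usage (assumed):

@RequiresRole("SALES")
public class ShowSalesAction extends ActionSupport {
    public String execute() { ... }                     // anyone in SALES
    @RequiresRole("SALES_MANAGER")
    public String summary() { ... }                     // managers only
}
*/
```

Two caveats when wiring this up. The interceptor must sit after the authentication check in the stack and, like that check, be part of a stack that still includes defaultStack. And if actions are obtained through the Spring plugin with proxying enabled, action.getClass() may be a generated subclass; resolve the target class before reading annotations, otherwise method-level rules are silently missed and the fail-closed default denies everything.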

Re: Authorization/ Authentication

Posted by Wendy Smoak <ws...@gmail.com>.
On Tue, Dec 28, 2010 at 11:10 AM, Amol Ghotankar
<gh...@gmail.com> wrote:

> Even I am searching for some better way in which authentication can be done
> using Struts 2 or Spring Security together.

You might want to look at Codehaus Redback.  Even if you end up not
using it, you might find some ideas there.

(Redback is the role based access control layer used in Apache
Continuum (which is a Struts 2 app.)  There is a webapp overlay which
gives you user creation, log in/out and the ability to set up which
role can do what in your app.)

-- 
Wendy



Re: Authorization/ Authentication

Posted by Amol Ghotankar <gh...@gmail.com>.
Hello,

Even I am searching for some better way in which authentication can be done
using Struts 2 or Spring Security together.

No direct or simple example to explain it working together.

Especially for these two cases where

1. which user can access which action, is stored in database ->
authorization table
2. which user can access how much data from a table in database, is decided
by authorization logic.

How to implement this? Any example or references welcomed.




On Mon, Dec 27, 2010 at 7:49 PM, Greg Akins <an...@gmail.com> wrote:

> On Mon, Dec 27, 2010 at 8:36 AM, Jordi Fernandez
> <jo...@esilog.com> wrote:
> > Have you considered Spring Security?
> > http://static.springsource.org/spring-security/site/
>
> No. I'll have to read a bit more, but my first guess is that I'd have
> to do some refactoring of some legacy code (I need to use the same
> underlying data/logic to perform AA in another sibling application).
>
> Basically I was wondering what was "built-in" to struts to handle this
> and find out if I can adapt that to my current app
>
> I think all I need to do is write a LoginInterceptor to check for a
> login, and redirect to the login page if the user isn't authenticated.
>  The security for this application is binary so I don't need anything
> additional for Authorization.
>
> Thanks for pointing it out though. I'll definitely do some research into
> that.
>
> --
> Greg Akins
>
> http://insomnia-consulting.org
> http://www.pghcodingdojo.org
> http://pittjug.dev.java.net
> http://twitter.com/akinsgre
> http://www.linkedin.com/in/akinsgre
>
>
>


-- 


With Best Regards,

Amol Ghotankar
Cursive Technologies Pvt. Ltd.
www.cursivetech.com

Re: Authorization/ Authentication

Posted by Greg Akins <an...@gmail.com>.
On Mon, Dec 27, 2010 at 8:36 AM, Jordi Fernandez
<jo...@esilog.com> wrote:
> Have you considered Spring Security?
> http://static.springsource.org/spring-security/site/

No. I'll have to read a bit more, but my first guess is that I'd have
to do some refactoring of some legacy code (I need to use the same
underlying data/logic to perform AA in another sibling application).

Basically I was wondering what was "built-in" to struts to handle this
and find out if I can adapt that to my current app

I think all I need to do is write a LoginInterceptor to check for a
login, and redirect to the login page if the user isn't authenticated.
The security for this application is binary so I don't need anything
additional for Authorization.

Thanks for pointing it out though. I'll definitely do some research into that.

-- 
Greg Akins

http://insomnia-consulting.org
http://www.pghcodingdojo.org
http://pittjug.dev.java.net
http://twitter.com/akinsgre
http://www.linkedin.com/in/akinsgre



Re: Authorization/ Authentication

Posted by Jordi Fernandez <jo...@esilog.com>.
Have you considered Spring Security? 
http://static.springsource.org/spring-security/site/

On 27/12/2010 14:17, Greg Akins wrote:
> I'm just starting to research the appropriate Struts2 way to do
> Authorization/Authentication.
>
> Looks like a LoginInterceptor on the default stack is the way to go
> (though I found a post at javaranch, by Dave Newton  -
> http://www.coderanch.com/t/438760/Struts/Struts-Authentication-Authorization
> - that confused me a bit).
>
> I'm still Googling for some more information, but if anyone could
> point me to a specific resource it would be greatly appreciated.
>
> Thanks!
>
