Posted to user@struts.apache.org by Michael Lee <ml...@hotmail.com> on 2002/08/26 18:21:12 UTC

j_security_check, jaas and weblogic 6.1

I have to do security for the company I am at. I have never used
j_security_check, jaas or weblogic 6.1 RDBMS (we have a database for
authentication/authorization). I read all through the examples on
j_security_check, jaas and WLS RDBMS out there I could get my hands on.
There seems to be no good real world examples of how to tie all these
together. The reason I'm having an issue is struts is the middle man, the
controller so he is key to it all. I know I configure j_security_check in my
web.xml to point to use form authentication, I know all about deployment
descriptor configuration for ejb, war, etc. This is not the problem. I don't
see how JAAS fits into j_security_check? I also don't see how struts fits
into it either? Do I need to also add a login.do? I need to get the locale
for the user from the database and figured I would do this at the login.
JAAS wants LoginContext.login(), most j2ee say j_security_check and struts
examples have login.do (this is the way I've typically done it).
Help! I can't find any real world examples to tie all these together!
thanks!
Mike Lee

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: j_security_check, jaas and weblogic 6.1

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Mon, 26 Aug 2002, Michael Lee wrote:

> Date: Mon, 26 Aug 2002 14:29:44 -0400
> From: Michael Lee <ml...@hotmail.com>
> Reply-To: Struts Users Mailing List <st...@jakarta.apache.org>
> To: Struts Users Mailing List <st...@jakarta.apache.org>
> Subject: Re: j_security_check, jaas and weblogic 6.1
>
> Thank you! You are the ONLY place I've heard this!  Now everything seems to
> make more sense.
>
> I was just going to use j_security_check hooked into Weblogic RDBMS and put
> the user in the session for authentication from there on in (JNDI security
> to EJB). So this looks like the right path?
>

If BEA did things correctly, you shouldn't have to do anything special
about saving the user in the session for EJB authentication -- the same
user identity should be carried over automatically.

> No offense, but is this right? BEA recommends you use JAAS all over the
> place. I'm mainly going to use ACL in the deployment descriptors for my web
> app and ejbs. I also noticed that almost all JAAS implementations were at
> the java client layer. Few were servlets, etc. This would make sense with
> what you're saying because no container would exist at a pure java client
> layer (such as with the JAAS RMI example that comes with weblogic).
>

JAAS is what I'd use if I was writing the back end of WebLogic's servlet
container.  But web applications that run inside the container should not
have to know anything about it.  As you note, client apps don't have that
kind of container support, so a "roll your own" solution based on JAAS
makes more sense there.

> BTW, EXCELLENT job with struts Craig and team. I have 2 systems IN
> PRODUCTION! using struts. They wrote one at the job I'm at and I recommended
> struts to replace it. We are now going full steam ahead with struts!
> thanks,
> Mike Lee
>

Craig




Re: j_security_check, jaas and weblogic 6.1

Posted by Michael Lee <ml...@hotmail.com>.
Thank you! You are the ONLY place I've heard this!  Now everything seems to
make more sense.

I was just going to use j_security_check hooked into Weblogic RDBMS and put
the user in the session for authentication from there on in (JNDI security
to EJB). So this looks like the right path?

No offense, but is this right? BEA recommends you use JAAS all over the
place. I'm mainly going to use ACL in the deployment descriptors for my web
app and ejbs. I also noticed that almost all JAAS implementations were at
the java client layer. Few were servlets, etc. This would make sense with
what you're saying because no container would exist at a pure java client
layer (such as with the JAAS RMI example that comes with weblogic).

BTW, EXCELLENT job with struts Craig and team. I have 2 systems IN
PRODUCTION! using struts. They wrote one at the job I'm at and I recommended
struts to replace it. We are now going full steam ahead with struts!
thanks,
Mike Lee


----- Original Message -----
From: "Craig R. McClanahan" <cr...@apache.org>
To: "Struts Users Mailing List" <st...@jakarta.apache.org>
Sent: Monday, August 26, 2002 12:52 PM
Subject: Re: j_security_check, jaas and weblogic 6.1


> JAAS is not relevant if you're using container-managed security.  You'll
> need to set up users in whatever user database your container (WebLogic in
> your case) provides.  Struts also has nothing to do with this -- although
> you can use role information with tags like <logic:present> or the "roles"
> attribute on an <action> if you want to.
>
> JAAS would only be relevant if you wanted to do application-managed
> security instead, or if you were implementing the container itself.
>
> Craig
>
>
> On Mon, 26 Aug 2002, Michael Lee wrote:
>
> > Date: Mon, 26 Aug 2002 12:21:12 -0400
> > From: Michael Lee <ml...@hotmail.com>
> > Reply-To: Struts Users Mailing List <st...@jakarta.apache.org>
> > To: Struts Users Mailing List <st...@jakarta.apache.org>
> > Subject: j_security_check, jaas and weblogic 6.1
> >
> > I have to do security for the company I am at. I have never used
> > j_security_check, jaas or weblogic 6.1 RDBMS (we have a database for
> > authentication/authorization). I read all through the examples on
> > j_security_check, jaas and WLS RDBMS out there I could get my hands on.
> > There seems to be no good real world examples of how to tie all these
> > together. The reason I'm having an issue is struts is the middle man, the
> > controller so he is key to it all. I know I configure j_security_check in my
> > web.xml to point to use form authentication, I know all about deployment
> > descriptor configuration for ejb, war, etc. This is not the problem. I don't
> > see how JAAS fits into j_security_check? I also don't see how struts fits
> > into it either? Do I need to also add a login.do? I need to get the locale
> > for the user from the database and figured I would do this at the login.
> > JAAS wants LoginContext.login(), most j2ee say j_security_check and struts
> > examples have login.do (this is the way I've typically done it).
> > Help! I can't find any real world examples to tie all these together!
> > thanks!
> > Mike Lee
> >



Re: j_security_check, jaas and weblogic 6.1

Posted by "Craig R. McClanahan" <cr...@apache.org>.
JAAS is not relevant if you're using container-managed security.  You'll
need to set up users in whatever user database your container (WebLogic in
your case) provides.  Struts also has nothing to do with this -- although
you can use role information with tags like <logic:present> or the "roles"
attribute on an <action> if you want to.

JAAS would only be relevant if you wanted to do application-managed
security instead, or if you were implementing the container itself.

Craig


On Mon, 26 Aug 2002, Michael Lee wrote:

> Date: Mon, 26 Aug 2002 12:21:12 -0400
> From: Michael Lee <ml...@hotmail.com>
> Reply-To: Struts Users Mailing List <st...@jakarta.apache.org>
> To: Struts Users Mailing List <st...@jakarta.apache.org>
> Subject: j_security_check, jaas and weblogic 6.1
>
> I have to do security for the company I am at. I have never used
> j_security_check, jaas or weblogic 6.1 RDBMS (we have a database for
> authentication/authorization). I read all through the examples on
> j_security_check, jaas and WLS RDBMS out there I could get my hands on.
> There seems to be no good real world examples of how to tie all these
> together. The reason I'm having an issue is struts is the middle man, the
> controller so he is key to it all. I know I configure j_security_check in my
> web.xml to point to use form authentication, I know all about deployment
> descriptor configuration for ejb, war, etc. This is not the problem. I don't
> see how JAAS fits into j_security_check? I also don't see how struts fits
> into it either? Do I need to also add a login.do? I need to get the locale
> for the user from the database and figured I would do this at the login.
> JAAS wants LoginContext.login(), most j2ee say j_security_check and struts
> examples have login.do (this is the way I've typically done it).
> Help! I can't find any real world examples to tie all these together!
> thanks!
> Mike Lee
>
>
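
The container-managed setup described in the reply above, as an added configuration example that is not part of the original thread: a web.xml fragment that lets the container handle the j_security_check login, followed by a Struts action restricted with the "roles" attribute. The role names, page names, action path and class name are assumptions chosen for illustration.

```xml
<!-- web.xml (Servlet 2.3) fragment: the container, not Struts, authenticates. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Struts actions</web-resource-name>
    <!-- No http-method listed, so the constraint covers every method. -->
    <url-pattern>*.do</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Assumed role names; they must exist in the container's user store. -->
    <role-name>appuser</role-name>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <!-- Assumed page names. login.jsp is a plain HTML form, not a Struts
         action: method="POST", action="j_security_check", with fields
         j_username and j_password. The container processes that POST,
         so no login.do is involved. -->
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>appuser</role-name>
</security-role>
<security-role>
  <role-name>admin</role-name>
</security-role>

<!-- struts-config.xml fragment: optional per-action check on top of the
     URL constraint. Path and class name are hypothetical. -->
<action path="/admin/editUser"
        type="com.example.EditUserAction"
        roles="admin"/>
```

Once the container has authenticated the request, any action can read the established identity through the standard servlet calls request.getRemoteUser() and request.isUserInRole().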

