Posted to user@struts.apache.org by Fisher Trent <ol...@yahoo.com> on 2003/05/28 02:42:38 UTC

programmatic security w/o JAAS?

This seems like a possibility to me, but let me
elaborate.

95% of the security for my application will be
utilizing the concept of Role properties on
ActionMapping objects to limit access to the protected
resource. (this would be declarative if I'm not
mistaken).

The other 5% of my security involves showing/hiding
links on certain pages based on the user's role (ex:
only show the link to the Admin menu if the user has
the Administrator role).  That task I would assume
would be accomplished using the code:

<logic:present role="Admin">
    ... show links only an Admin should see ...
</logic:present>

My question is, if I want to perform minimal
programmatic checks such as above, what is the
generally accepted token that the logic should check
in session?  If the login ActionForm is placed into
session as the "User Object", then that wouldn't
necessarily contain a "Role" attribute and that would
have to be somewhere else?

Thanks in advance


---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org


Re: programmatic security w/o JAAS?

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Tue, 27 May 2003, Fisher Trent wrote:

> Date: Tue, 27 May 2003 17:42:38 -0700 (PDT)
> From: Fisher Trent <ol...@yahoo.com>
> Reply-To: Struts Users Mailing List <st...@jakarta.apache.org>
> To: struts-user@jakarta.apache.org
> Subject: programmatic security w/o JAAS?
>
> This seems like a possibility to me, but let me
> elaborate.
>
> 95% of the security for my application will be
> utilizing the concept of Role properties on
> ActionMapping objects to limit access to the protected
> resource. (this would be declarative if I'm not
> mistaken).
>

I would call that declarative ... but I'd say the same thing about
<security-constraint> elements in web.xml ...

> The other 5% of my security involves showing/hiding
> links on certain pages based on the user's role (ex:
> only show the link to the Admin menu if the user has
> the Administrator role).  That task I would assume
> would be accomplished using the code:
>
> <logic:present role="Admin">
>     ... show links only an Admin should see ...
> </logic:present>
>
> My question is, if I want to perform minimal
> programmatic checks such as above, what is the
> generally accepted token that the logic should check
> in session?  If the login ActionForm is placed into
> session as the "User Object", then that wouldn't
> necessarily contain a "Role" attribute and that would
> have to be somewhere else?
>

If you are using container managed security, there is no such thing as a
standard "user object".  The only thing you've got to work with are the
calls request.getRemoteUser(), request.getUserPrincipal(), and
request.isUserInRole().  The last one is what the <logic:present
role="..."/> tag uses.

Even if there was such an object, of course, you'd still have to check a
particular property on it, so it'd be just as much code in your pages to
check some property of some specific user object.  Is something like this:

  <logic:equals name="userObject" property="role" value="Admin">
    ... show links only an Admin should see ...
  </logic:equals>

really any less code than the <logic:present> test you showed above?

> Thanks in advance
>

Craig
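Worked example for the exchange above (added here; it is not Struts code and not either poster's): a small helper that makes the role decision exactly the way the `<logic:present role="...">` tag and `ActionMapping` roles do, by delegating to the container's `request.isUserInRole()` rather than to a property on a session "user object". The `Predicate<String>` stands in for `request::isUserInRole` so the class can run without a servlet container; the comma-delimited "any of these roles" semantics mirror the Struts 1.1 tag and the `HttpServletRequest` overload assumes the servlet API jar is on the classpath. Two fail-closed cases are handled that the tag snippet does not show: an unauthenticated request (`getRemoteUser()` is null) and an empty role list both evaluate to false.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.function.Predicate;

/**
 * Role checks against the container's view of the user, the way
 * <logic:present role="..."> and ActionMapping roles work: every decision
 * is delegated to HttpServletRequest.isUserInRole(). Added example, not
 * Struts code. The Predicate stands in for request::isUserInRole so the
 * class runs stand-alone (assumption: Java 8+).
 */
public final class ContainerRoleCheck {

    private ContainerRoleCheck() {}

    /** Parse a comma-delimited role attribute such as "Admin, Auditor". */
    static List<String> parseRoles(String roleAttr) {
        List<String> out = new ArrayList<>();
        if (roleAttr == null) {
            return out;
        }
        for (String r : roleAttr.split(",")) {
            String t = r.trim();
            if (!t.isEmpty()) {
                out.add(t);
            }
        }
        return out;
    }

    /**
     * True if the authenticated user holds ANY of the listed roles.
     * An unauthenticated request (remoteUser == null) never matches, and an
     * empty role list never matches, so a misconfigured tag fails closed.
     */
    public static boolean inAnyRole(String remoteUser,
                                    Predicate<String> isUserInRole,
                                    String roleAttr) {
        if (remoteUser == null) {
            return false;
        }
        for (String role : parseRoles(roleAttr)) {
            if (isUserInRole.test(role)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Adapter for a real Action or JSP: the same check wired to the
     * container's calls (assumes the servlet API on the classpath).
     */
    public static boolean inAnyRole(javax.servlet.http.HttpServletRequest request,
                                    String roleAttr) {
        return inAnyRole(request.getRemoteUser(), request::isUserInRole, roleAttr);
    }

    public static void main(String[] args) {
        // Constructed stand-in for the container's role mapping for one user.
        Set<String> rolesOfAlice = new HashSet<>(Arrays.asList("User", "Admin"));
        Predicate<String> aliceInRole = rolesOfAlice::contains;

        String[] roleAttrs = { "Admin", "Auditor, Admin", "Auditor", "" };
        for (String attr : roleAttrs) {
            System.out.println("alice, role=\"" + attr + "\": "
                    + inAnyRole("alice", aliceInRole, attr));
        }
        // Anonymous request: never shown the Admin links.
        System.out.println("anonymous, role=\"Admin\": "
                + inAnyRole(null, aliceInRole, "Admin"));
    }
}
```

The link-hiding in the JSP is presentation only; what actually protects the resource is the `roles` attribute on the `ActionMapping` (or a `<security-constraint>` in web.xml), and both of those are answered by the container through the same `isUserInRole()` call, so keeping the page logic on that call means the two never disagree about who is an Admin.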
