You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@struts.apache.org by Martin Naskovski <mn...@san.rr.com> on 2003/06/07 01:57:08 UTC
tag - how to specify permissions (on top of roles)?
Hi all - I have the following issue w/Struts' (or maybe even the Servlet
API) role-based security model.
If I had something like this in a JSP:
<logic:present roles="user, admin">
show an input field to change your password
</logic>
how can I - within the current confines of Struts (1.1) and the Servlet API
(2.3), instead of hardcoding the roles in the JSP (user, admin) where a
password change field (or some other common function across a set of roles)
is presented, do something like the following:
<logic:present permission="changePassword">
show an input field to change your password
</logic:present>
I know the "permission" attribute currently does not exist, however, IMHO,
this (permissions based on roles) is a very valid concept. So, instead of
defining a "changePassword" _role_, I would have a 'changePassword'
permission, which would be shared among a number of roles. Clearly, being
an admin or a user is a _role_ whereas changing a password is a permission
(or a functionality or a function...)
I don't see anything of this nature that would facilitate this in Struts,
or Resin, which is what we are using to do our development... So I'm
wondering, has someone else encountered a this issue and how did they
resolve it?
Does JAAS alleviate some of this? Does it apply to Resin 2.1.x somehow?
Thank you.
Martin
---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org
Re: tag - how to specify permissions (on top of roles)?
Posted by Mick Knutson <mi...@hotmail.com>.
I have actually been trying this to show or hide certain buttons. But I keep
getting an error
[ServletException in:/WEB-INF/default/body/medical/medicalHistory.view.jsp]
/WEB-INF/default/body/medical/allergies.view.jsp(140,4) Attribute roles
invalid according to the specified TLD'
org.apache.jasper.compiler.CompileException:
/WEB-INF/default/body/medical/allergies.view.jsp(140,4) Attribute roles
invalid according to the specified TLD at
org.apache.jasper.compiler.TagBeginGenerator.validate............
Can someone please help me to get a functionality like this:
<logic:present roles="gold, platinum">
<html:submit property="action" styleClass="form_button">
<bean:message key="button.edit"/>
</html:submit>
</logic:present>
---
Thanks
Mick Knutson
The world is a playground...Play Hard, Play Smart.
Visit http://www.YourSoS.com to learn how our "Personal Emergency Alert &
Contact System" can help you Play Smart.
+00 1 (708) 570-2772 Fax
MSN: mickknutson
ICQ: 316498480
ICQ URL: http://wwp.icq.com/316498480
---
----- Original Message -----
From: "Craig R. McClanahan" <cr...@apache.org>
To: "Struts Users Mailing List" <st...@jakarta.apache.org>; "Martin
Naskovski" <mn...@san.rr.com>
Sent: Friday, June 06, 2003 10:28 PM
Subject: Re: <logic:present roles="..."> tag - how to specify permissions
(on top of roles)?
> On Fri, 6 Jun 2003, Martin Naskovski wrote:
>
> > Date: Fri, 6 Jun 2003 16:57:08 -0700
> > From: Martin Naskovski <mn...@san.rr.com>
> > Reply-To: Struts Users Mailing List <st...@jakarta.apache.org>,
> > Martin Naskovski <mn...@san.rr.com>
> > To: struts-user@jakarta.apache.org
> > Subject: <logic:present roles="..."> tag - how to specify permissions
(on
> > top of roles)?
> >
> > Hi all - I have the following issue w/Struts' (or maybe even the Servlet
> > API) role-based security model.
> >
> > If I had something like this in a JSP:
> >
> > <logic:present roles="user, admin">
> > show an input field to change your password
> > </logic>
> >
> > how can I - within the current confines of Struts (1.1) and the Servlet
API
> > (2.3), instead of hardcoding the roles in the JSP (user, admin) where a
> > password change field (or some other common function across a set of
roles)
> > is presented, do something like the following:
> >
> > <logic:present permission="changePassword">
> > show an input field to change your password
> > </logic:present>
> >
> > I know the "permission" attribute currently does not exist, however,
IMHO,
> > this (permissions based on roles) is a very valid concept. So, instead
of
> > defining a "changePassword" _role_, I would have a 'changePassword'
> > permission, which would be shared among a number of roles. Clearly,
being
> > an admin or a user is a _role_ whereas changing a password is a
permission
> > (or a functionality or a function...)
> >
> > I don't see anything of this nature that would facilitate this in
Struts,
> > or Resin, which is what we are using to do our development... So I'm
> > wondering, has someone else encountered a this issue and how did they
> > resolve it?
> >
> > Does JAAS alleviate some of this? Does it apply to Resin 2.1.x somehow?
> >
>
> JAAS doesn't have anything to do with this -- however, there is a
> little-known feature of container-managed authorization that should help
> you out in at least *some* of these use cases -- role links.
>
> The basic idea is that an application "hard codes" it's own notion of what
> role identifiers mean; but it turns out that the server you are deploying
> onto has a different meaining for those things. To solve this, you can
> tweak the web.xml file with an element like this, inside the <servlet>
> element for ActionServlet:
>
> <servlet>
> <servlet-name>Struts Controller Servlet</servlet-name>
> <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
> ...
> <security-role-ref>
> <role-name>foo</role-name>
> <role-link>bar</role-link>
> </security-role-ref>
> </servlet>
>
> What this means, essentially, is that "if the Struts Controller Servlet
> asks if a user has role "foo", the container should really check for role
> "bar" instead. Using this, adapting the differences between how an
> application is coded and how the security infrastructure is really set up
> is not a problem.
>
> Note that security roles are defined on a per-servlet basis, so the above
> setting covers any checks of roles by the Struts Controller Servlet
> itself (and that means it covers checking the "role" attribute of <action>
> elements). If you want to use things like <logic:present role="foo"> in
> your JSP pages, you'll need to define individual <servlet> elements for
> them as well.
>
>
> > Thank you.
> > Martin
>
> Craig
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: struts-user-help@jakarta.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org
Re: tag - how to specify permissions
(on top of roles)?
Posted by "Craig R. McClanahan" <cr...@apache.org>.
On Fri, 6 Jun 2003, Martin Naskovski wrote:
> Date: Fri, 6 Jun 2003 16:57:08 -0700
> From: Martin Naskovski <mn...@san.rr.com>
> Reply-To: Struts Users Mailing List <st...@jakarta.apache.org>,
> Martin Naskovski <mn...@san.rr.com>
> To: struts-user@jakarta.apache.org
> Subject: <logic:present roles="..."> tag - how to specify permissions (on
> top of roles)?
>
> Hi all - I have the following issue w/Struts' (or maybe even the Servlet
> API) role-based security model.
>
> If I had something like this in a JSP:
>
> <logic:present roles="user, admin">
> show an input field to change your password
> </logic>
>
> how can I - within the current confines of Struts (1.1) and the Servlet API
> (2.3), instead of hardcoding the roles in the JSP (user, admin) where a
> password change field (or some other common function across a set of roles)
> is presented, do something like the following:
>
> <logic:present permission="changePassword">
> show an input field to change your password
> </logic:present>
>
> I know the "permission" attribute currently does not exist, however, IMHO,
> this (permissions based on roles) is a very valid concept. So, instead of
> defining a "changePassword" _role_, I would have a 'changePassword'
> permission, which would be shared among a number of roles. Clearly, being
> an admin or a user is a _role_ whereas changing a password is a permission
> (or a functionality or a function...)
>
> I don't see anything of this nature that would facilitate this in Struts,
> or Resin, which is what we are using to do our development... So I'm
> wondering, has someone else encountered a this issue and how did they
> resolve it?
>
> Does JAAS alleviate some of this? Does it apply to Resin 2.1.x somehow?
>
JAAS doesn't have anything to do with this -- however, there is a
little-known feature of container-managed authorization that should help
you out in at least *some* of these use cases -- role links.
The basic idea is that an application "hard codes" it's own notion of what
role identifiers mean; but it turns out that the server you are deploying
onto has a different meaining for those things. To solve this, you can
tweak the web.xml file with an element like this, inside the <servlet>
element for ActionServlet:
<servlet>
<servlet-name>Struts Controller Servlet</servlet-name>
<servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
...
<security-role-ref>
<role-name>foo</role-name>
<role-link>bar</role-link>
</security-role-ref>
</servlet>
What this means, essentially, is that "if the Struts Controller Servlet
asks if a user has role "foo", the container should really check for role
"bar" instead. Using this, adapting the differences between how an
application is coded and how the security infrastructure is really set up
is not a problem.
Note that security roles are defined on a per-servlet basis, so the above
setting covers any checks of roles by the Struts Controller Servlet
itself (and that means it covers checking the "role" attribute of <action>
elements). If you want to use things like <logic:present role="foo"> in
your JSP pages, you'll need to define individual <servlet> elements for
them as well.
> Thank you.
> Martin
Craig
---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org