Posted to taglibs-dev@jakarta.apache.org by david robin <je...@club-internet.fr> on 2002/04/14 16:35:44 UTC

Simple security tags proposal

Hello,
I read in the procedure for adding a new tag library that the first thing to do is to submit the project here, so here is what I want to add:
I want to add 2 simple security tags that allow or deny a user in a certain role to see the content between the tags.
Here is an example:

<security:allow  roles="boss">
    <input type="button" value="approve">
</security:allow>

<security:allow   roles="boss;worker">
    <input type="button" value="submit change">
</security:allow>

Or:

<security:deny  roles="worker">
    <input type="button" value="approve">
</security:deny>
    <input type="button" value="submit change">

As you can see it's a very simple couple of tags.
I know that something similar can be done with the <request:IsUserInRole> tag, but there are several reasons to add these simple security tags:

In one tag you can pass multiple roles.
It makes the code clearer.
It is a very common task in web development with Tomcat to hide/show some features for a given role.
Grouping security stuff in a library other than the request one makes sense.

I read in the archive of this list that a security library was proposed, but it was dealing with groups and permissions.
Maybe these two tags can be added to this project.

I hope I have not wasted your time by posting this and that it could be of some interest to someone here.

=====================

David ROBIN


Re: Simple security tags proposal

Posted by david robin <je...@club-internet.fr>.
I am reposting both the diff and the src.zip, because I added a few more javadoc
comments.

----- Original Message -----
From: "Glenn Nielsen" <gl...@voyager.apg.more.net>
To: "Tag Libraries Developers List" <ta...@jakarta.apache.org>
Sent: Monday, April 15, 2002 5:31 PM
Subject: Re: Simple security tags proposal


> Thanks for the contribution David.
>
> I'll try to get this reviewed and committed by the
> end of the week.
>
> Regards,
>
> Glenn


Re: Simple security tags proposal

Posted by Glenn Nielsen <gl...@voyager.apg.more.net>.
Thanks for the contribution David.

I'll try to get this reviewed and committed by the
end of the week.

Regards,

Glenn

david robin wrote:
> 
> Sorry,
> this time it should be good.
> I used EVAL_BODY_TAG instead of EVAL_BODY_INCLUDE for backward
> compatibility with JSP 1.1, and I added the necessary info to request.jsp and
> request.xml.
> 

----------------------------------------------------------------------
Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: Simple security tags proposal

Posted by david robin <je...@club-internet.fr>.
Sorry,
this time it should be good.
I used EVAL_BODY_TAG instead of EVAL_BODY_INCLUDE for backward
compatibility with JSP 1.1, and I added the necessary info to request.jsp and
request.xml.

Here is the diff:
----------------------------------------------------------------------------
----------
? src/org/apache/taglibs/request/AllowTag.java

? src/org/apache/taglibs/request/DenyTag.java

? src/org/apache/taglibs/request/SecurityTag.java

cvs server: Diffing .

cvs server: Diffing conf

cvs server: Diffing doc

cvs server: Diffing doc/conf

cvs server: Diffing doc/web

cvs server: Diffing examples

cvs server: Diffing examples/conf

cvs server: Diffing examples/web

Index: examples/web/request.jsp

===================================================================

RCS file: /home/cvspublic/jakarta-taglibs/request/examples/web/request.jsp,v

retrieving revision 1.5

diff -u -r1.5 request.jsp

--- examples/web/request.jsp 13 Jul 2001 00:49:36 -0000 1.5

+++ examples/web/request.jsp 15 Apr 2002 15:02:51 -0000

@@ -178,5 +178,13 @@

<req:log>

Test of logging to your servlet context log by the request taglib.

</req:log>

+<br><br>

+<req:allow roles="boss">content accessible only for a user in the boss
role<br></req:allow>

+<req:allow roles="boss,worker">content accessible for a user in the boss
role or in the worker role<br></req:allow>

+<req:allow roles="boss:worker" delim=":">content accessible for a user in
the boss role or in the worker role(test delim)<br></req:allow>

+

+<req:deny roles="boss">content not accessible only for a user in the boss
role<br></req:deny>

+<req:deny roles="boss,worker">content not accessible for a user in the boss
role or in the worker role<br></req:deny>

+<req:deny roles="boss:worker" delim=":">content not accessible for a user
in the boss role or in the worker role(test delim)<br></req:deny>

</body>

</html>
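
Review bot: in the three added req:deny lines the body text "content not accessible only for a user in the boss role" does not say who does see the body, and none of the added examples covers a visitor who is in neither role or is not logged in. If deny renders its body for everyone outside the listed roles, that default case is the one most worth showing: reword the bodies to name the audience (for example "content hidden from a user in the boss role") and add one line whose expected result for a user with no role is stated, so this example page also works as a manual check.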

cvs server: Diffing src

cvs server: Diffing src/org

cvs server: Diffing src/org/apache

cvs server: Diffing src/org/apache/taglibs

cvs server: Diffing src/org/apache/taglibs/request

cvs server: Diffing xml

Index: xml/request.xml

===================================================================

RCS file: /home/cvspublic/jakarta-taglibs/request/xml/request.xml,v

retrieving revision 1.9

diff -u -r1.9 request.xml

--- xml/request.xml 15 Apr 2002 00:18:42 -0000 1.9

+++ xml/request.xml 15 Apr 2002 15:02:55 -0000

@@ -57,6 +57,102 @@

</requirements-info>

<tagtoc name="Request Tags">

+ <tag>

+ <name>allow</name>

+ <tag-class>org.apache.taglibs.request.AllowTag</tag-class>

+ <body-content>JSP</body-content>

+ <display-name>allow</display-name>

+

+ <description>

+ Allow access to the content of the tag for a user in one of the specified
roles.

+ </description>

+

+ <summary>Allow access to the content of the tag for a user in one of the
specified roles.</summary>

+ <availability>1.0</availability>

+ <restrictions>None</restrictions>

+ <attribute>

+ <name>roles</name>

+ <required>yes</required>

+ <rtexprvalue>no</rtexprvalue>

+ <description>

+ List of roles allowed to access the tag content.

+ </description>

+ <availability>1.0</availability>

+ </attribute>

+

+ <attribute>

+ <name>delim</name>

+ <required>no</required>

+ <rtexprvalue>no</rtexprvalue>

+ <description>

+ Replace the default roles separator (comma)

+ </description>

+ <availability>1.0</availability>

+ </attribute>

+ <example>

+ <usage>

+ <comment>

+ Simple example using two roles: boss and worker.

+ </comment>

+ <code>

+<![CDATA[

+<req:allow roles="boss">content accessible only for a user in the boss
role</req:allow>

+<req:allow roles="boss,worker">content accessible for a user in the boss
role or in the worker role</req:allow>

+<req:allow roles="boss:worker" delim=":">content accessible for a user in
the boss role or in the worker role(test delim)</req:allow>

+]]>

+ </code>

+ </usage>

+ </example>

+

+ </tag>

+ <tag>

+ <name>deny</name>

+ <tag-class>org.apache.taglibs.request.DenyTag</tag-class>

+ <body-content>JSP</body-content>

+ <display-name>deny</display-name>

+

+ <description>

+ Deny access to the content of the tag for a user in one of the specified
roles.

+ </description>

+

+ <summary>Deny access to the content of the tag for a user in one of the
specified roles.</summary>

+ <availability>1.0</availability>

+ <restrictions>None</restrictions>

+ <attribute>

+ <name>roles</name>

+ <required>yes</required>

+ <rtexprvalue>no</rtexprvalue>

+ <description>

+ List of roles not allowed to access the tag content.

+ </description>

+ <availability>1.0</availability>

+ </attribute>

+

+ <attribute>

+ <name>delim</name>

+ <required>no</required>

+ <rtexprvalue>no</rtexprvalue>

+ <description>

+ Replace the default roles separator (comma)

+ </description>

+ <availability>1.0</availability>

+ </attribute>

+ <example>

+ <usage>

+ <comment>

+ Simple example using two roles: boss and worker.

+ </comment>

+ <code>

+<![CDATA[

+<req:deny roles="boss">content not accessible only for a user in the boss
role</req:deny>

+<req:deny roles="boss,worker">content not accessible for a user in the boss
role or in the worker role</req:deny>

+<req:deny roles="boss:worker" delim=":">content not accessible for a user
in the boss role or in the worker role(test delim)</req:deny>

+]]>

+ </code>

+ </usage>

+ </example>

+

+ </tag>

<tag>

<name>log</name>

<tag-class>org.apache.taglibs.request.LogTag</tag-class>
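
Review bot: the delim description in both new tag entries, "Replace the default roles separator (comma)", leaves the parsing rule undocumented: it does not say whether delim is a single character or a set of characters, or whether blanks around a role name are ignored. With roles="boss, worker" an untrimmed " worker" entry would match no role, which hides the body under allow but shows it under deny, so the rule should be written into both descriptions, and the deny description should also say what a user with no role sees. The description and summary elements of each tag currently repeat the same sentence; the description is the natural place for this extra detail.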

--------------------------------------------------------

I hope it helps,
David

Re: Simple security tags proposal

Posted by Glenn Nielsen <gl...@voyager.apg.more.net>.
Here is another valuable document that describes the layout
of files and how the ant build system works for taglibs.

http://jakarta.apache.org/taglibs/sourcedist.html

Regards,

Glenn

Glenn Nielsen wrote:
> 
> David,
> 
> Thanks for the submission, but I can't use it as it is.
> The Request taglib must maintain its JSP 1.1 compatibility.
> 
> The less work I have to do, the more likely it is that your
> submission will be imported into CVS.
> 
> Please see the following documentation for adding a tag to
> a tag library.  Then download the entire jakarta-taglibs
> src distribution or check it out anonymously from CVS.
> Follow the directions below and use the ant build system
> to build the taglib with your changes incorporated into
> the build.
> 
> http://jakarta.apache.org/taglibs/addtaglib.html#Addtag
> 
> I not only need the java source which implements the tags,
> but also the diff -u of the supporting files used to build
> the taglib from CVS.
> 
> Please let me know if you have any questions after getting the
> src and reviewing the documentation for adding a tag to an existing
> tag library.
> 
> Thanks,
> 
> Glenn
> 



Re: Simple security tags proposal

Posted by Glenn Nielsen <gl...@voyager.apg.more.net>.
David,

Thanks for the submission, but I can't use it as it is.
The Request taglib must maintain its JSP 1.1 compatibility.

The less work I have to do, the more likely it is that your
submission will be imported into CVS.

Please see the following documentation for adding a tag to
a tag library.  Then download the entire jakarta-taglibs
src distribution or check it out anonymously from CVS.
Follow the directions below and use the ant build system
to build the taglib with your changes incorporated into
the build.

http://jakarta.apache.org/taglibs/addtaglib.html#Addtag

I not only need the java source which implements the tags,
but also the diff -u of the supporting files used to build
the taglib from CVS.

Please let me know if you have any questions after getting the
src and reviewing the documentation for adding a tag to an existing
tag library.

Thanks,

Glenn

david robin wrote:
> 
> ----- Original Message -----
> > Glenn Nielsen wrote:
> > That's a good idea.  Rather than create a separate tag library, as you said,
> > it would be appropriate to add these tags to the Request taglib.
> 
> OK, I will add this to the request taglib.
> 
> > I would recommend that multiple values for the roles attribute be a list
> > of comma separated values rather than separated with a semicolon.
> 
> In fact the semicolon was the default separator I chose, but it can be
> specified with the delim attribute.
> ex:
> <security:allow roles="boss:worker" delim=":">
> I changed it so that the comma is now the default separator.
> 
> > If you can submit a patch using diff -u for the request taglib to add these tags,
> > I will commit it to CVS.
> 
> I am attaching the result of the diff command to this email.
> I am also attaching a zip with the source files for the new tags.
> I used the JSP 1.2 specs (only the EVAL_BODY_INCLUDE constant instead of
> EVAL_BODY_TAG).
> 
> And here are the TLD's new <tag> elements
> ---------------------------------
> <tag>
>   <name>allow</name>
>   <tagclass>org.apache.taglibs.request.AllowTag</tagclass>
>   <bodycontent>JSP</bodycontent>
>   <info>
>     Allow access to the content of the tag for a user in one of the
>     specified roles
>   </info>
>   <attribute>
>     <name>roles</name>
>     <required>true</required>
>   </attribute>
>   <attribute>
>     <name>delim</name>
>     <required>false</required>
>   </attribute>
> </tag>
> <tag>
>   <name>deny</name>
>   <tagclass>org.apache.taglibs.request.DenyTag</tagclass>
>   <bodycontent>JSP</bodycontent>
>   <info>
>     Deny access to the content of the tag for a user in one of the
>     specified roles
>   </info>
>   <attribute>
>     <name>roles</name>
>     <required>true</required>
>   </attribute>
>   <attribute>
>     <name>delim</name>
>     <required>false</required>
>   </attribute>
> </tag>
> ----------------------------------------------------------------------
> 
> I hope this is what you were expecting from me, Glenn, because I am not
> familiar with the correct way to add a new tag.
> If something is wrong/missing just let me know.
> ===============================
> David Robin
> 



Re: Simple security tags proposal

Posted by david robin <je...@club-internet.fr>.
----- Original Message -----
> Glenn Nielsen wrote:
> That's a good idea.  Rather than create a separate tag library, as you said,
> it would be appropriate to add these tags to the Request taglib.

OK, I will add this to the request taglib.

> I would recommend that multiple values for the roles attribute be a list
> of comma separated values rather than separated with a semicolon.

In fact the semicolon was the default separator I chose, but it can be
specified with the delim attribute.
ex:
<security:allow roles="boss:worker" delim=":">
I changed it so that the comma is now the default separator.

> If you can submit a patch using diff -u for the request taglib to add these tags,
> I will commit it to CVS.

I am attaching the result of the diff command to this email.
I am also attaching a zip with the source files for the new tags.
I used the JSP 1.2 specs (only the EVAL_BODY_INCLUDE constant instead of
EVAL_BODY_TAG).

And here are the TLD's new <tag> elements
---------------------------------
<tag>
  <name>allow</name>
  <tagclass>org.apache.taglibs.request.AllowTag</tagclass>
  <bodycontent>JSP</bodycontent>
  <info>
    Allow access to the content of the tag for a user in one of the
    specified roles
  </info>
  <attribute>
    <name>roles</name>
    <required>true</required>
  </attribute>
  <attribute>
    <name>delim</name>
    <required>false</required>
  </attribute>
</tag>
<tag>
  <name>deny</name>
  <tagclass>org.apache.taglibs.request.DenyTag</tagclass>
  <bodycontent>JSP</bodycontent>
  <info>
    Deny access to the content of the tag for a user in one of the
    specified roles
  </info>
  <attribute>
    <name>roles</name>
    <required>true</required>
  </attribute>
  <attribute>
    <name>delim</name>
    <required>false</required>
  </attribute>
</tag>
----------------------------------------------------------------------

I hope this is what you were expecting from me, Glenn, because I am not
familiar with the correct way to add a new tag.
If something is wrong/missing just let me know.
===============================
David Robin
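
The allow/deny decision discussed in this thread (a delimited roles list, comma by default, overridable with delim), written out as an added example; it is not the AllowTag/DenyTag source attached to these mails. RoleGate, its method names and the sample users are hypothetical, splitting with StringTokenizer is an assumption, and a Predicate stands in for HttpServletRequest.isUserInRole.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.StringTokenizer;
import java.util.function.Predicate;

// Added illustration; RoleGate and its methods are hypothetical names,
// not the AllowTag/DenyTag classes from the patch.
public class RoleGate {

    // Split the roles attribute. StringTokenizer treats every character of
    // delim as a separator. With trim=true, blanks around a role name are
    // removed; empty entries are always dropped.
    static List<String> parseRoles(String roles, String delim, boolean trim) {
        String d = (delim == null || delim.isEmpty()) ? "," : delim; // comma default
        List<String> out = new ArrayList<>();
        if (roles == null) {
            return out;
        }
        StringTokenizer st = new StringTokenizer(roles, d);
        while (st.hasMoreTokens()) {
            String r = st.nextToken();
            if (trim) {
                r = r.trim();
            }
            if (!r.isEmpty()) {
                out.add(r);
            }
        }
        return out;
    }

    static boolean inAnyRole(List<String> roles, Predicate<String> isUserInRole) {
        for (String r : roles) {
            if (isUserInRole.test(r)) {
                return true;
            }
        }
        return false;
    }

    // allow: the body is rendered only if the user holds one of the roles.
    static boolean allowRenders(List<String> roles, Predicate<String> user) {
        return inAnyRole(roles, user);
    }

    // deny: the body is rendered unless the user holds one of the roles.
    // Choice made in this sketch: an empty role list hides the body.
    static boolean denyRenders(List<String> roles, Predicate<String> user) {
        return !roles.isEmpty() && !inAnyRole(roles, user);
    }

    public static void main(String[] args) {
        // Constructed users. isUserInRole returns false for every role when
        // the caller is not authenticated, modelled here by an empty set.
        Set<String> boss = new HashSet<>(Arrays.asList("boss"));
        Set<String> worker = new HashSet<>(Arrays.asList("worker"));
        Set<String> anonymous = Collections.emptySet();

        String attr = "boss, worker"; // constructed input: blank after the comma
        List<String> trimmed = parseRoles(attr, null, true);
        List<String> untrimmed = parseRoles(attr, null, false);
        List<String> colon = parseRoles("boss:worker", ":", true);

        System.out.println("allow boss (delim ':'):    " + allowRenders(colon, boss::contains));
        System.out.println("allow worker, trimmed:     " + allowRenders(trimmed, worker::contains));
        System.out.println("allow worker, untrimmed:   " + allowRenders(untrimmed, worker::contains));
        System.out.println("deny worker, trimmed:      " + denyRenders(trimmed, worker::contains));
        System.out.println("deny worker, untrimmed:    " + denyRenders(untrimmed, worker::contains));
        System.out.println("deny anonymous, trimmed:   " + denyRenders(trimmed, anonymous::contains));
    }
}
```

The untrimmed rows show the asymmetry: a role entry that fails to match hides the body under allow but shows it under deny. Either tag only decides what markup is rendered, so the action behind a hidden button still needs its own server-side role check.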



Re: Simple security tags proposal

Posted by Glenn Nielsen <gl...@voyager.apg.more.net>.
david robin wrote:
> 
> Hello,
> I read in the procedure for adding a new tag library that the first thing to do is to submit the project here, so here is what I want to add:
> I want to add 2 simple security tags that allow or deny a user in a certain role to see the content between the tags.
> Here is an example:
> 
> <security:allow  roles="boss">
>     <input type="button" value="approve">
> </security:allow>
> 
> <security:allow   roles="boss;worker">
>     <input type="button" value="submit change">
> </security:allow>
> 
> Or:
> 
> <security:deny  roles="worker">
>     <input type="button" value="approve">
> </security:deny>
>     <input type="button" value="submit change">
> 
> As you can see it's a very simple couple of tags.
> I know that something similar can be done with the <request:IsUserInRole> tag, but there are several reasons to add these simple security tags:
> 
> In one tag you can pass multiple roles.
> It makes the code clearer.
> It is a very common task in web development with Tomcat to hide/show some features for a given role.
> Grouping security stuff in a library other than the request one makes sense.
> 
> I read in the archive of this list that a security library was proposed, but it was dealing with groups and permissions.
> Maybe these two tags can be added to this project.
> 
> I hope I have not wasted your time by posting this and that it could be of some interest to someone here.
> 
> =====================
> 
> David ROBIN


That's a good idea.  Rather than create a separate tag library, as you said,
it would be appropriate to add these tags to the Request taglib.

I would recommend that multiple values for the roles attribute be a list
of comma separated values rather than separated with a semicolon.

If you can submit a patch using diff -u for the request taglib to add these tags,
I will commit it to CVS.

Thanks,

Glenn



