Re: REST plugin and security

2007-12-16 Thread Don Brown
On Dec 14, 2007 8:28 PM, Martin Gilday [EMAIL PROTECTED] wrote:
 Hi Don,
 I think we are using WS-Security, but I have not been too involved in
 it.  I just wanted to confirm that a reasonable equivalent was
 available.

There is no full equivalent for WS-Security, but you can accomplish
many of the same things using built-in HTTP features.

 Is it possible with the S2 plugin to do one of the classical examples of
 getting resources by date e.g. /orders/2007/12/13.  It would be great if
 you could map that onto something like a Joda MutableDateTime. From the
 wiki you just seem to be able to have a single ID parameter set on your
 action.  I really like the Django approach of a mapping script where you
 define regex expressions which map onto functions with all the defined
 parameter placeholders.

No, at this point, you can't include anything with a slash.  Well, you
can, but it'll have to be created using normal XWork configuration and
perhaps a few wildcards.

Don


 Martin.



 - Original message -
 From: Don Brown [EMAIL PROTECTED]
 To: Struts Users Mailing List user@struts.apache.org
 Date: Fri, 14 Dec 2007 09:48:03 +1100
 Subject: Re: REST plugin and security

 If you are putting username and password in the soap headers, why not
 just use basic authentication for your REST services, which basically
 does the same thing?  If over the wire security is a problem, use
 HTTPS.

 Don

 On Dec 14, 2007 1:44 AM, Martin Gilday [EMAIL PROTECTED] wrote:
  Hi,
  We are interested in using the REST plugin to extend customer choice and
  complement our WS-* services.  We are particularly interested in the
  multiple response types (.xml, .json etc).  One thing I am not sure of
  is how we handle security.  Say we have an order (/order/1234.xml), how
  can we protect this so this is only available to the owner of the order?
   In our current system they would provide their username and password in
  the soap security headers.  We use Acegi/Spring Security.  This is
  probably more of a general REST issue, but I am interested in if the
  plugin helps out at all.
 
  Thanks,
  Martin.
 
  -
  To unsubscribe, e-mail: [EMAIL PROTECTED]
  For additional commands, e-mail: [EMAIL PROTECTED]
 
 




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
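
Don's suggestion of Basic authentication over HTTPS identifies the caller, but Martin's owner-only requirement for /order/1234.xml still has to be enforced per order. The following is an added example, not code from the thread or from the REST plugin, of that check in plain Java; the class name, the user and order maps and the status mapping are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added illustration; all names and sample data here are hypothetical. */
public class OrderAccessCheck {
    // Constructed sample data. A real deployment delegates this to the container
    // or to Acegi/Spring Security and stores password hashes, not plaintext.
    static final Map<String, String> USERS = Map.of("alice", "a-secret", "bob", "b-secret");
    static final Map<String, String> ORDER_OWNER = Map.of("1234", "alice", "5678", "bob");

    // /order/1234.xml and /order/1234.json name the same resource, so the
    // extension is stripped before the ownership lookup.
    static final Pattern ORDER_PATH = Pattern.compile("^/order/(\\d+)(?:\\.(?:xml|json))?$");

    /** Returns the authenticated user name, or null if the header is absent, malformed or wrong. */
    static String authenticate(String authorizationHeader) {
        if (authorizationHeader == null
                || !authorizationHeader.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(authorizationHeader.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // not valid base64
        }
        int colon = decoded.indexOf(':'); // user names cannot contain ':'; passwords can
        if (colon < 0) {
            return null;
        }
        String user = decoded.substring(0, colon);
        String expected = USERS.get(user);
        byte[] given = decoded.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison; unknown users are compared against a dummy value.
        byte[] want = (expected == null ? "" : expected).getBytes(StandardCharsets.UTF_8);
        boolean ok = MessageDigest.isEqual(given, want) && expected != null;
        return ok ? user : null;
    }

    /** Maps a request to the HTTP status the service should answer with. */
    static int decide(boolean overHttps, String path, String authorizationHeader) {
        if (!overHttps) {
            return 403; // Basic credentials are only base64-encoded: refuse plain HTTP
        }
        String user = authenticate(authorizationHeader);
        if (user == null) {
            return 401; // answer with WWW-Authenticate: Basic realm="orders"
        }
        Matcher m = ORDER_PATH.matcher(path);
        if (!m.matches() || !ORDER_OWNER.containsKey(m.group(1))) {
            return 404;
        }
        // Being authenticated is not enough: the caller must own this order.
        return user.equals(ORDER_OWNER.get(m.group(1))) ? 200 : 403;
    }

    static String basic(String user, String password) {
        String pair = user + ":" + password;
        return "Basic " + Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        System.out.println(decide(true, "/order/1234.xml", basic("alice", "a-secret")));  // owner
        System.out.println(decide(true, "/order/1234.json", basic("bob", "b-secret")));   // not the owner
        System.out.println(decide(true, "/order/1234.xml", basic("alice", "wrong")));     // bad password
        System.out.println(decide(false, "/order/1234.xml", basic("alice", "a-secret"))); // plain HTTP
    }
}
```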



Re: [struts][2.0.11] optiontransferselect limit?

2007-12-16 Thread Martin Gainty
good call dale!
http://freemarker.org/docs/ref_builtins_expert.html
implementing has_content will definitely detect no content condition

without consulting gray's anatomy for 'systemic' I can't say if this is
related to 'aortic' maladies rather than pulmonary?
but that's a topic for another day..

Thanks
Martin--
- Original Message -
From: Dale Newfield [EMAIL PROTECTED]
To: Struts Users Mailing List user@struts.apache.org
Sent: Saturday, December 15, 2007 11:12 PM
Subject: Re: [struts][2.0.11] optiontransferselect limit?


 Dale Newfield wrote:
  Martin Gainty wrote:
  this is the applicable code in my copy of optiontransferselect.ftl

 Thanks for making me look at this--it led me straight to my problem!

  So we know there is a problem with the freemarker libraries, and that
  it's either in ?exists, or stack.findString(), or in the assumption that
  the first being true implies the second will always produce a valid
  result.  Is it true that if it has a value that value must be
  extractable as a string?  The freemarker docs suggest that maybe
  ?has_content would be better than ?exists ...

 This rationale is almost right, but has a big hole.  We're asking whether
 the tag has a parameter set, and then assuming the data has not null for
 that attribute.  I indeed had a piece of data with null for that value,
 which caused my problem.  Since that attribute was derived, I was able
 to modify my model object to return "" in that case instead of null, and
 I'm golden.  I might suggest this alteration to the .ftl file, though:

  #if parameters.doubleListValue?exists#t/
 + #if
 stack.findString(parameters.doubleListValue)?has_content#t/
  #assign doubleItemValue =
 stack.findString(parameters.doubleListValue) /#t/
 + /#if#t/
  #else#t/
  #assign doubleItemValue = stack.findString('top') /#t/
  /#if#t/
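
Review bot: The added inner #if on stack.findString(parameters.doubleListValue)?has_content has no #else, so when parameters.doubleListValue is set but the lookup returns null or an empty string, doubleItemValue is not assigned at all. The existing #else with stack.findString('top') belongs to the outer ?exists test and does not run in that case. Whatever reads doubleItemValue after this block then sees an undefined variable or, if the block is rendered more than once, a value left over from an earlier assignment. Add an inner #else that assigns an explicit fallback (an empty string, or the same stack.findString('top') used by the outer branch) so the variable is always defined here.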

 Now I don't have to change interfaces for large groups!  Yay!  Thanks!

 -Dale

 P.S.:  I shoulda known that 1124 was not a magic enough number to be a
 systemic problem--that number should have led me to look at my data
 sooner :-/.




Re: Using JAAS with Struts2

2007-12-16 Thread Adam Hardy

Janesh on 14/12/07 06:40, wrote:
I want to use JAAS with Struts2 for our web application (which runs on 
Tomcat 5.x). Can you please give me some knowhow in this regard?


Janesh,

JAAS and Struts2 have no direct coupling. You can set up your webserver to use 
JAAS for the container-managed security, or you can set up your chosen other 
security framework such as Acegi to use JAAS, but Struts2 will interface with 
that other security framework, not directly with JAAS.


The security implementation in Struts2 is covered a little here:

http://struts.apache.org/2.x/docs/how-do-i-obtain-security-details-jaas.html

but that's not just JAAS, it could be any security framework.

HTH
Adam




xwork 2.1 changes?

2007-12-16 Thread Dale Newfield
Attempting to upgrade to 2.1 to finish my optiontransferselect testing 
(in 2.0.11 the select all before submit is implemented by dojo, which 
I'm not using, so I'm still not quite done--when I am I'll post any 
appropriate .ftl changes to JIRA.)


Is there a better list to ask about xwork changes?

Changeset 1608:
Merging the no-statics branch into 2.1 trunk.  Consists of 
* OGNL API separation so that the EL could be replaced 
* Rid of almost all static state, preferring dep injection 
* Rid of static factories, again in favor of dep injection 
* Better use of dep injection library (bootstrap phase) 


So I replaced a few places (a service class, a listener, and a taglib) 
that used DefaultTextProvider.INSTANCE.getText() with an 
injection/lookup of a bean implemented by DefaultTextProvider:


<bean id="textProvider" class="com.opensymphony.xwork2.DefaultTextProvider"/>


But now the first time I try to use that bean I get a 
NullPointerException at 
com.opensymphony.xwork2.DefaultTextProvider.getText(DefaultTextProvider.java:64)


Which I think means that ActionContext.getContext() is returning null, 
even though the javadoc says: Returns the ActionContext for the current 
thread, is never null.


I'm accessing this from a listener (LoginListener) that is trying to 
generate i18ized messages of the form Last successful login at X, N 
unsuccessful login attempts since then.  Is the ActionContext null 
because I've not yet been dispatched to an action?  What is the 
appropriate way now to do getText() lookups from a listener?


-Dale




Re: xwork 2.1 changes?

2007-12-16 Thread Don Brown
On Dec 17, 2007 9:12 AM, Dale Newfield [EMAIL PROTECTED] wrote:
 Attempting to upgrade to 2.1 to finish my optiontransferselect testing
 (in 2.0.11 the select all before submit is implemented by dojo, which
 I'm not using, so I'm still not quite done--when I am I'll post any
 appropriate .ftl changes to JIRA.)

 Is there a better list to ask about xwork changes?

Not really.  I try to create a jira ticket for each change, but that's about it.

 So I replaced a few places (a service class, a listener, and a taglib)
 that used DefaultTextProvider.INSTANCE.getText() with an
 injection/lookup of a bean implemented by DefaultTextProvider:

 <bean id="textProvider" class="com.opensymphony.xwork2.DefaultTextProvider"/>

I think that might only provide the default text provider.  I plan to
spend some time this week cleaning that section up.

 But now the first time I try to use that bean I get a
 NullPointerException at
 com.opensymphony.xwork2.DefaultTextProvider.getText(DefaultTextProvider.java:64)

 Which I think means that ActionContext.getContext() is returning null,
 even though the javadoc says: Returns the ActionContext for the current
 thread, is never null.

 I'm accessing this from a listener (LoginListener) that is trying to
 generate i18ized messages of the form Last successful login at X, N
 unsuccessful login attempts since then.  Is the ActionContext null
 because I've not yet been dispatched to an action?  What is the
 appropriate way now to do getText() lookups from a listener?

Ah, yeah, I should change those javadocs.  Now, ActionContext can be
null, unless it is during an action execution (basically everything
behind the ActionProxy).  Therefore, the listener approach won't work,
unless you put it between the s2 filter and the s2 cleanup filter,
similar to how sitemesh is configured.

Don


 -Dale




Re: [struts][2.0.11] optiontransferselect limit?

2007-12-16 Thread Dave Newton
Done; thanks :)

Yeah, 1124 would be a suspicious magic number ;)

There are probably other cases where this (or a similar) patch can be
applied; I've been spotting several little holes in some of the tag libs but
am pretty swamped at the moment. It'll all get done.

d.

--- Dale Newfield [EMAIL PROTECTED] wrote:

 Dale Newfield wrote:
  Martin Gainty wrote:
  this is the applicable code in my copy of optiontransferselect.ftl
 
 Thanks for making me look at this--it led me straight to my problem!
 
  So we know there is a problem with the freemarker libraries, and that 
  it's either in ?exists, or stack.findString(), or in the assumption that 
  the first being true implies the second will always produce a valid 
  result.  Is it true that if it has a value that value must be 
  extractable as a string?  The freemarker docs suggest that maybe 
  ?has_content would be better than ?exists ...
 
 This rationale is almost right, but has a big hole.  We're asking whether
 the tag has a parameter set, and then assuming the data has not null for
 that attribute.  I indeed had a piece of data with null for that value,
 which caused my problem.  Since that attribute was derived, I was able
 to modify my model object to return "" in that case instead of null, and
 I'm golden.  I might suggest this alteration to the .ftl file, though:
 
  #if parameters.doubleListValue?exists#t/
 + #if 
 stack.findString(parameters.doubleListValue)?has_content#t/
  #assign doubleItemValue = 
 stack.findString(parameters.doubleListValue) /#t/
 + /#if#t/
  #else#t/
  #assign doubleItemValue = stack.findString('top') /#t/
  /#if#t/
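
Review bot: stack.findString(parameters.doubleListValue) is evaluated twice each time this block is rendered, once in the added ?has_content test and again in the #assign on the following line. A single lookup with a default, for example assigning stack.findString(parameters.doubleListValue)?default(''), would do the stack lookup once and make the inner #if unnecessary. If the double lookup is kept, a short template comment saying that the value can be null even when the parameter is set would explain why both the ?exists and the ?has_content tests are needed.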
 
 Now I don't have to change interfaces for large groups!  Yay!  Thanks!
 
 -Dale
 
 P.S.:  I shoulda known that 1124 was not a magic enough number to be a 
 systemic problem--that number should have led me to look at my data 
 sooner :-/.
 



Refresh parent browser when form in pop-up browser is submitted

2007-12-16 Thread quinquin2209

Hi All,

In my application, user can open a member profile in the main page. The
member profile is opened in a pop-up window and user can edit the profile.
When user submits the form in pop-up browser, I want to close the pop-up
browser, refresh the parent browser to reflect change and also display the
actionError or actionMessage while processing the profile editing. 

Any suggestion in how I can achieve it?

Thanks in advance

Queenie
-- 
View this message in context: 
http://www.nabble.com/Refresh-parent-browser-when-form-in-pop-up-browser-is-submitted-tp14370069p14370069.html
Sent from the Struts - User mailing list archive at Nabble.com.





Re: Refresh parent browser when form in pop-up browser is submitted

2007-12-16 Thread 张云勇
use javascript to call a parent page's action when the pop-window closed, in the
action you can do what you do ^_^

On 2007-12-17, quinquin2209 [EMAIL PROTECTED] wrote:
Hi All,

In my application, user can open a member profile in the main page. The
member profile is opened in a pop-up window and user can edit the profile.
When user submits the form in pop-up browser, I want to close the pop-up
browser, refresh the parent browser to reflect change and also display the
actionError or actionMessage while processing the profile editing. 

Any suggestion in how I can achieve it?

Thanks in advance

Queenie



RE: Is Struts2 ready for prime time?

2007-12-16 Thread Sekhar, Raja

We have deployed a stable pricing calculators using struts2 (2.0.8) on jboss 4.
We have moved away from the old jsp architecture to s2.

Some of the key considerations/features/benefits are:

- Reusability
-- ability to map multiple actions to diff methods of the same class
-- tiles integration to reuse gui components

- Framework features
-- use introspection to create beans/class instances/variables based on
   the names in gui to ones in srvr
-- validation
-- tag libs (this is a highlight of s2)

- Good user group support
-- active threads on various topics
-- continuous release cycles with planned dates, JIRA issue tracking

- Dojo support with performance tuning

- Flexibility to play around/modify
Right now I have tweaked the css_xhtml theme for validation.
The css_xhtml theme displays the error msgs in a div, I modified
validation.js to show all the error msgs in a div called error div,
which gives me the ability to show all the errors at one place, rather
than spread the error msg next to each field.
This is a lot cleaner in terms of user experience.

So all in all I would recommend struts2. My knowledge however is
not enough to comment on struts2-jsf integration.
Because I have read one comment in struts2 documentation that
this combination was to enable what each does best.
So the gui tags of jsf leaves a lot to be explored for me.
However, I see that struts2 is powerful enough to replicate
complex gui's, on the fly variable creation in gui (say a
schedule) and capturing on the server side.

I myself haven't explored the richness of all the features.

My sincere thanks to the struts2 team, you guys have done a great job.
Thanks to all the contributors to this user-support mailing
list, without whose help many questions would have been left unanswered !!!
Our application is quite stable, and gives us good performance too.
I am gonna encourage my friends to consider struts2 as a
middleware framework for many applications !!

Regards




-Original Message-
From: Jeff Amiel [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 13, 2007 7:03 PM
To: Struts Users Mailing List
Subject: Re: Is Struts2 ready for prime time?

On Dec 12, 2007 11:28 PM, Jeromy Evans
[EMAIL PROTECTED] wrote:
 I agree with Dave.  S2 has been exceptionally robust. I find the core 
 framework is more productive and even more pleasurable (!) to work 
 with compared to S1.

This is a key for me.  My team and I have been using an ancient version
of struts 1.X for over 3.5 years on the same project and I am evaluating
struts 2 to see if some of the webwork mentality (convention over
configuration) and other elements will make it more 'pleasurable' in our
day-to-day coding.  Sometimes even doing things 'differently' after
doing the same thing the same way over and over again can be
'pleasurable'.  I'm converting over a small struts 1.X system and taking
careful notes of the pros and cons and hope to be done soon.  From a
business perspective I know if something works, don't mess with it.  But
there are real people spending 40-60 hours per week coding and their
ultimate happiness has a great impact on the resulting product.



Re: [struts] xwork 2.1 changes?

2007-12-16 Thread Dale Newfield

Don Brown wrote:

I'm accessing this from a listener (LoginListener) that is trying to
generate i18ized messages of the form Last successful login at X, N
unsuccessful login attempts since then.  Is the ActionContext null
because I've not yet been dispatched to an action?  What is the
appropriate way now to do getText() lookups from a listener?


Ah, yeah, I should change those javadocs.  Now, ActionContext can be
null, unless it is during an action execution (basically everything
behind the ActionProxy).  Therefore, the listener approach won't work,
unless you put it between the s2 filter and the s2 cleanup filter,
similar to how sitemesh is configured.


The filter-mapping for securityFilter (acegisecurity) is in between 
struts-cleanup and struts.  This LoginListener listener handles events 
triggered within the securityFilter (onApplicationEvent), so doesn't 
that mean I'm already doing what you suggest?  Wait--am I backwards?  My 
filter-mappings (and filters) start with struts-cleanup 
(org.apache.struts2.dispatcher.ActionContextCleanUp) and ends with 
struts (org.apache.struts2.dispatcher.FilterDispatcher), with 
everything else in between (including securityFilter and siteMesh). 
Wouldn't I be having all sorts of problems (for example, with struts 
tags in my sitemesh decorators) if I had that backwards?


-Dale




Is struts 1.X has JAAS integration API?

2007-12-16 Thread 张云勇
Does struts 1.X have a JAAS integration API?
I want to use the following code:

HttpServletRequest request = ServletActionContext.getRequest();
String authType = request.getAuthType(); // http or https
String user = request.getRemoteUser(); // the user principal (in string)
Principal principal = request.getUserPrincipal(); // get a Principal object
boolean isAuth = request.isUserInRole("patrick");

but I don't know how to set the values for authType, remoteUser etc.
Can anyone give me help?

 
 
 

RE: Is Struts2 ready for prime time?

2007-12-16 Thread Dave Newton
--- Sekhar, Raja [EMAIL PROTECTED] wrote:
  -- ability to map multiple actions to diff
   methods of the same class
 -- tiles integration to reuse gui components

In all fairness, these are not features unique to S2; S1 could do all that as
well.

   -- continuous release cycles with planned dates,

We have planned dates? I was aware of that. Where are you getting the dates
from?

d.






Re: [struts] xwork 2.1 changes?

2007-12-16 Thread Don Brown
Then when is the code running?  In the inbound or outbound?  Sitemesh
works because it is activated on the outbound, and so should your
filter.  If inbound, then it won't, because the action proxy hasn't
been called yet.

Don

On Dec 17, 2007 4:10 PM, Dale Newfield [EMAIL PROTECTED] wrote:
 Don Brown wrote:
  I'm accessing this from a listener (LoginListener) that is trying to
  generate i18ized messages of the form Last successful login at X, N
  unsuccessful login attempts since then.  Is the ActionContext null
  because I've not yet been dispatched to an action?  What is the
  appropriate way now to do getText() lookups from a listener?
 
  Ah, yeah, I should change those javadocs.  Now, ActionContext can be
  null, unless it is during an action execution (basically everything
  behind the ActionProxy).  Therefore, the listener approach won't work,
  unless you put it between the s2 filter and the s2 cleanup filter,
  similar to how sitemesh is configured.

 The filter-mapping for securityFilter (acegisecurity) is in between
 struts-cleanup and struts.  This LoginListener listener handles events
 triggered within the securityFilter (onApplicationEvent), so doesn't
 that mean I'm already doing what you suggest?  Wait--am I backwards?  My
 filter-mappings (and filters) start with struts-cleanup
 (org.apache.struts2.dispatcher.ActionContextCleanUp) and ends with
 struts (org.apache.struts2.dispatcher.FilterDispatcher), with
 everything else in between (including securityFilter and siteMesh).
 Wouldn't I be having all sorts of problems (for example, with struts
 tags in my sitemesh decorators) if I had that backwards?


 -Dale




Re: Is struts 1.X has JAAS integration API?

2007-12-16 Thread Wendy Smoak
On Dec 16, 2007 10:15 PM, 张云勇 [EMAIL PROTECTED] wrote:
 Does struts 1.X have a JAAS integration API?
 I want to use the following code:

 HttpServletRequest request = ServletActionContext.getRequest();
 String authType = request.getAuthType(); // http or https

Based on the comment, you probably want getScheme() here...
see
http://java.sun.com/j2ee/sdk_1.3/techdocs/api/javax/servlet/ServletRequest.html#getScheme()
vs.
http://java.sun.com/j2ee/sdk_1.3/techdocs/api/javax/servlet/http/HttpServletRequest.html#getAuthType()

 String user = request.getRemoteUser(); // the user principal (in string)
 Principal principal = request.getUserPrincipal(); // get a Principal object
 boolean isAuth = request.isUserInRole("patrick");

 but I don't know how to set the values for authType, remoteUser etc.
 Can anyone give me help?

I'm not sure exactly what you're asking, and it probably depends on
what container you're using.  Most of them come with examples to help
you get started.  Explain a bit more about what you need to do, and
someone can probably help.

-- 
Wendy


Re: Re: Is struts 1.X has JAAS integration API?

2007-12-16 Thread 张云勇
Sorry for my poor English, I'm improving it ^_^

Here is what I mean:
I want to get the auth user from the request, but I don't know how to set the
user on the request, like this:

String user = request.getRemoteUser(); // the user principal (in string)
Principal principal = request.getUserPrincipal(); // get a Principal object
boolean isAuth = request.isUserInRole("patrick");


Someone says it can be achieved by using container managed security policy. I
can do it through tomcat 5.X using j_security servlet, but if I want to
customize the login action, such as logging the user's logon timestamp, how
can I do it? Does struts 1.x provide any JAAS related API to complete this?

Re: [struts] xwork 2.1 changes?

2007-12-16 Thread Dale Newfield

Don Brown wrote:

Then when is the code running?  In the inbound or outbound?  Sitemesh
works because it is activated on the outbound, and so should your
filter.  If inbound, then it won't, because the action proxy hasn't
been called yet.


Inbound.  I got confused because javax.servlet.Filter only has that one 
doFilter method and not a doBefore and doAfter style pair of 
methods, but what I forgot was that implementations get a chance to 
execute code both before and after the call down the chain.


I can place the securityFilter after my localeFilter, though, and once 
that's run I can grab the locale from 
org.springframework.context.i18n.LocaleContextHolder and use that to 
directly call com.opensymphony.xwork2.util.LocalizedTextUtil on the 
inbound side.


Thanks (again) for leading me in the right direction (again)!

-Dale
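
The inbound/outbound distinction discussed above, as an added example that is not code from the thread: a simplified model of the filter order Dale lists (cleanup, security, decorator, dispatcher). The Filter interface, the CONTEXT thread-local standing in for ActionContext and all other names are hypothetical; the model only shows which phase of doFilter sees a populated context.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;

/** Simplified model of a servlet filter chain; not Struts or Acegi code. */
public class FilterOrderDemo {
    // Stand-in for the per-thread ActionContext (hypothetical: one string instead of a map).
    static final ThreadLocal<String> CONTEXT = new ThreadLocal<>();
    static final List<String> LOG = new ArrayList<>();

    interface Filter { void doFilter(Iterator<Filter> chain); }

    // Equivalent of chain.doFilter(request, response): hand over to the next filter.
    static void next(Iterator<Filter> chain) {
        if (chain.hasNext()) chain.next().doFilter(chain);
    }

    static void record(String who) {
        LOG.add(who + ": context=" + CONTEXT.get());
    }

    // Outermost filter: does nothing inbound, clears the context once the response is done.
    static final Filter CLEANUP = chain -> {
        try { next(chain); } finally { CONTEXT.remove(); }
    };

    // One doFilter method, two phases: code before next() is inbound, code after is outbound.
    static final Filter SECURITY = chain -> {
        record("security inbound");   // a login listener fired here runs before any action
        next(chain);
        record("security outbound");
    };

    // Decorators do their work on the way out, after the action has produced output.
    static final Filter DECORATOR = chain -> {
        next(chain);
        record("decorator outbound");
    };

    // Innermost filter: creates the context, runs the action, leaves clearing to CLEANUP.
    static final Filter DISPATCHER = chain -> {
        CONTEXT.set("action context");
        record("action");
    };

    /** Runs one request through the chain and returns what each phase observed. */
    static List<String> run() {
        LOG.clear();
        next(Arrays.asList(CLEANUP, SECURITY, DECORATOR, DISPATCHER).iterator());
        record("after request");
        return new ArrayList<>(LOG);
    }

    public static void main(String[] args) {
        run().forEach(System.out::println);
    }
}
```

Only the inbound half of the security filter observes an empty context, which is why work that needs localized text at login time has to take its locale from something set earlier in the chain.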
