I don't think I should restructure my application.
If you use parameters to transfer information from page to page, I am sure you will encounter the same situation.

In fact, many web sites have to face the problem.



==============================================
Ji Liu





From: bryan <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: Struts Developers List <[EMAIL PROTECTED]>
Subject: Re: why not extend struts to support access control?
Date: Sun, 26 Sep 2004 16:50:18 +0200

I think you need to restructure your application.

--b


On Sun, 26 Sep 2004 22:40:18 +0800, liu ji <[EMAIL PROTECTED]> wrote:
> I have just read the example.
> I don't see any clue that acegi solved the problem.
>
> Although it can ensure security at the function level, it isn't very useful.
>
> I can secure my system at a high level, not the function level.
>
> It also uses IoC, which Struts doesn't support. If I want to use it, I have to
> use Spring.
>
> Your example is role checking. But access control is more complex.
> For example, when user A wants to edit his information, the URL may be like
> this: http://user/editProfile.do?id=userA. The editProfile.do uses the id
> parameter to get the profile of user A. Before doing that, the application
> should check whether the request is requested by user A. So editProfile
> should compare the id parameter with the id property stored in the session.
>
> Maybe more complex: for example, the id parameter indicates the order id. A user
> may have a lot of order ids; they can only edit the orders which weren't
> shipped. How can acegi solve this?
>
> Sorry, I ask a lot of questions, and many of them are irrelevant to Struts.
>
>
>
>
> ==============================================
> Ji Liu
>
> >From: bryan <[EMAIL PROTECTED]>
> >Reply-To: [EMAIL PROTECTED]
> >To: liu ji <[EMAIL PROTECTED]>, Struts Developers List <[EMAIL PROTECTED]>
> >Subject: Re: why not extend struts to support access control?
> >Date: Sun, 26 Sep 2004 13:40:01 +0200
> >
> >it does support it, just depends on whether or not you correctly
> >structured your application.
> >
> >Here is a sample app that I wrote to test it.
> >
> >https://jestate.dev.java.net/files/documents/1364/7000/ageci-quick-start.zip
> >
> >There is ample documentation on their web site as well.
> >
> >--b
> >
> >
> >On Sun, 26 Sep 2004 18:59:55 +0800, liu ji <[EMAIL PROTECTED]> wrote:
> > > I don't think acegi security supports programmatic access control.
> > >
> > > By the way, how do you solve the programmatic access control problem?
> > >
> > > ==============================================
> > > Ji Liu
> > >
> > >
> > > >From: bryan <[EMAIL PROTECTED]>
> > > >Reply-To: [EMAIL PROTECTED]
> > > >To: Struts Developers List <[EMAIL PROTECTED]>
> > > >Subject: Re: why not extend struts to support access control?
> > > >Date: Sun, 26 Sep 2004 12:44:40 +0200
> > > >
> > > >http://acegisecurity.sourceforge.net
> > > >
> > > > >unless of course you feel an irresistible urge to reinvent the wheel for the
> > > > >10000000000000th time ......
> > > > >
> > > > >--b
> > > > >
> > > > >
> > > > >On Sun, 26 Sep 2004 05:07:32 +0000, liu ji <[EMAIL PROTECTED]> wrote:
> > > > > > Thank you.
> > > > > > I know a filter can do this very well. But filters have some drawbacks. I don't
> > > > > > know how to express this, because of my poor English.
> > > > > > Without Struts, I can use a single filter to delegate the request to my
> > > > > > access control framework. I have already done this.
> > > > > > But when using Struts, there will be some redundancies.
> > > > > > And I think Struts should provide this.
> > > > > >
> > > > > > Maybe an access control framework which doesn't depend on Struts is more
> > > > > > attractive.
> > > > > > I want this kind of framework.
> > > > > > Do you know where I can find one?
> > > > >
> > > > > ==============================================
> > > > > Ji Liu
> > > > >
> > > > > >From: "Frank W. Zammetti (MLists)" <[EMAIL PROTECTED]>
> > > > > >Reply-To: [EMAIL PROTECTED]
> > > > > >To: "Struts Developers List" <[EMAIL PROTECTED]>
> > > > > >Subject: Re: why not extend struts to support access control?
> > > > > >Date: Sat, 25 Sep 2004 13:12:44 -0400 (EDT)
> > > > > >
> > > > > > >I'm not sure I follow your reasoning... In terms of security, you ALWAYS
> > > > > > >want a user to be authenticated and validated before ANY application-level
> > > > > > >code executes, and in my mind, that very much includes input validations.
> > > > > > >Filters provide this mechanism, before Struts comes into play, which is
> > > > > > >where it should happen.
> > > > > > >
> > > > > > >In an enterprise-class application, the trend, and rightly so I think, is
> > > > > > >to externalize security, meaning when a URL is requested, the web server
> > > > > > >hands the user authentication piece off to some handler (like Netegrity
> > > > > > >Siteminder as an example), so it's not the web server, app server or even
> > > > > > >a filter that handles checking if a user is valid for each request.
> > > > > > >
> > > > > > >Am I missing something that might change my mind?
> > > > > >
> > > > > >--
> > > > > >Frank W. Zammetti
> > > > > >Founder and Chief Software Architect
> > > > > >Omnytex Technologies
> > > > > >http://www.omnytex.com
> > > > > >
> > > > >
> > > > >
_________________________________________________________________
> > > > > ?稿?绉烽?????n?绁?MSN Explorer:
http://explorer.msn.com/lccn
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > > >
> > > > >
> > > >
> > > ---------------------------------------------------------------------
> > > >To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > >For additional commands, e-mail: [EMAIL PROTECTED]
> > > >
> > >
> > > _________________________________________________________________
> > > 娴???ゆ????娑??娓舵径?娈????????娆㈢化?ょ埠?
?MSN Hotmail??
> http://www.hotmail.com
> > >
> > >
>
> _________________________________________________________________
> 涓???虹????杩??浜ゆ?锛??浣跨? MSN Messenger:
http://messenger.msn.com/cn
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
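The two checks liu ji describes in the thread (the `id` parameter must match the user id held in the session; an order must belong to that user and not yet be shipped), written out as an added example that is not code from any poster, Struts or Acegi. The class, record and field names and the in-memory order map are assumptions; records need Java 16 or later.

```java
import java.util.Map;

// Added illustration: object-level checks for the two cases raised in the thread.
// All names and the sample data are hypothetical, not Struts or Acegi APIs.
public class OwnershipCheckExample {

    record Order(String id, String ownerId, boolean shipped) {}

    enum Decision { ALLOW, DENY_NOT_OWNER, DENY_SHIPPED, DENY_NOT_FOUND }

    // Constructed sample data standing in for the order table.
    static final Map<String, Order> ORDERS = Map.of(
            "o-1", new Order("o-1", "userA", false),
            "o-2", new Order("o-2", "userA", true),
            "o-3", new Order("o-3", "userB", false));

    // Case 1 (editProfile.do?id=...): the id parameter is client-supplied,
    // so it is only accepted when it equals the user id held in the session.
    static Decision canEditProfile(String sessionUserId, String idParam) {
        if (sessionUserId == null || !sessionUserId.equals(idParam)) {
            return Decision.DENY_NOT_OWNER;
        }
        return Decision.ALLOW;
    }

    // Case 2 (order id as parameter): load the record first, then check
    // ownership against the session user, then the business rule (not shipped).
    static Decision canEditOrder(String sessionUserId, String orderIdParam) {
        Order order = (orderIdParam == null) ? null : ORDERS.get(orderIdParam);
        if (order == null) {
            return Decision.DENY_NOT_FOUND;
        }
        if (!order.ownerId().equals(sessionUserId)) {
            return Decision.DENY_NOT_OWNER;
        }
        if (order.shipped()) {
            return Decision.DENY_SHIPPED;
        }
        return Decision.ALLOW;
    }

    public static void main(String[] args) {
        System.out.println(canEditProfile("userA", "userA"));
        System.out.println(canEditProfile("userA", "userB"));
        for (String id : new String[] {"o-1", "o-2", "o-3", "o-9"}) {
            System.out.println(id + " -> " + canEditOrder("userA", id));
        }
    }
}
```

An action or filter would call these before loading or changing the object, and can return the same error response for every `DENY_*` result so the reply does not reveal whether an id exists.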