RACF?!? Most impressive... Glad the hint helped. :)

On Fri, Dec 19, 2008 at 4:13 PM, Harry Metske <[email protected]> wrote:

> Andrew,
>
> I forgot to follow up on this, sorry.
> I implemented a Stripes interceptor (based on the sample provided on the
> Stripes website).
> Works like a charm, together with a Jaas login module (authentication
> against RACF) and a basic login.jsp the problem is now solved elegantly.
>
> thanks for the hint.
>
> regards,
> Harry
>
> 2008/11/27 Harry Metske <[email protected]>
>
> > yes I have read about that but wasn't sure if it would help me.
> > the important point thing you say here is "forward the user as needed to a
> > login or "unauthorized" page if the role check fails" with the emphasis on
> > login page.
> > So if I understand it correctly, users that don't have an account should
> > still be able to use the "Read functions" that way.
> >
> > I'll have a look at it and see if I can make it work, thanks for the help!
> >
> > regards,
> > Harry
> >
> > 2008/11/27 Andrew Jaquith <[email protected]>
> >
> >> I am not sure if this will be possible, but it seems to me that you should
> >> not have to use multiple URLs for the scenario you described.
> >>
> >> For role-based access to particular ActionBean methods, I recommend
> >> annotating the handler methods (read, edit etc) with annotations that denote
> >> the roles that are allowed to execute them. Then, you would provide an
> >> Interceptor implementation that fires after event resolution but before
> >> validation. The Interceptor's job would be to make the authorization
> >> decision and forward the user as needed to a login or "unauthorized" page if
> >> the role check fails.
> >>
> >> This is actually a pretty simple and elegant approach because you don't
> >> need to modify ActionBeans, or use separate URL schemes, to do it. This
> >> Interceptor-based approach is the strategy JSPWiki 3 takes.
> >>
> >> There is a community-developed SecurityInterceptor floating around on the
> >> Stripes site somewhere. You should take a look at that first.
> >>
> >> Regards,
> >>
> >> Andrew
> >>
> >>
> >> On Nov 26, 2008, at 16:01, Harry Metske <[email protected]> wrote:
> >>
> >>> Andrew,
> >>>
> >>> will it then be possible to have more than one URL bound to the same
> >>> ActionBean?
> >>> I ask because I currently work on a simple Stripes based CRUD application,
> >>> and I'm using the same ActionBean for all actions (Create, Read, Update,
> >>> Delete).
> >>> I want read to be publicly available, but the others should be J2EE
> >>> protected with a security-constraint.
> >>> So would it be possible to have 2 URLs, like:
> >>> /nonpub/MyActionBean
> >>> /pub/MyActionBean
> >>> Where only the first one is protected.
> >>> Of course, there is some additional security checking required in the
> >>> ActionBean.
> >>>
> >>> regards,
> >>> Harry
> >>>
> >>> 2008/11/26 Andrew Jaquith <[email protected]>
> >>>
> >>>> FYI --
> >>>>
> >>>> Ben Gunter @ the Stripes project just committed a new enhancement that I'd
> >>>> requested in August, namely the ability to create ActionBean URLBindings
> >>>> from arbitrary String patterns. It will ship in 1.5.1.
> >>>>
> >>>> This is excellent news because it makes it possible for third parties (like
> >>>> us) to fairly easily create, for example, URLBinding patterns that are read
> >>>> from text files. This gives us an option for binding URLs to ActionBeans
> >>>> other than the default method, which is to get them from class annotations.
> >>>> My intent is to create a FileActionResolver to do this, at a slightly later
> >>>> point in the 3.0 dev cycle.
> >>>>
> >>>> For the Americans on this list -- happy Thanksgiving.
> >>>>
> >>>> Andrew
