On Sat, Mar 08, 2003 at 02:14:56AM +1100, Scott Farquhar wrote:
> We use a custom filter for security and logins, and that filter also has
> different services which return a list of roles for a given resource.
> For example there is a path mapper, which looks up a config file for
> which resources to protect.
>
> There is also a webwork service, which looks up actions.xml for the
> required roles. If you look at JIRA's actions.xml file, you will see a
> list of required roles for each action.

But this is custom authentication/authorization, right? Not j2ee
container managed security?

> You could also do something regarding security in the ActionDispatcher,
> along the same lines. This would mean you could still use normal J2EE
> security, rather than a custom grown filter.

Yes - this sounds interesting. If I manage to secure a certain action
alias pattern, I must assure that the action is not executed using the
class name. But - it's still a 'hack' :)

//Anders

> Cheers,
> Scott
>
> Anders Engström wrote:
> >Howdy.
> >
> >Is there a "best-practice" for using J2EE container managed security
> >with WebWork 1.3 (<security-constraint> etc. in web.xml)?
> >
> >I've discussed some possible strategies with Joseph (Ottinger) on irc,
> >but none of them seem natural.
> >
> >1 - prefix action mappings with secured-theaction.action in
> >views.properties and restrict access to these mappings in web.xml.
> >
> >2 - use different webwork.action.extension (.action & .secured-action)
> >and restrict access based on extension in web.xml (is it even possible
> >to specify more than one extension in webwork.properties?)
> >
> >3 - use web.xml to restrict access to the web-resources (i.e.
> >/jsp/secured/somepage.jsp). This would only protect the view, but not
> >the execution of the action.
> >
> >How are you folks out there managing this situation?
> >
> >Best Regards //Anders

--
Anders Engström
http://www.gnejs.net

Your mind is like an umbrella. It doesn't work unless you open it.
/Frank Zappa
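
The three strategies in the quoted question all depend on how web.xml `<url-pattern>` values match request paths. The following is an added example, not code from the thread or from WebWork: it models the Servlet specification's matching rules (exact, `/prefix/*`, `*.ext`) to show which paths each constraint would cover. The request paths, the class name `com.example.TheAction` and the function names are assumptions, and whether WebWork 1.3 would dispatch a given path is not modelled.

```python
# Added example: Servlet <url-pattern> matching applied to the thread's three strategies.
# All paths and the class name below are constructed for illustration.

def matches(pattern, path):
    """True if a web.xml <url-pattern> covers the context-relative request path."""
    if pattern.startswith("/") and pattern.endswith("/*"):    # path-prefix mapping
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):                              # extension mapping
        last = path.rsplit("/", 1)[-1]
        return "." in last and last.rsplit(".", 1)[1] == pattern[2:]
    return path == pattern        # anything else is an exact match; "*" is literal

def coverage(patterns, paths):
    """Map each path to True (some constraint pattern covers it) or False."""
    return {p: any(matches(pat, p) for pat in patterns) for p in paths}

ALIAS = "/secured-theaction.action"          # strategy 1: prefixed alias
BY_CLASS = "/com.example.TheAction.action"   # hypothetical: same action by class name
SECOND_EXT = "/theaction.secured-action"     # strategy 2: second extension
PLAIN = "/theaction.action"                  # the action under the normal extension
VIEW = "/jsp/secured/somepage.jsp"           # strategy 3: the JSP view

# strategy name -> (constraint url-patterns, request paths to check)
STRATEGIES = {
    "1 (glob on alias)": (["/secured-*.action"], [ALIAS, BY_CLASS]),
    "1 (exact alias)":   ([ALIAS], [ALIAS, BY_CLASS]),
    "2 (extension)":     (["*.secured-action"], [SECOND_EXT, PLAIN, BY_CLASS]),
    "3 (view only)":     (["/jsp/secured/*"], [VIEW, PLAIN]),
}

def report():
    """Coverage table for every strategy."""
    return {name: coverage(pats, paths) for name, (pats, paths) in STRATEGIES.items()}

if __name__ == "__main__":
    for name, result in report().items():
        for path, covered in result.items():
            state = "constrained" if covered else "NOT constrained"
            print(f"{name:20} {path:34} {state}")
```

Any path reported as not constrained is one the container will not protect, so the dispatcher itself would have to refuse it, which is the concern Anders raises about executing an action by class name.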