Folks - I'm having some problems figuring out security in Stripes. I'm attempting to use the J2EESecurityManager model described in the Stripes book, and I'm missing something obvious...
I set up a login action that sets a user ID and is supposed to (or so I thought) signal to the security manager that "hey, I'm logged in". When I then redirect to an action bean that I've marked as requiring a certain role, I get a 401 error message saying "This request requires HTTP authentication()."
I'm attaching my security manager class, the login action bean, and the bean requiring the user be logged in. Any help on where I went wrong would be appreciated.
-- John
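package util;

import org.stripesstuff.plugin.security.*;
import daoimpl.RoleDao;
import net.sourceforge.stripes.action.*;
import java.lang.reflect.*;
import java.util.*;
import model.*;
import action.*;
import org.apache.log4j.*;

/**
 * Security manager that answers authentication and role checks from the
 * {@link Person} held by the application's {@code MyActionBeanContext},
 * rather than from the servlet container.
 *
 * <p>Every check fails closed: an unexpected context type, a missing user, a
 * missing role collection, or a role name the DAO cannot resolve all deny.
 *
 * <p>NOTE(review): this class does not handle the access-denied case itself,
 * so a denied check presumably surfaces as the HTTP 401 described in the
 * post; confirm against the security plugin's interceptor.
 */
public class HaxSecurityManager extends J2EESecurityManager {
    private static final Logger log = Logger.getLogger(HaxSecurityManager.class);

    /**
     * Reports whether a logged-in user is attached to the bean's context.
     *
     * @param bean    the action bean being secured
     * @param handler the event handler about to run (unused)
     * @return {@code true} when the context holds a user, otherwise {@code false}
     */
    @Override
    protected Boolean isUserAuthenticated(ActionBean bean, Method handler) {
        return getUser(bean) != null;
    }

    /**
     * Reports whether the logged-in user holds the named role.
     *
     * @param actionBean the action bean being secured
     * @param handler    the event handler about to run (unused)
     * @param role       the role name required by the bean or handler
     * @return {@code true} only when a user is present and its role collection
     *         contains the role the DAO resolves for {@code role}
     */
    @Override
    protected Boolean hasRole(ActionBean actionBean, Method handler, String role) {
        log.debug("Checking for role");
        Person user = getUser(actionBean);
        if (user == null) {
            return false;
        }
        Collection<Role> roles = user.getRoles();
        if (roles == null) {
            return false;
        }
        // Held as Object: only Collection.contains(Object) consumes it, and the
        // DAO's declared return type is not visible here.
        Object required = RoleDao.getInstance().findByRoleName(role);
        if (required == null) {
            // Deny explicitly: contains(null) would either match a stray null
            // entry or throw, depending on the collection implementation.
            log.warn("Required role could not be resolved: " + role);
            return false;
        }
        // NOTE(review): contains() relies on Role.equals()/hashCode(). If Role
        // does not override them, an instance loaded separately by RoleDao will
        // never match the user's instances and every check is denied; confirm.
        return roles.contains(required);
    }

    /**
     * Looks up the logged-in user from the bean's context.
     *
     * @param bean the action bean whose context is inspected
     * @return the stored user, or {@code null} when the bean is {@code null},
     *         the context is not a {@code MyActionBeanContext}, or no user is set
     */
    private Person getUser(ActionBean bean) {
        if (bean == null) {
            return null;
        }
        // ActionBean exposes getContext() itself, so no cast to BaseActionBean
        // is needed; the context type is checked instead of cast blindly.
        ActionBeanContext context = bean.getContext();
        if (!(context instanceof MyActionBeanContext)) {
            log.warn("Unexpected ActionBeanContext type - treating request as unauthenticated");
            return null;
        }
        Person user = ((MyActionBeanContext) context).getLoginID();
        if (user == null) {
            // An anonymous request is a normal case, not an error.
            log.debug("No logged in user found in context");
        } else {
            log.debug("Found current logged in user " + user.getUsername());
        }
        return user;
    }
}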
package action;

import net.sourceforge.stripes.action.*;
import javax.annotation.security.*;

/**
 * Action bean for the home page.
 *
 * <p>The class-level {@code @RolesAllowed("User")} marks every handler of this
 * bean as requiring the "User" role. The annotation is only a declaration;
 * enforcement depends on a security interceptor and manager configured
 * elsewhere, which this file does not show.
 */
@RolesAllowed("User")
public class HomeActionBean extends BaseActionBean {
    /** JSP under WEB-INF that the default handler forwards to. */
    private static final String HOME_VIEW = "/WEB-INF/jsp/home.jsp";

    /**
     * Default handler: forwards the request to the home page JSP.
     *
     * @return a forward to the home page view
     */
    @DefaultHandler
    public Resolution mainForm() {
        Resolution homeView = new ForwardResolution(HOME_VIEW);
        return homeView;
    }
}
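package action;

import daoimpl.*;
import model.*;
import util.*;
import net.sourceforge.stripes.action.*;
import org.apache.log4j.*;
import java.nio.charset.Charset;
import java.security.MessageDigest;

/**
 * Handles the login form: looks the user up by name, checks the submitted
 * password, and on success stores the user in the action bean context before
 * redirecting to the home page.
 */
public class LoginActionBean extends BaseActionBean {
    private static final Logger log = Logger.getLogger(LoginActionBean.class);
    private static final Charset UTF_8 = Charset.forName("UTF-8");

    private String username;
    private String password;

    public void setUsername(String username) {
        this.username = username;
    }

    public String getUsername() {
        return username;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    public String getPassword() {
        return password;
    }

    /**
     * Default handler: sends the browser back to the greeter page.
     *
     * @return a redirect to {@code GreeterActionBean}
     */
    @DefaultHandler
    public Resolution noName() {
        return new RedirectResolution(GreeterActionBean.class);
    }

    /**
     * Attempts to log the user in with the bound username and password.
     *
     * @return a redirect to {@code HomeActionBean} on success, otherwise a
     *         redirect to {@code GreeterActionBean} with an error message
     */
    public Resolution login() {
        log.debug("Starting login process");
        Person foundUser = UserDao.getInstance().findUserByName(getUsername());
        if (foundUser == null) {
            log.warn("Username not found in database");
            // NOTE(review): this message and the wrong-password message below
            // differ, which tells a caller whether an account name exists.
            // Consider one generic failure message for both cases.
            getContext().getMessages().add(new SimpleMessage("The specified username was not found in our database. Please create an account before attempting to log in."));
            return new RedirectResolution(GreeterActionBean.class);
        }

        // NOTE(review): the submitted password is compared directly with
        // foundUser.getPassword(), so the stored value appears to be plaintext.
        // Store a salted password hash (bcrypt/scrypt/argon2) and verify
        // against that instead.
        if (passwordMatches(getPassword(), foundUser.getPassword())) {
            MyActionBeanContext ctx = (MyActionBeanContext) getContext();
            // NOTE(review): the redirect below starts a new request, so
            // setLoginID() presumably has to store the user in the HttpSession
            // (not in the request) for the security manager to see it on
            // HomeActionBean; confirm. Issuing a fresh session id at this point
            // would also guard against session fixation.
            ctx.setLoginID(foundUser);
            log.debug("Logging in user " + forLog(this.username));
            return new RedirectResolution(HomeActionBean.class);
        }

        log.warn("Password incorrect for user " + forLog(this.username));
        getContext().getMessages().add(new SimpleMessage("The password given is incorrect. Please try again."));
        return new RedirectResolution(GreeterActionBean.class);
    }

    /**
     * Compares two passwords without short-circuiting on the first differing
     * character. A missing value on either side never matches, so a request
     * with no password parameter is rejected instead of throwing.
     */
    private static boolean passwordMatches(String submitted, String stored) {
        if (submitted == null || stored == null) {
            return false;
        }
        return MessageDigest.isEqual(submitted.getBytes(UTF_8), stored.getBytes(UTF_8));
    }

    /** Replaces line breaks so a request value cannot forge extra log lines. */
    private static String forLog(String value) {
        return value == null ? null : value.replaceAll("[\\r\\n]", "_");
    }
}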