Brandon,

Your project sounds like it could be useful. I am using iPlanet webserver, which is Servlet 2.2 compliant but does implement the Filters for Servlet 2.3. (see below) I read through the mail archives, and hopefully I read everything to date.

I had once looked at programmatically telling the webserver container to log the user in. I couldn't find any way of doing that through a servlet spec compliant interface. So I decided to implement programmatic security, where in each action if the user isn't logged in, then they are redirected to a secured link in the container. The container would then pop up the j_security_check form and the user could log in.

I can see using filters as being a great improvement, and I looked into using them before, but I wasn't sure how to implement it elegantly with multiple web-apps and with making it work with an application server. I couldn't figure out how to keep the security configurations separate for each web-app.

Oh, and is your source available yet? I looked for it on sourceforge and didn't find it.

Thanks,
Micah J. Schehl

__References__

From iPlanet Web Server: Programmer's Guide to Servlets:
http://docs.iplanet.com/docs/manuals/enterprise/50/servlets/war.htm

"Although iPlanet Web Server 6.0 supports only the Servlet 2.2 API in the web.xml file, the Filter API from the Servlet 2.3 specification is available in the web-apps.xml file. The filter and filter-mapping elements implement the Filter API. They are both subelements of a web-app element in the web-apps.xml file. Except for their file location, filter and filter-mapping are as described in the Servlet 2.3 specification."

----- Original Message -----
From: "Phase Web and Multimedia" <[EMAIL PROTECTED]>
To: "Struts Developers List" <[EMAIL PROTECTED]>
Sent: Tuesday, April 09, 2002 2:47 PM
Subject: RE: Declaritive Security Functionality

> This looks like it could use a Filter if you are on a 2.3 servlet spec
> Container. Do a search of "Security Solution" and the mail-archive. I am
> developing a security solution that sits in between struts and container
> managed security and allows for unique error page and login page
> configuration. I have a sourceforge project that I am setting up with this.
> Previously I was looking to replace the container managed security. But, now
> I have found a hook that will allow me to tie into it.
>
> Let me know if you find it useful.
> Brandon Goodin
> Phase Web and Multimedia
> P (406) 862-2245
> F (406) 862-0354
> [EMAIL PROTECTED]
> http://www.phase.ws
>
> -----Original Message-----
> From: Micah J. Schehl [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, April 09, 2002 12:30 PM
> To: [EMAIL PROTECTED]
> Subject: Declaritive Security Functionality
>
> I have implemented struts in some projects and have found a need for doing
> declarative security. Much like your role-based security, I would like to
> define the security in the struts config xml file, but I am looking at
> taking a step further. I would appreciate any advice or pointers. This
> will be my first time getting deep into the Struts source code.
>
> The problem I am trying to get a good solution for is redundant code
> checking conditions at the beginning of each action. If the user doesn't
> pass all the conditions then they are rejected from the page. The rejection
> would be configurable to either show as a "page not found" or would
> forward/redirect them to a specified page.
>
> Here is what I was thinking that the struts config file might look like.
>
> <security-checker name="roleCheck"
>     class="com.schehl.security.IsUserInRole" />
>
> <action path="/showMain" type="com.schehl.main.webapp.MainAction">
>   <security name="roleCheck">
>     <param>
>       <param-name>allow-roles</param-name>
>       <param-value>admin</param-value>
>     </param>
>     <param>
>       <param-name>allow-users</param-name>
>       <param-value>admin</param-value>
>     </param>
>     <failure path="/pages/no-access.jsp"/>
>     <!-- failure response="no page" / -->
>   </security>
>
>   <forward name="success" path="/pages/main.jsp" />
> </action>
>
> The class com.schehl.security.IsUserInRole would extend a class,
> com.strutssecurity.SecurityChecker, which would be responsible for setting
> the configuration parameters and would have a method boolean
> check(HttpRequest request) which would default to pass back true, but would
> be overridden to perform the checks.
>
> I thank you so much for any and all help, advice, or redirection you can
> give me.
>
> Thanks,
> Micah J. Schehl

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
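
The checker proposed in the quoted message, sketched as an added example; it is not code from either poster or from Struts. SecurityChecker and IsUserInRole follow the names in the proposal, while the Identity interface (a stand-in for HttpServletRequest), comma-separated parameter values, and the rule that a match on either allow-users or allow-roles grants access are assumptions.

```java
import java.util.*;
public class SecurityCheckDemo {
    // Stand-in for the two HttpServletRequest methods used, so this runs on a plain JDK.
    interface Identity {
        String getRemoteUser();
        boolean isUserInRole(String role);
    }
    // Hypothetical base class from the proposal; holds the <param> values.
    static abstract class SecurityChecker {
        private final Map<String, Set<String>> params = new HashMap<>();
        void setParam(String name, String csv) { // comma-separated lists are an assumption
            params.put(name, new HashSet<>(Arrays.asList(csv.trim().split("\\s*,\\s*"))));
        }
        Set<String> param(String n) { return params.getOrDefault(n, Collections.emptySet()); }
        // The proposal's default passes every request; subclasses override it.
        boolean check(Identity request) { return true; }
    }
    static class IsUserInRole extends SecurityChecker {
        @Override
        boolean check(Identity request) {
            String user = request.getRemoteUser();
            if (user == null) return false;               // not logged in
            if (param("allow-users").contains(user)) return true;
            for (String role : param("allow-roles")) {
                if (request.isUserInRole(role)) return true;
            }
            return false;                                 // no rule matched: reject
        }
    }
    // Constructed sample identity: a user name plus the roles it holds.
    static Identity identity(String user, String... roles) {
        Set<String> held = new HashSet<>(Arrays.asList(roles));
        return new Identity() {
            public String getRemoteUser() { return user; }
            public boolean isUserInRole(String r) { return held.contains(r); }
        };
    }
    public static void main(String[] args) {
        SecurityChecker checker = new IsUserInRole();
        checker.setParam("allow-roles", "admin");
        checker.setParam("allow-users", "admin");
        Identity[] samples = { identity("admin"), identity("bob", "admin"),
                               identity("carol", "staff"), identity((String) null) };
        for (Identity id : samples) {
            String outcome = checker.check(id) ? "run action" : "forward to /pages/no-access.jsp";
            System.out.println(id.getRemoteUser() + " -> " + outcome);
        }
    }
}
```

Because the base class passes every request by default, an action whose checker class forgets to override check() is left unprotected; the subclass here rejects whenever no rule matches.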