Title: RE: Has anyone implemented security and authentication in a Struts app?

We are in the process of writing a lightweight framework for role-based authorization because no other options have panned out. I've searched for open-source solutions, but find none. As David Geary said, it's not really rocket science, but to do it well and to make it generalized for different situations gets harder quickly. That's why there are companies that make a good living selling packages like Siteminder and ClearTrust.

I'd also suggest thinking about security in a slightly different way, by taking it out of the realm of the application. Unless you've got very fine-grained access control requirements, your application will be much more portable and maintainable if you let someone/something else worry about "security." Containers are going to have differing schemes until the end of time, but they are the second-best place to define security (the best being even further removed, at the web server). For one, security policies are often the realm of a group completely removed from application development, and, if they're really serious about it, are very uncomfortable with the thought of having security implemented within an application - much harder to audit or verify its stoutness.

More importantly, unless you're at the level of the container, or above, you can't protect any static pages that might be part of your application, and you have to put explicit checks in each of your JSPs - forget it in one JSP and your app is compromised.

All this is to say that if you're writing a framework for your own app or organization and know what the ground rules are going to be, it's not that hard. If you want one that's general and covers lots of situations, that is harder work, and explains why there are slim pickings (unless you've got the $$ to buy one). Seems like a niche waiting to be filled for the open source community...

I hope that's not too much soap-boxing. If you've got more specific questions, I'd be happy to offer some more concrete ideas.

John Brugge
Senior Specialist, e-Commerce Solutions
Compuware Corporation
Madison, Wisconsin
608-223-3800
[EMAIL PROTECTED]

    -----Original Message-----
    From:   Davina and Mac [SMTP:[EMAIL PROTECTED]]
    Sent:   Sunday, February 25, 2001 11:16 AM
    To:     [EMAIL PROTECTED]
    Subject:        Has anyone implemented security and authentication in a Struts app?

    Has anybody out there implemented a roles-based security system in a Struts
    application? If so, did you use an existing class library or write your own?
    It seems to me that relying on container providers for security schemes
    makes it almost impossible to write portable applications, and Struts/MVC,
    with its single point of access and clearly defined actions would be an
    ideal place to implement security...
    thoughts anyone?

    Mac Ferguson
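To make the container-managed alternative discussed in this thread concrete, here is an added example of a servlet `web.xml` fragment; it is not code from either poster or from the Struts project. It declares the role-based constraint at the container level so that static HTML, JSPs and Struts `*.do` actions under one path are all covered by a single rule, which is the point about not having to put an explicit check in every JSP. The path `/secure/*`, the role name `manager` and the realm name are assumptions chosen for illustration; the mapping of real users to that role is done in the container's own realm configuration, which is where the container-to-container differences mentioned above actually live.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC
  "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>

  <!-- Struts controller servlet: every *.do request enters here.
       This is the "single point of access" in the original question,
       but the container constraint below is evaluated BEFORE the
       request ever reaches this servlet. -->
  <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>

  <!-- One constraint protects everything under /secure/: static
       report.html, any JSP, and any *.do action mapped there.
       Nothing inside the application has to remember to check. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Management area (assumed path)</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
      <!-- Listing methods restricts only these; omit the element
           entirely to cover every HTTP method. -->
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <!-- Only principals the container maps to this role get in. -->
      <role-name>manager</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Require HTTPS for the protected area so credentials and
           session identifiers are not sent in the clear. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- How the container authenticates: form-based login, with the
       login and error pages supplied by the application. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>ExampleRealm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Roles referenced by auth-constraint must be declared here;
       the user-to-role mapping itself is container-specific. -->
  <security-role>
    <role-name>manager</role-name>
  </security-role>

</web-app>
```

Inside the application, Struts actions and JSPs can still consult `request.isUserInRole("manager")` or `request.getUserPrincipal()` for finer-grained decisions, but a forgotten check in one JSP no longer exposes the area, because the container has already refused unauthenticated or unauthorized requests for anything matching `/secure/*`.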
