Title: RE: Has anyone implemented security and authentication in a Struts app?
Hmmmm. Those are some very good points. The situation I am faced with now (and have been on a couple of occasions) is porting to MVC a content management system that is steadily growing in complexity. I have to implement several roles which will be assigned Create/Read/Update/Delete rights on various components; eventually there will also be a set of workflow management permissions as well (Authorize/Publish), probably attached to the data somehow. So my needs go a ways beyond authentication as it is implemented in most web servers. The only open-source projects I've seen that are really related are OpenSymphony's OSUser, which is far from functional, and Caucho's Quercus, which seems to be dependent on Resin's JNDI services (although I haven't really dug into this code yet). I am considering starting something based on JAAS and making it available when/if it becomes workable. It would probably be pretty much geared towards Struts to begin with. If only I didn't have to sleep, then I'd have time for this...
 
Thanks,
Mac Ferguson
-----Original Message-----
From: Brugge, John [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 26, 2001 10:26 AM
To: '[EMAIL PROTECTED]'
Subject: RE: Has anyone implemented security and authentication in a Struts app?

We are in the process of writing a lightweight framework for role-based authorization because no other options have panned out. I've searched for open-source solutions, but have found none. As David Geary said, it's not really rocket science, but to do it well and to make it generalized for different situations gets harder quickly. That's why there are companies that make a good living selling packages like Siteminder and ClearTrust.

I'd also suggest thinking about security in a slightly different way, by taking it out of the realm of the application. Unless you've got very fine-grained access control requirements, your application will be much more portable and maintainable if you let someone/something else worry about "security." Containers are going to have differing schemes until the end of time, but they are the second-best place to define security (the best being even further removed, at the web server). For one, security policies are often the realm of a group completely removed from application development, who, if they're really serious about it, are very uncomfortable with the thought of having security implemented within an application - it is much harder to audit or verify its stoutness.

More importantly, unless you're at the level of the container, or above, you can't protect any static pages that might be part of your application, and you have to put explicit checks in each of your JSPs - forget it in one JSP and your app is compromised.

All this is to say that if you're writing a framework for your own app or organization and know what the ground rules are going to be, it's not that hard. If you want one that's general and covers lots of situations, that is harder work, and explains why there are slim pickings (unless you've got the $$ to buy one). Seems like a niche waiting to be filled for the open source community....

I hope that's not too much soap-boxing. If you've got more specific questions, I'd be happy to offer some more concrete ideas.

John Brugge
Senior Specialist, e-Commerce Solutions
Compuware Corporation
Madison, Wisconsin
608-223-3800
[EMAIL PROTECTED]

    -----Original Message-----
    From:   Davina and Mac [SMTP:[EMAIL PROTECTED]]
    Sent:   Sunday, February 25, 2001 11:16 AM
    To:     [EMAIL PROTECTED]
    Subject:        Has anyone implemented security and authentication in a Struts app?

    Has anybody out there implemented a roles-based security system in a Struts
    application? If so, did you use an existing class library or write your own?
    It seems to me that relying on container providers for security schemes
    makes it almost impossible to write portable applications, and Struts/MVC,
    with its single point of access and clearly defined actions would be an
    ideal place to implement security...
    Thoughts, anyone?

    Mac Ferguson

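The container-managed approach John argues for, shown as a deployment descriptor. This is an added illustration and not code from the thread or from any of the projects mentioned; the role names (editor, publisher), URL patterns and login pages are assumptions made for the example. The point it makes concrete is the one in John's message: a URL-pattern constraint is enforced by the container before any servlet, JSP or static file is served, so nothing under the protected path is reachable without the role, whether or not the individual page contains a check.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
  "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<!-- Added example web.xml; role names, paths and pages are assumed, not from the thread. -->
<web-app>

  <!-- Struts front controller: every action URL ends in .do -->
  <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>

  <!-- Everything under /admin/ (actions, JSPs and static HTML/images alike)
       requires the "editor" role. The container checks this before the request
       reaches any code, so a JSP with no explicit check, or a plain .html file,
       is still protected. No http-method is listed on purpose: listing some
       methods would leave the unlisted ones unconstrained. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Content administration</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>editor</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- A narrower constraint for the workflow step: only "publisher" may
       reach the publish action, even though it also lives under /admin/. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Publishing</web-resource-name>
      <url-pattern>/admin/publish.do</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>publisher</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Authentication is the container's job; the application never handles
       the credential itself. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>cms</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Roles referenced above must be declared; the container maps them to
       its own users/groups, which is where portability between containers
       breaks down (the descriptor is portable, the realm setup is not). -->
  <security-role><role-name>editor</role-name></security-role>
  <security-role><role-name>publisher</role-name></security-role>

</web-app>
```

Two caveats a practitioner would want alongside this. First, constraints apply to the request URL only: a RequestDispatcher forward or include from an unprotected action to a JSP under /admin/ is not re-checked, so the usual Struts practice of keeping JSPs under /WEB-INF/ (unreachable by direct request, reachable by forward) is what keeps the JSPs from becoming a side door. Second, the fine-grained Create/Read/Update/Delete decisions Mac describes still have to live in the application; what the container gives you there is the identity and `request.isUserInRole(...)`, so those checks can be made once in a common Action base class rather than in each JSP.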