My previous solution was an extension on the Struts action mapping where I identified roles that people needed to belong to and I set it up as a property in the action config. This worked fine. But I had to remember to include two pieces of code in each action class. The other problem was that when I upgraded to 1.1 it broke my code. Extending action classes is nice. But it can cause a headache later when you have to change all of your code. The other thing was protecting other resources on the system. My action class did not protect my JSP files and image files. It only protected action mappings. I found that the action-based security model was a bit inefficient.
I have not spent any time using EJB. But I believe that JAAS could tie much together outside of a web container. That sentence is spoken in a fair amount of ignorance. I have spent a short amount of time looking into JAAS. The filter is merely an app-level component that could be fit into a larger security environment.

My solution fits a market that has users visiting their site who want to shop, read bulletin boards, chat or whatever. If someone goes to the shopping section, shops and then does a checkout, I don't want to forward them to a generic login page and then send them back to where they wanted to go in the first place. I want to provide contextual login pages. Container managed security does not supply this easily.

The solution that I put together allows you to use the login in three distinct ways:

1) You can define several Action mappings to the LoginRedirectAction that define an "auth" forward to the page you want them to go to once they are logged in. The form would call a particular action mapping.
2) You can call the LoginAction class directly from any page. This returns you to the page that was logged in from.
3) Finally, you can redirect to a login page of your choice upon the request of a protected resource. The protected resources are mapped as security-constraints. But you can have several security-constraints and each one can map to a different login page.

There is error page customization that is possible as well:

1) You can specify an error page in your action mapping as "error".
2) In the security constraint group you can define the error page for that constraint.
3) There is a generic error page for direct LoginAction calls.

I know this all sounds a bit confusing. But it would be nice if these options were available in a mature fashion. I am just trying to expand into a more flexible solution. I figured putting this on the board would do that.
Brandon Goodin
Phase Web and Multimedia
P (406) 862-2245
F (406) 862-0354
[EMAIL PROTECTED]
http://www.phase.ws

-----Original Message-----
From: Marcelo Vanzin [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 01, 2002 12:04 PM
To: Struts Users Mailing List
Subject: Re: Security Solution

Phase Web and Multimedia wrote:
> I wanted to offer some code if anyone is interested. I have seen many
> discuss security on archives and wanted to offer an alternative to container
> managed security.

Nice you came up with this problem again, since I remember reading something about it in the archives, but did not participate in the threads. :-)

We have a situation a little more complicated here: we need our users to be propagated to a remote server where we access some session EJBs. From what I understood from the specs, for this we *need* to use container managed security, so that the user Principal is propagated to the sessionContext when we create the remote objects. (BTW, I haven't tested this, so I do not know if it really works. We are using Tomcat talking remotely to a Weblogic server. Has someone worked with this?)

So, I guess that anything outside container managed security is out of the question for us. What I did is a little ugly, but is working fine:

- Since not all actions are going to be protected, I extended the ActionMapping class to have two more attributes: one that says if the mapping needs the user to be logged in, and another identifying which permission the user needs (this one is optional and based on the way Weblogic implemented security, which is a little more complex than the basic user/role thing defined by the servlet spec; anyway, it's not relevant here).
- I have a base Action class where I check if the user is logged in, in case the current mapping needs a login. This is done in the perform method, before anything else is executed.
- If the user is not logged in, I send a redirect to a "login" forward.
  The path to this login forward has protected access (declared in the web.xml file).
- Once the user logs in, the action executed by the "login" forward redirects the user to the page he wanted to go to in the first place. This path is stored in the user's session (and is removed after the login is completed).

It's been working rather nicely with the simple cases I tested. I'm working on creating a custom realm for Tomcat where I'll be able to access our remote user database.

The problem is that I'm extending the framework a bit (the "needLogin" part of the ActionMapping). I've seen people suggesting that something similar was incorporated into the framework, and I think that'd be a nice addition.

--
[]'s
Marcelo Vanzin
Touch Tecnologia
[EMAIL PROTECTED]
"Life is too short to drink cheap beer"

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
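As an added illustration of the "needLogin" ActionMapping pattern Marcelo describes (this is not code from either poster), assuming the Struts 1.0 perform() signature, that the extended mapping class is registered in struts-config.xml (configuration not shown), and a hypothetical session key "returnPath" for the saved request path:

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
/** ActionMapping with the extra "needLogin" attribute, set per mapping in struts-config.xml. */
class SecureActionMapping extends ActionMapping {
    private boolean needLogin = false;
    public boolean getNeedLogin() { return needLogin; }
    public void setNeedLogin(boolean needLogin) { this.needLogin = needLogin; }
}

/** Base class for every action: the login check runs in perform() before anything else. */
abstract class BaseAction extends Action {
    static final String RETURN_KEY = "returnPath"; // hypothetical session key for the saved path
    public ActionForward perform(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        boolean needLogin = mapping instanceof SecureActionMapping
                && ((SecureActionMapping) mapping).getNeedLogin();
        // Container-managed security: the Principal is the authoritative "logged in" signal.
        if (needLogin && request.getUserPrincipal() == null) {
            // Save the server-derived URI (never a user-supplied parameter) to avoid open redirects.
            String uri = request.getRequestURI();
            if (request.getQueryString() != null) uri += "?" + request.getQueryString();
            request.getSession().setAttribute(RETURN_KEY, uri);
            return mapping.findForward("login"); // the login path itself is constrained in web.xml
        }
        return doPerform(mapping, form, request, response);
    }

    /** Subclasses do their real work here; it only runs once the check above has passed. */
    protected abstract ActionForward doPerform(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException;
}

/** Target of the "login" forward: once the container has authenticated, send the user back. */
class LoginAction extends Action {
    public ActionForward perform(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws IOException {
        String path = (String) request.getSession().getAttribute(BaseAction.RETURN_KEY);
        request.getSession().removeAttribute(BaseAction.RETURN_KEY); // one-shot: cleared after login
        if (path == null) path = request.getContextPath() + "/"; // nothing saved: go to the root
        response.sendRedirect(response.encodeRedirectURL(path));
        return null; // null tells the ActionServlet the response has already been handled
    }
}
```

Because the saved path comes from the request URI the server itself observed, the post-login redirect cannot be steered to an external site the way a login page that accepts a "next" parameter can.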

