Just FYI :
JGuard is an open source JAAS implementation.

Regds
r-a-v-i

-----Original Message-----
From: Shilpa Vaidya [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 06, 2004 9:50 AM
To: 'Struts Users Mailing List'
Cc: [EMAIL PROTECTED]
Subject: RE: Authorization and Authentication in Struts

Hi ,
On these lines you can do Authorization and Authentication in Struts.
But it calls the tomcat 404 page, I am still doubtful as how to call a
customised page in this regards.
Can anyone help.
The below portion of code i believe should help in the given context.
Shilpa




private boolean _403 (  HttpServletRequest request, HttpServletResponse
response, ActionMapping mapping ) throws IOException
    {
    response.sendError ( HttpServletResponse.SC_FORBIDDEN, "No Access"
);

    return false;
    }


 public boolean allowAccess(String sRequestURL, ArrayList arrActions)
    {
        boolean bAllowAccess = false;
        String tempURL="";
        StringTokenizer stTok= new StringTokenizer(sRequestURL,".");
        String beforeTemp =stTok.nextToken();
        tempURL=beforeTemp.concat(".do");

                if() {
          //Compare or do all ur security checks in this function

                    bAllowAccess =true
                }
                }
            }

        return bAllowAccess;
    }

protected boolean processRoles ( HttpServletRequest request,
HttpServletResponse response, ActionMapping mapping) throws IOException,
ServletException
    {
    if ( request.getSession ( false ) == null ) return _403 ( request,
response, mapping );


    Roles objRoles = new Roles();
    HashMap ht_roles;

//Another condition
    if ( isWhiteSpace ( mapping.getRoles() ))
        return true;

    String sUrl = request.getServletPath();

    ServletContext ctx =getServletContext();
    HashMap hmRightsMap = (HashMap)ctx.getAttribute("rightsMap");

    try
        {

        RightsReader rightreader = new RightsReader( );
        ArrayList arrFinal=
rightreader.FilterRights(hmRightsMap,arrObtainrights);

        //last security check
        if(allowAccess(sUrl,arrFinal)==true)
                 return true;


    }catch(Exception e)
        {
        e.printStackTrace();
        }

    //call the _403 method
    return _403 ( request, response, mapping );

    }
}

-----Original Message-----
From: news [mailto:[EMAIL PROTECTED] Behalf Of Hal Klimer
Sent: Tuesday, July 06, 2004 12:22 AM
To: [EMAIL PROTECTED]
Subject: Authorization and Authentication in Struts


I have a question on how to implement authorization and authentication
with
the
Struts framework. In several DB tables we have users, groups,
permissions,
acls, etc where the security information is stored. We would like to
integrate
this information, in the best possible way with Struts. From what I have
read
so far it's seems that best place, perhaps, is to place this request
validation
code is in the processPreprocess() or the processRoles() of a user
extended
version of the RequestProcessor class. That way one could "look" at the
request
first, validate it against the logged user and his ACL and decide to let
him
pass or not. If this is the case how do I generate a "redirect" to a
"not
allowed/no security" action (possibly by overriding the
processActionPerform()
method) or just throw a NotAuthorizedException and let a global
exception
handler in Struts take care of it?
Is this a correct path of action? Please excuse me if this has been
already
talked about, maybe someone could lead me to previous discussions about
how
to
do this. Thanks in advance.


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

-- 


"This e-mail message may contain confidential, proprietary or legally
privileged information. It 
should not be used by anyone who is not the original intended recipient.
If you have erroneously 
received this message, please delete it immediately and notify the
sender. The recipient 
acknowledges that ICICI Bank or its subsidiaries and associated
companies,  (collectively "ICICI 
Group"), are unable to exercise control or ensure or guarantee the
integrity of/over the contents of the information contained in e-mail
transmissions and further acknowledges that any views 
expressed in this message are those of the individual sender and no
binding nature of the message shall be implied or assumed unless the
sender does so expressly with due authority of ICICI Group.Before
opening any attachments please check them for viruses and defects." 



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to