You can also put an execute method in the base action that does the 'logged-in' check, and use a global forward to forward to login page.
If you do this, then add an abstract method eg executeAction with the same signature as execute, and call it. The main advantage of this is to stop you forgetting to make the required security calls at the beggining of the subclassed action! Daniel. > -----Original Message----- > From: Susan Bradeen [mailto:[EMAIL PROTECTED] > Sent: 19 August 2004 15:17 > To: Struts Users Mailing List > Subject: Re: Security - From tradition to struts > > > Excellent explanation, Erik. Consider adding this to the Struts Wiki for > posterity? Must be a place for it in there somewhere ... > > Erik Weber <[EMAIL PROTECTED]> wrote on 08/19/2004 08:31:08 AM: > > > Sorry, by "hand-rolled" I just mean one that is written > specifically for > > > the application (written by you). > > > > The general idea is something like this: > > > > Make a BaseAction class. > > > > Implement a checkLogin method in the BaseAction class that looks in the > > current request's HttpSession for a "User" object, which you would have > > placed into the session in your LoginAction. > > Implement a checkPermission method in the BaseAction class that > looks in > > > the current HttpSession for a role associated with the user (maybe this > > is part of the "User" object) that matches the role required for the > > current request (or you can go as fine-grained as you want, with many > > different permissions to check for a single request) to be granted. > > > > All your Action classes extend the BaseAction class. They can > invoke the > > > checkLogin and/or the checkPermission methods at the beginning of the > > execute method to decide whether/how to proceed. > > > > Write a LoginAction class that sets the "User" action, along with > > permissions, roles, etc., whatever else is needed in your > checkLogin and > > > checkPermission methods, in the session after login has succeeded (you > > have taken the entered username and password and matched them > > successfully against a username and password combination in your > > database -- typically in a USERS table). > > > > Write a Logout Action that invalidates the current session. > > > > Alternatively, you could check the login and the permissions the same > > way, but in a sublass of the Struts RequestProcessor, or in a Servlet > > Filter, instead of in a BaseAction class. > > > > If you want to go with container-managed security and you can use > > Tomcat, try this (you should probably read it anyway). > > > > http://jakarta.apache.org/tomcat/tomcat-5.0-doc/realm-howto.html > > > > I also suggest you read the security section of the J2EE tutorial, and > > the security sections of the JSP and Servlet specifications. > > > > If you go with container-managed security, it's real easy to allow/deny > > entire JSPs, but you still may need to implement finer-grained > > permissions checks on your own if you need to, for example, show/hide > > links on a page based on permissions. > > > > Erik > > > > Leandro Melo wrote: > > > > >Erik, > > >i don't quite understand what you call a hand-rolled > > >java component (maybe because of my english). > > >Anyway, it seems to me that you're not using JAAS to > > >completely control application's security, are u? > > >I don't know if it possible, but if so, would you post > > >your setup and basic classes? > > >I'm very very new at security stuff... > > >Anyway, i cleared out a lot of things for me. > > > > > >Thanks, > > >Leandro. > > > > > > > > > --- Erik Weber <[EMAIL PROTECTED]> escreveu: > > > > > > > > >>I don't really consider myself an expert here, but I > > >>dare say that there > > >>are a lot of webapps deployed out there using > > >>programmatic (hand-rolled) > > >>security successfully. I have used the approach with > > >>success. What > > >>exactly the advantages are to using > > >>container-managed security I am not > > >>able to fully deduce (except for the obvious -- it's > > >>nice to declare > > >>stuff in web.xml in a standardized way -- and that > > >>perhaps it might make > > >>Servlets a *little* more portable if you wanted to > > >>use them among > > >>different apps). But then again, I haven't had to > > >>take on a project yet > > >>where the environment was extremely complicated, > > >>when it came to how > > >>users and permissions were managed (typically I see > > >>the same tried and > > >>trusted setup -- USER, GROUP, ROLES and PERMISSIONS > > >>tables in some > > >>central database, and some hand-rolled Java > > >>component, used to authorize > > >>the current request, that is invoked in some > > >>"common" area, such as a > > >>Servlet Filter -- or, in Struts, a base Action class > > >>or a custom > > >>RequestProcessor). It seems like JAAS is still at an > > >>immature stage > > >>perhaps, or at least the state of documenation about > > >>it is. > > >> > > >>The other route it seems you could go is to use a > > >>container-managed > > >>login as you suggest, and enjoy using the methods > > >>such as > > >>request.isUserInRole instead of invoking security > > >>methods on a > > >>hand-rolled component, but I think you will have to > > >>give up the > > >>JBoss/Tomcat stack to do this for now (someone > > >>please correct me if I am > > >>wrong), because I think there is a security > > >>integration problem there, > > >>as I described earlier. I'm guessing Tomcat as stand > > >>alone might be a > > >>good way to go though. I have not done this and > > >>couldn't say whether it > > >>is "common and usual". > > >> > > >>I have tried to write my role-checking methods so > > >>that in the future if > > >>I port an application to JAAS I can just refactor > > >>them to invoke the > > >>standard methods instead of my own. But like I say, > > >>I'm far from an > > >>expert in this area. > > >> > > >>Hope that helps, > > >> > > >>Erik > > >> > > >>Leandro Melo wrote: > > >> > > >> > > >> > > >>>So Erik, is it a common and usual aproach to do > > >>> > > >>> > > >>login > > >> > > >> > > >>>outside of Struts (ordinary jsps), and then use > > >>> > > >>> > > >>Struts > > >> > > >> > > >>>afterwards??? > > >>> > > >>> > > >>>--- Erik Weber <[EMAIL PROTECTED]> > > >>> > > >>> > > >>escreveu: > > >> > > >> > > >>> > > >>> > > >>> > > >>> > > >>>>Leandro, search the archives of this List for > > >>>>"JAAS". I participated in > > >>>>a thread about this within the last two months. > > >>>> > > >>>>I'm not sure if I understand exactly what you want > > >>>>to do, but if you > > >>>>want to use container-managed security, I don't > > >>>> > > >>>> > > >>know > > >> > > >> > > >>>>of a way to have > > >>>>your login screen be part of Struts. As far as I > > >>>>know, you have to let > > >>>>the container process the request that results > > >>>> > > >>>> > > >>from > > >> > > >> > > >>>>the login screen's > > >>>>form submittal (I tried having an Action intercept > > >>>>this request and then > > >>>>attempt to login with the JBoss JAAS module > > >>>> > > >>>> > > >>manually > > >> > > >> > > >>>>but gave up when I > > >>>>realized problem # 2 -- below). > > >>>> > > >>>>Another problem you are probably going to run into > > >>>>is that the JBoss > > >>>>security context is not propagated to Tomcat, and > > >>>>vice versa, as far as > > >>>>I know. So if you authenticate using JBoss JAAS, > > >>>>Tomcat won't know about > > >>>>it, and the methods such as request.isUserInRole > > >>>>aren't going to do you > > >>>>any good (although you would presumably be able to > > >>>>use the similar > > >>>>methods on EJBs, because they are running within > > >>>> > > >>>> > > >>the > > >> > > >> > > >>>>JBoss security > > >>>>context). > > >>>> > > >>>>I found JAAS to be a nightmare, though a couple > > >>>>people gave me possible > > >>>>solutions to the problems I mentioned in the > > >>>> > > >>>> > > >>thread > > >> > > >> > > >>>>(one would be > > >>>>intercepting the login screen request and then > > >>>>manually logging in with > > >>>>both JBoss JAAS as well as Tomcat JAAS modules -- > > >>>>but I don't know if > > >>>>this has been done). I presume it's a much easier > > >>>>endeavor if you are > > >>>>just using Tomcat stand alone, but I'll let Craig > > >>>>address that if he > > >>>>wants, because I've never tried it. > > >>>> > > >>>>Erik > > >>>> > > >>>> > > >>>>Leandro Melo wrote: > > >>>> > > >>>> > > >>>> > > >>>> > > >>>> > > >>>>>Or i just extend the DatabaseServerLoginModule > > >>>>> > > >>>>> > > >>>>> > > >>>>> > > >>>>class > > >>>> > > >>>> > > >>>> > > >>>> > > >>>>>and leave an empty class???? > > >>>>> > > >>>>> > > >>>>> > > >>>>>--- Leandro Melo <[EMAIL PROTECTED]> > > >>>>>escreveu: > > >>>>> > > >>>>> > > >>>>> > > >>>>> > > >>>>> > > >>>>> > > >>>>>>Just complementing my question... > > >>>>>> > > >>>>>>Would it be fair if i copy JBoss' > > >>>>>>DatabaseServerLoginModule code and place it > > >>>>>> > > >>>>>> > > >>inside > > >> > > >> > > >>>>>>an > > >>>>>>Action??? > > >>>>>> > > >>>>>>This way, i'll have an Action (for example, > > >>>>>>MyLoginAction) that does exactly what > > >>>>>>DatabaseServerLoginModule does. > > >>>>>> > > >>>>>> > > >>>>>> > > >>>>>>--- Leandro Melo <[EMAIL PROTECTED]> > > >>>>>>escreveu: > > >>>>>> > > >>>>>> > > >>>>>> > > >>>>>> > > >>>>>> > > >>>>>> > > >>>>>>>Please help me out here! > > >>>>>>>I'm very new with jaas, so i need some help. > > >>>>>>> > > >>>>>>>I got a simple login that is working fine for > > >>>>>>> > > >>>>>>> > > >>me, > > >> > > >> > > >>>>>>>here > > >>>>>>>it is: > > >>>>>>> > > >>>>>>>... > > >>>>>>><FORM action='<%= > > >>>>>>>response.encodeURL("j_security_check")%>' > > >>>>>>> method="get"> > > >>>>>>> <!-- esses nomes tem q ser assim -> > >>>>>>>j_username > >>>>>>>--> > > >>>>>>> NOME:<INPUT type="text" name="j_username" > > >>>>>>> > > >>>>>>> > > >>>>>>> > > >>>>>>> > > >>>>>>> > > >>>>>>> > > >>>>>>/> > > >>>>>> > > >>>>>> > > >>>>>> > > >>>>>> > > >>>>>> > > >>>>>> > > >>>>>>> > > >>>>>>> <!-- tem q ser j_password --> > > >>>>>>> SENHA: <INPUT type="password" > > >>>>>>>name="j_password" > > >>>>>>>/> > > >>>>>>> <INPUT type="submit" value="Login" /> > > >>>>>>> > > >>>>>>> > > >=== message truncated === > > > > > > > > > > > > > > > > > >_______________________________________________________ > > >Yahoo! Acesso Grátis - navegue de graça com conexão de qualidade! > > >http://br.acesso.yahoo.com/ > > > > > >--------------------------------------------------------------------- > > >To unsubscribe, e-mail: [EMAIL PROTECTED] > > >For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > > > > > > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > > __________________________________________________________________ > ___________ > > Scanned for SoftLanding Systems, Inc. by IBM Email Security > > Management Services powered by MessageLabs. > > > __________________________________________________________________ > ___________ > > > __________________________________________________________________ > ___________ > Scanned for SoftLanding Systems, Inc. by IBM Email Security > Management Services powered by MessageLabs. > __________________________________________________________________ > ___________ > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
