Hi,

What is the best way to secure struts-webapps without Container Managed Security? I have heard of the following possible options but I am confused as to which one to choose:

1. Using Filters.
2. Override one of the process methods in the ProcessRequest.
3. Make a base action where you check for your criteria in every action's execute() method. Then have it invoke a custom "myExecute()" method which is where you would put the code you normally put in execute().

I am confused as to which one to choose because I want the security to be of the Application-level and I don't want to use any Container Managed Security. Also in my application I have different roles and each role has a separate set of privileges like Admin, Customer, Account Manager. I want the different menus or options to be available only if the login user is in that role.

Nirmal Kumar Li-3 wrote:
>
> I guess the best practise for secure struts webapp can never be answered by listing a few items of "what to do and how to do". It is a complicated topic and has many situations like for LAN, WAN ...
>
> Besides, will struts continue its development rather than enhancement? Or will webwork replace it sooner or later.
>
> On 8/29/06, Li <[EMAIL PROTECTED]> wrote:
>>
>> put secure page under /web-inf
>>
>> you can create a tag for checking session validation and/or user object.
>>
>> On 8/29/06, Leon Rosenberg <[EMAIL PROTECTED]> wrote:
>> >
>> > The options number 2 and 3 (filter and action) sound both very hale to me.
>> > If you just want to separate between logged in and not logged in users I would go for option 2.
>> > If you need fine-grained separation go for baseaction and make not only a login check but also one for action-dependent permissions.
>> >
>> > regards
>> > Leon
>> >
>> > On 8/29/06, Thomas Hamacher <[EMAIL PROTECTED]> wrote:
>> > > Hi everyone,
>> > >
>> > > I think I have a very basic question here, but after spending some time with google I haven't found a real solution to this question: What is the best way to secure a struts webapplication to be sure that only logged in users are allowed to do some special action and access some special pages?
>> > >
>> > > I found 3 possibilities, of which some seem to be a solution from older struts versions.
>> > >
>> > > - Extend the RequestProcessor and do a programmatic security-check
>> > > - Use a Filter to do the security check
>> > > - Extend all Actions from a customized BaseAction that does the security check.
>> > >
>> > > But all of this seems a bit strange to me. As security is a standard-problem in every webapplication and there are a lot of people who thought about solutions (JAAS) I can't believe that I have to extend the struts-framework myself to provide some security issues.
>> > >
>> > > So what would you recommend if you want to do a real secure application with struts, together with tiles, and want to be sure that no pages or actions are used without permission? And all of this independent of whether I use a Tomcat, a Resin or maybe a JBoss as my struts-web-server.
>> > >
>> > > Do you have any information, examples or URLs that have a real solution to this?
>> > >
>> > > Thank you very much
>> > >
>> > > Thomas
>>
>> --
>> When we invent time, we invent death.
>
> --
> When we invent time, we invent death.

--
View this message in context: http://www.nabble.com/Best-way-to-secure-struts-webapps--tf2182171.html#a7555589
Sent from the Struts - User mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
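Option 3 from the question (a BaseAction whose execute() checks login and role, then delegates to myExecute()), written out as an added example that is not code from anyone in this thread. It assumes a hypothetical User object stored under the session attribute "user" by the login action, and reads the role an action requires from the action mapping's parameter attribute in struts-config.xml.

```java
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Hypothetical user object placed in the session after a successful login. */
class User {
    private final String name;
    private final Set<String> roles;   // e.g. "Admin", "Customer", "AccountManager"
    User(String name, Set<String> roles) { this.name = name; this.roles = roles; }
    String getName() { return name; }
    boolean hasRole(String role) { return roles.contains(role); }
}

/** Every secured action extends this instead of Action and implements myExecute(). */
public abstract class BaseAction extends Action {
    static final String USER_KEY = "user";   // session attribute set by the login action

    public final ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        // Do not create a session here: an unauthenticated request may have none.
        HttpSession session = request.getSession(false);
        User user = (session == null) ? null : (User) session.getAttribute(USER_KEY);
        if (user == null) {
            return mapping.findForward("login");        // global forward to the login page
        }
        // Required role comes from <action ... parameter="Admin"> in struts-config.xml;
        // an action mapped without a parameter only requires a logged-in user.
        String requiredRole = mapping.getParameter();
        if (requiredRole != null && !user.hasRole(requiredRole)) {
            return mapping.findForward("unauthorized");  // deny by default, never fall through
        }
        return myExecute(mapping, form, request, response, user);
    }

    /** Subclasses put here what they would otherwise put in execute(). */
    protected abstract ActionForward myExecute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response, User user) throws Exception;
}
```

The check only protects requests that reach an Action, so the JSPs themselves still belong under /WEB-INF (as Li suggests) and the "login" and "unauthorized" forwards must be defined as global-forwards in struts-config.xml.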