I'm using 100% Struts 2 security:
- centralized store (simple Java class/XML config file) which maps roles and actions
- interceptor if some user directly types the URL (based on the store)
- custom tag for showing/hiding links (based on the store)

This protects only *actions* and not data (i.e. which roles can see which rows in the database).

-----Original Message-----
From: wild_oscar [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 23 August 2007 16:15
To: user@struts.apache.org
Subject: Re: Authentication and Authorization in S2

How about AA with Struts2 only?

I'm trying to understand Authorization with JAAS, but I'm not being very successful.

Authentication is taken care of, I use JAAS and a PostgreSQL database to store users, passwords and roles. In the end of authentication, I store the subject in the HttpSession:

HttpSession session = httprequest.getSession();
session.setAttribute("subject_key", lc.getSubject());

Bear in mind I first tried this in Struts; this week I switched to Struts2.

Can anyone shed some light on the authorization part of the process with Struts2? Namely:

a) Does one ever need to configure web.xml with security details and roles, for declarative security based on wildcards? or
b) Is security only achieved at the action level?
c) How does one build JSP pages that have parts protected (say, a form/button only available to certain roles)?

Thank you for your help!

Miguel, lost in Authorization

Alvaro Sanchez-Mariscal wrote:
>
> I agree. You should first try Acegi.
>
> If your auth needs are very specific, you can always develop a custom interceptor.
>
> Alvaro.
>
> On 8/20/07, Zarar Siddiqi <[EMAIL PROTECTED]> wrote:
>> If you're using Spring, it's probably a great idea to use Acegi Security to handle authentication/authorization. I can't think of anything it can't do.
>>
>> http://www.acegisecurity.org/
>>
>> There's also Berkano which doesn't do nearly as much as Acegi but can handle most general AA problems:
>>
>> http://berkano.codehaus.org/
>>
>> Zarar
>>
>> On 8/20/07, Roberto Nunnari <[EMAIL PROTECTED]> wrote:
>> > Hi all.
>> >
>> > I need to implement Authentication and Authorization in a S2 web application, and before reinventing the wheel, I'd like to ask the list for hints and advice.
>> >
>> > 1) Is there built-in support in Struts2 for Authentication and Authorization?
>> >
>> > 2) What are the best practices for AA in S2?
>> >
>> > 3) Is JAAS a practical way in S2?
>> >
>> > More details:
>> > - The application lets the users dynamically register as members
>> > - In the application, the members can be part of one of two or three groups (roles)
>> > - unauthenticated users can only view some global data
>> > - authenticated users can change some of their own data
>> > - authenticated users can view some of other members' data
>> > - the authenticated users can add global content
>> > - authenticated users in more privileged roles can change some global data
>> > - authenticated users in the admin role can do anything
>> >
>> > Thank you.
>> >
>> > --
>> > Robi
>> >
>> > ---------------------------------------------------------------------
>> > To unsubscribe, e-mail: [EMAIL PROTECTED]
>> > For additional commands, e-mail: [EMAIL PROTECTED]
>> >
>>
>
> --
> Alvaro Sanchez-Mariscal Arnaiz
> Java EE Architect & Instructor
> [EMAIL PROTECTED]
>

--
View this message in context: http://www.nabble.com/Authentication-and-Authorization-in-S2-tf4300234.html#a12294512
Sent from the Struts - User mailing list archive at Nabble.com.
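As an added illustration of the store-plus-interceptor approach described at the top of this thread (example code written here, not posted by anyone in the thread and not part of Struts 2 itself): the interceptor reads the JAAS Subject stored under "subject_key", as in Miguel's login code, and denies any action the centralized store does not map to one of the Subject's roles. The store shape, the action and role names, the "login"/"unauthorized" result names, and the assumption that the login module adds one Principal per role are all assumptions for this example.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/**
 * Struts 2 interceptor that enforces a role-to-action map on every invocation,
 * so typing an action URL directly is checked the same way as following a link.
 */
public class RoleActionInterceptor extends AbstractInterceptor {

    /** Assumed centralized store: action name -> role names allowed to run it. */
    private static final Map<String, Set<String>> STORE = Map.of(
        "viewGlobal",  Set.of("anonymous", "member", "editor", "admin"),
        "editOwnData", Set.of("member", "editor", "admin"),
        "editGlobal",  Set.of("editor", "admin"),
        "adminPanel",  Set.of("admin"));

    /** Shared decision so a link-hiding custom tag can ask the same question as the interceptor. */
    public static boolean isAllowed(String action, Subject subject) {
        Set<String> allowed = STORE.get(action);
        if (allowed == null) {
            return false;                      // deny by default: unmapped actions are unreachable
        }
        if (allowed.contains("anonymous")) {
            return true;                       // public action, no login needed
        }
        if (subject == null) {
            return false;                      // not authenticated
        }
        for (Principal p : subject.getPrincipals()) {
            // Assumption: the JAAS login module adds one Principal named after each role
            if (allowed.contains(p.getName())) {
                return true;
            }
        }
        return false;
    }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        String action = invocation.getProxy().getActionName();
        Map<String, Object> session = invocation.getInvocationContext().getSession();
        Subject subject = (Subject) session.get("subject_key");   // key from Miguel's login code
        if (isAllowed(action, subject)) {
            return invocation.invoke();
        }
        return subject == null ? "login" : "unauthorized";       // assumed global result names
    }
}
```

The interceptor still only guards actions, as the top reply notes: row-level decisions (which member may edit which record) have to be made inside the action or the data layer.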