Just meant that I don't use other APIs/frameworks (JAAS, Acegi...) than what the Struts 2 architecture offers. Of course I had to develop my own interceptors, but that's pretty straightforward.

-----Original Message-----
From: Alvaro Sanchez-Mariscal [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 23, 2007 18:22
To: Struts Users Mailing List
Subject: Re: Authentication and Authorization in S2

What do you mean with "100% Struts 2 security"? As far as I know, S2 does not have anything out-of-the-box regarding security.

In my case, I had to manually develop a login action and an authentication interceptor.

Alvaro.

On 8/23/07, Arnaud Cogoluegnes <[EMAIL PROTECTED]> wrote:
> I'm using 100% Struts 2 security:
> - centralized store (simple Java class/XML config file) which maps roles
> and actions
> - interceptor if some user directly types the URL (based on the store)
> - custom tag for showing/hiding links (based on the store)
>
> This protects only *actions* and not data (i.e. which roles can see which
> rows in the database).
>
>
> -----Original Message-----
> From: wild_oscar [mailto:[EMAIL PROTECTED]
> Sent: Thursday, August 23, 2007 16:15
> To: user@struts.apache.org
> Subject: Re: Authentication and Authorization in S2
>
>
> How about AA with Struts2 only?
>
> I'm trying to understand Authorization with JAAS, but I'm not being very
> successful. Authentication is taken care of, I use JAAS and a PostgreSQL
> database to store users, passwords and roles.
>
> In the end of authentication, I store the subject in the HttpSession:
>
> HttpSession session = httprequest.getSession();
> session.setAttribute("subject_key", lc.getSubject());
>
> Bear in mind I first tried this in Struts; this week I switched to Struts2.
> Can anyone shed some light on the authorization part of the process with
> Struts2? Namely:
>
> a) Does one ever need to configure web.xml with security details and roles,
> for declarative security based on wildcards?
>
> or
> b) Is security only achieved at the action level?
>
> c) How does one build JSP pages that have parts protected (say, a
> form/button only available to certain roles)?
>
> Thank you for your help!
>
> Miguel, lost in Authorization
>
>
>
> Alvaro Sanchez-Mariscal wrote:
> >
> > I agree. You should first try Acegi.
> >
> > If your auth needs are very specific, you can always develop a custom
> > interceptor.
> >
> > Alvaro.
> >
> > On 8/20/07, Zarar Siddiqi <[EMAIL PROTECTED]> wrote:
> >> If you're using Spring, it's probably a great idea to use Acegi
> >> Security to handle authentication/authorization. I can't think of
> >> anything it can't do.
> >>
> >> http://www.acegisecurity.org/
> >>
> >> There's also Berkano which doesn't do nearly as much as Acegi but can
> >> handle most general AA problems:
> >>
> >> http://berkano.codehaus.org/
> >>
> >> Zarar
> >>
> >>
> >> On 8/20/07, Roberto Nunnari <[EMAIL PROTECTED]> wrote:
> >> > Hi all.
> >> >
> >> > I need to implement Authentication and Authorization in
> >> > a S2 web application, and before reinventing the wheel, I'd
> >> > like to ask the list for hints and advice.
> >> >
> >> > 1) Is there built-in support in Struts2 for Authentication and
> >> > Authorization?
> >> >
> >> > 2) What are the best practices for AA in S2?
> >> >
> >> > 3) Is JAAS a practical way in S2?
> >> >
> >> > More details:
> >> > - The application lets the users dynamically register as members
> >> > - In the application, the members can be part of one of two or three
> >> > groups (roles)
> >> > - unauthenticated users can only view some global data
> >> > - authenticated users can change some of their own data
> >> > - authenticated users can view some of other members data
> >> > - the authenticated users can add global content
> >> > - authenticated users in more privileged roles can change some global data
> >> > - authenticated users in the admin role, can do anything
> >> >
> >> > Thank you.
> >> >
> >> > --
> >> > Robi
> >> >
> >> > ---------------------------------------------------------------------
> >> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> >> > For additional commands, e-mail: [EMAIL PROTECTED]
> >> >
> >
> > --
> > Alvaro Sanchez-Mariscal Arnaiz
> > Java EE Architect & Instructor
> > [EMAIL PROTECTED]
> >
>
> --
> View this message in context:
> http://www.nabble.com/Authentication-and-Authorization-in-S2-tf4300234.html#a12294512
> Sent from the Struts - User mailing list archive at Nabble.com.
>

--
Alvaro Sanchez-Mariscal Arnaiz
Java EE Architect & Instructor
[EMAIL PROTECTED]
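
The approach described in the thread (a central store mapping roles to actions, consulted by an interceptor and reusable by a link-hiding tag), sketched as an added example that is not code from any poster on the list. It assumes Struts 2's `com.opensymphony.xwork2` interceptor API and Java 9+; the class name, the `userRoles` session key, the `denied` result and the action and role names are hypothetical.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/** Hypothetical interceptor: authorizes each action against one central role store. */
public class RoleStoreInterceptor extends AbstractInterceptor {

    // Hypothetical session key; the login action is assumed to put a Set<String> of roles here.
    static final String ROLES_KEY = "userRoles";
    // Marker for actions that unauthenticated users may run.
    static final String PUBLIC = "*";

    // Central store: action name -> roles allowed to invoke it (constructed sample data).
    // If the application uses several namespaces, key on namespace + name instead.
    private static final Map<String, Set<String>> STORE = Map.of(
        "viewGlobalData", Set.of(PUBLIC),
        "editOwnProfile", Set.of("member", "editor", "admin"),
        "editGlobalData", Set.of("editor", "admin"),
        "manageUsers",    Set.of("admin"));

    /** Single decision point, so the interceptor and a show/hide tag cannot disagree. */
    public static boolean isAllowed(String actionName, Set<String> userRoles) {
        Set<String> allowed = STORE.get(actionName);
        if (allowed == null) {
            return false; // action missing from the store: deny by default
        }
        if (allowed.contains(PUBLIC)) {
            return true;
        }
        return userRoles != null && !Collections.disjoint(allowed, userRoles);
    }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        Map<String, Object> session = invocation.getInvocationContext().getSession();
        @SuppressWarnings("unchecked")
        Set<String> roles = session == null ? null : (Set<String>) session.get(ROLES_KEY);
        String action = invocation.getProxy().getActionName();
        if (isAllowed(action, roles)) {
            return invocation.invoke(); // continue down the interceptor stack
        }
        // No roles in session: send to the login result; otherwise a "denied" result.
        return roles == null ? Action.LOGIN : "denied";
    }
}
```

The check only runs for packages whose interceptor stack includes it, so it belongs in the default stack that every package inherits. As the thread notes, this guards actions only; which rows a role may see still has to be enforced in the data access code.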