Here are my thoughts (based on my experience with WebSphere, but I hope they can be generalized):

1- Using session for users' authentication is not a very good idea, esp. if there is a chance that they may have multiple browsers or tabs open at the same time. There is a great chance of session mix-ups. However, if you are, for some reason or another, pressed to use http session, make sure that you use URL rewriting instead of cookies for session tracking [WebSphere also allows a third way, using SSL ids for this purpose if you use SSL]. To do so you do not need to change your code; you need to change container settings.

2- Applying security using JAAS or realm is a web-container setting, not Struts 2. You need to do two things:
a) Enable the security of your container (server) to use a registry for authentication (LDAP, OS, ...). Note that some servers like WebSphere allow you to extend its capability to use a custom registry (say a database) for this purpose.
b) Change your web.xml and application.xml (add security constraints and roles and ...).

Once it is done, it does not matter whether you use Struts 2 or Struts 1 or any other framework. At login (first access) users get challenged. In my case, to avoid using session for authentication, I am using an interceptor to retrieve user role and other information on each request. Note that once a user is logged in (assuming you use single sign-on), users' credentials (login name) are cached by the server and at each request you can retrieve it using request.getRemoteUser(). So you can get rid of session by paying a very slight overhead of retrieving all necessary information at each request using an interceptor.

regards,
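As an added illustration of the per-request interceptor approach described in the reply above (example code, not the author's own), here is a Struts 2 interceptor that reads the container-authenticated principal with request.getRemoteUser() and checks roles with request.isUserInRole(), keeping nothing in the HTTP session. The role names and the UserAware interface are assumptions; each role must be declared as a <security-role> in web.xml and mapped to the registry groups in the container.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.apache.struts2.ServletActionContext;
import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/**
 * Pulls the identity the container established (JAAS/realm login) on every
 * request, so no user data needs to live in the HTTP session.
 */
public class ContainerUserInterceptor extends AbstractInterceptor {

    /** Actions that want the principal and roles implement this (assumed interface). */
    public interface UserAware {
        void setUser(String loginName, List<String> roles);
    }

    // Assumed role names (taken from the user types in the original question);
    // each must be declared as a <security-role> in web.xml.
    private static final List<String> KNOWN_ROLES =
            Arrays.asList("admin", "executive", "branchhead");

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest request = ServletActionContext.getRequest();
        String loginName = request.getRemoteUser();
        if (loginName == null) {
            // Container did not authenticate this request: the URL is outside the
            // web.xml <security-constraint>. Send to a global "login" result
            // rather than trusting anything an action could read from the session.
            return Action.LOGIN;
        }
        List<String> roles = new ArrayList<String>();
        for (String role : KNOWN_ROLES) {
            if (request.isUserInRole(role)) {
                roles.add(role);
            }
        }
        Object action = invocation.getAction();
        if (action instanceof UserAware) {
            ((UserAware) action).setUser(loginName, roles);
        }
        return invocation.invoke();
    }
}
```

Register the class as an <interceptor> in struts.xml and add it to the default stack, and define a global result named "login" for the Action.LOGIN return value.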
----- Original Message ----
From: hns <[EMAIL PROTECTED]>
To: user@struts.apache.org
Sent: Friday, July 11, 2008 8:17:54 AM
Subject: about security

Hi,

I have successfully converted and deployed a Struts 2.0.11 application to the client, but still have some security questions because I have less knowledge of JAAS, realm or role based security. I have done authentication using a query fired in the database for user name and password. When the user is authenticated I have stored his user name and user id and user type (admin, executive, branch head) in session.

Problems:
1. Users can login from a different node or a different browser with the same user name; how to solve it?
2. How can I apply realm or JAAS in Struts 2.0.11?

Please help me, I am waiting for a favorable reply.

--
View this message in context: http://www.nabble.com/about-security-tp18402549p18402549.html
Sent from the Struts - User mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]