Personally, I used to prefer container managed security, like what
Tomcat provides ->

http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html

But I found that I didn't like being forced into their database schema,
so I started using ACEGI, which is now called Spring Security.

There are some that don't like it, but I actually sort of like it.
It's a very serious learning curve, but things have gotten quite a bit
better than they used to be. I am even overriding more than a few of
their stock services with my own so that I can provide a security
system quite a bit more complex than what you normally get out of the
box. In addition, Spring Security has annotations and custom tags so
that you can really get granular with your setup. If you feel like you
have a need for a sophisticated security framework, check it out. If
you just want to protect a few pages/requests, then Spring Security is
probably overkill.

-Wes

On Thu, Aug 20, 2009 at 4:24 PM, CRANFORD, CHRIS <chris.cranf...@setech.com> wrote:
>
> I am currently preparing the steps to port a legacy Struts1 application
> to Struts2.  The rewrite of the web application also includes a
> transition from Tiles to Sitemesh along with the introduction of the
> Spring and Hibernate frameworks.
>
> The authentication and security model used in the Struts1 application
> was very simple and one of the pitfalls resulted in lack of overall
> flexibility and ease of managing user roles and permissions.  One of the
> biggest goals of this rewrite process is to really spend a good chunk of
> time looking at alternatives that make the most sense for what we're
> trying to accomplish.
>
> The application is mainly a query-based tool for reporting a wide range
> of data to a very large end user community.  There are also
> possibilities for gathering data from this user community and storing it
> depending on specific business case needs.  Since the user community
> could span users that are customers, to in-house end users, site/local
> management, and upper executive management, the options and data
> presented to these users will need to vary.
>
> Is there any internal way within Struts2 that is recommended over
> another to embed logic to support per-action/page security?  Is there an
> internal way to ensure that the user is authenticated prior to servicing
> the request?
>
> I've read about Interceptors versus using something like JAAS.  Are
> there benefits of one over another?  I'd rather not introduce a new
> framework atop of Spring and Hibernate given we're moving from Struts1
> to Struts2 and Tiles to Sitemesh.  It is a learning curve and adding new
> frameworks continues to agitate the issue.
>
> Thanks for everyone's feedback.
> Chris
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org
>
>



-- 
Wes Wannemacher

Head Engineer, WanTii, Inc.
Need Training? Struts, Spring, Maven, Tomcat...
Ask me for a quote!
