> -----Original Message-----
> From: Adam Lipscombe [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 17, 2004 11:02 AM
> To: 'Struts Users Mailing List'
> Subject: RE: Specifying JAAS permission on a per-action basis
>
> Many thanks Eric - it's easy when you know how :-)
>
>
> I am interested to know why you chose this approach over the tagish /
> http://www.mooreds.com/jaas.html solution? Did you hit problems?
>
I found the struts-config roles/controller a cleaner solution, not requiring
all the configuration in JAVA_HOME\jre\lib\security\*. And you also
have to keep a separate list of resources to protect, a la:

    grant Principal com.tagish.auth.TypedPrincipal "user" {
        permission com.xor.auth.perm.URLPermission \
            "/struts-example/editRegistration.do";
        ...
        ...
        ...
    };

The above isn't bad, but we didn't need that much horsepower, nor do we do
authentication based on JAAS, just the authorization part. I hate container
managed (user/jdbc realm based) authentication. IMO that should be used as a
replacement for Apache style htaccess authentication (which is what it is
intended for, I believe), and application level authentication should be
developed within your own code / db.
>
> TIA - Adam
>
>
>
>
> -----Original Message-----
> From: Eric Dahnke [mailto:[EMAIL PROTECTED]
> Sent: 17 June 2004 15:33
> To: 'Struts Users Mailing List'
> Subject: RE: Specifying JAAS permission on a per-action basis
>
>
>
> I just did this, and found it extremely simple. I eventually went away from
> the tagish / http://www.mooreds.com/jaas.html solution.
>
> Three steps is all it takes:
>
> -1- add this to your struts-config
>
> <controller
>     processorClass="com.ourcompany.portal.site.struts.action.CustomRequestProcessor"/>
>
> -2- Code
>
> import java.io.IOException;
> import javax.servlet.ServletException;
> import javax.servlet.http.HttpServletRequest;
> import javax.servlet.http.HttpServletResponse;
> import javax.servlet.http.HttpSession;
> import org.apache.struts.action.ActionMapping;
> import org.apache.struts.tiles.TilesRequestProcessor;
>
> // The Struts Tiles plugin implements its own RequestProcessor, so if you
> // want to use your RequestProcessor alongside the Tiles' RequestProcessor,
> // make sure your processor extends TilesRequestProcessor instead of
> // RequestProcessor.
> // User is the application's own class, stored in the session as "user".
> public class CustomRequestProcessor extends TilesRequestProcessor {
>
>     protected boolean processRoles(HttpServletRequest request,
>                                    HttpServletResponse response,
>                                    ActionMapping mapping)
>             throws IOException, ServletException {
>
>         // Is this action protected by role requirements?
>         // Mappings without a roles attribute are let through.
>         String roles[] = mapping.getRoleNames();
>         if ((roles == null) || (roles.length < 1)) {
>             return (true);
>         }
>
>         // Check the current user against the list of required roles
>         HttpSession session = request.getSession();
>         User user = (User) session.getAttribute("user");
>
>         if (user == null) {
>             response.sendRedirect("noSessionAvailable.do");
>             return false;
>         }
>
>         // Any one of the listed roles is sufficient
>         for (int i = 0; i < roles.length; i++) {
>             if (user.hasRole(roles[i])) {
>                 return (true);
>             }
>         }
>
>         response.sendRedirect("errorNotAuthorized.do");
>         return (false);
>     }
>
> }
>
> -3- add roles attributes to your action elements in struts-config
>
> <action path="/billingInformationEdit"
>         type="org.apache.struts.actions.ForwardAction"
>         parameter="/pages/billingInformationEdit.jsp"
>         roles="registeredUser">
>     <set-property property="secure" value="true"/>
> </action>
>
>
> HTH - Eric
>
>
> > -----Original Message-----
> > From: David Friedman [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, June 17, 2004 9:15 AM
> > To: Struts Users Mailing List
> > Subject: RE: Specifying JAAS permission on a per-action basis
> >
> > Pow2ACL http://pow2acl.sourceforge.net/index.html
> > might fit your JAAS high-end needs. It also integrates
> > with Struts.
> >
> > Regards,
> > David
> >
> > -----Original Message-----
> > From: Adam Lipscombe [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, June 17, 2004 9:02 AM
> > To: 'Struts Users Mailing List'
> > Subject: Specifying JAAS permission on a per-action basis
> >
> >
> > Folks,
> >
> >
> > I am using JAAS with the Tagish libraries to authenticate users via a JDBC
> > lookup. This works.
> >
> >
> > What I need to do now is to specify permissions on an action-by-action
> > basis, but I am unclear about how this is achieved...
> >
> > Dan Moore's excellent tutorial at http://www.mooreds.com/jaas.html shows an
> > example of setting permissions via a policy configuration file ("Example 8.
> > Sample JAAS policy file").
> >
> > I have also read that it's possible to specify permission via a "roles"
> > attribute on the action mapping definition in the struts-config.xml
> > file.
> >
> >
> > Does anyone know if these approaches to permission setting are complementary
> > or mutually exclusive?
> > Does anyone know which is the best?
> >
> > I would prefer to set the perms in struts-config if possible, if only to
> > keep all the config in the same file. An example of setting perms this way
> > would be great.
> >
> >
> >
> > TIA - Adam
> >
> >
> >
> >
> ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
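
An added check, not part of the original thread or of Struts: the processRoles() override quoted above returns true for any mapping with no roles, so an action whose roles attribute is forgotten is reachable by every user. This script lists such actions in a struts-config and flags role names outside an expected set; the sample config (apart from the /billingInformationEdit mapping), the com.example classes, KNOWN_ROLES and PUBLIC_PATHS are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample struts-config; only /billingInformationEdit comes
# from the thread, the other mappings are made up for this example.
SAMPLE_CONFIG = """<struts-config>
  <action-mappings>
    <action path="/billingInformationEdit"
            type="org.apache.struts.actions.ForwardAction"
            parameter="/pages/billingInformationEdit.jsp"
            roles="registeredUser"/>
    <action path="/accountDelete" type="com.example.AccountDeleteAction"
            roles="registeredUser, admn"/>
    <action path="/invoiceExport" type="com.example.InvoiceExportAction"/>
    <action path="/login" type="com.example.LoginAction"/>
  </action-mappings>
</struts-config>"""

# Assumptions: the roles the application defines, and the actions that
# are intentionally reachable without any role.
KNOWN_ROLES = {"registeredUser", "admin"}
PUBLIC_PATHS = {"/login"}


def audit_roles(config_xml, known_roles, public_paths):
    """Return (unprotected_paths, {path: [unknown role names]})."""
    root = ET.fromstring(config_xml)
    unprotected, unknown = [], {}
    for action in root.iter("action"):
        path = action.get("path")
        # Struts treats the roles attribute as a comma-delimited list.
        raw = action.get("roles") or ""
        roles = [r.strip() for r in raw.split(",") if r.strip()]
        if not roles:
            # processRoles() returns true here: the action is open to all.
            if path not in public_paths:
                unprotected.append(path)
            continue
        bad = [r for r in roles if r not in known_roles]
        if bad:
            unknown[path] = bad
    return unprotected, unknown


if __name__ == "__main__":
    open_actions, typos = audit_roles(SAMPLE_CONFIG, KNOWN_ROLES, PUBLIC_PATHS)
    for path in open_actions:
        print("no roles attribute (open to any user):", path)
    for path, names in typos.items():
        print("unknown role name(s) on", path, "->", ", ".join(names))
```

A misspelled role such as the constructed "admn" fails closed for that role, since no user holds it, while a missing attribute fails open, which is why the two findings are reported separately.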