Thank you Craig, that's very helpful to understand. There are two things I was hoping to accomplish with Container Managed Security.

1. Ensuring that a user is logged in before serving up protected pages. I believe this is handled easily by using a Servlet Filter to check for a required session object (like username), similar to the example provided by Kito Mann in JSF in Action.

2. Protecting certain parts of the site based on a user's role. This is where I'm having difficulty. Among Shale/JSF programmers, is there a popular/best practice for implementing this requirement?

Any advice would be appreciated.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig McClanahan
Sent: Friday, March 03, 2006 4:52 PM
To: Struts Users Mailing List
Subject: Re: Shale & Container Managed Security

On 3/3/06, James Reynolds <[EMAIL PROTECTED]> wrote:
>
> Allow me to refine my question. I'm wondering if the Shale filter is
> intercepting requests to the container. Do I need to adjust the
> filter mapping? Is there an FM somewhere that I should R?

Shale's filters do indeed intercept whatever requests it is mapped to, but there are two important things to understand with respect to container managed security:

* Container managed security is applied *before* any filters (including the one that Shale provides).

* Container managed security is applied *only* on the initial request, not on RequestDispatcher.forward() calls.

In JSF (and therefore Shale) apps, that means you can protect the incoming form submits (they will be mapped to something like "/editCustomer.jsf" if you are using extension mapping, and the page being submitted was "/editCustomer.jsp").

The second issue means that it is your application's responsibility to decide whether or not the user should be allowed to navigate to a particular page. Container managed security won't help you there.

That being said, it might be interesting for Shale to deliver a custom JSF navigation handler that would optionally impose that sort of control ("only a manager can navigate to the salary details page").

Craig

> -----Original Message-----
> From: James Reynolds [mailto:[EMAIL PROTECTED]
> Sent: Friday, March 03, 2006 3:02 PM
> To: Struts Users Mailing List
> Subject: Shale & Container Managed Security
>
>
> I'm a newbie setting up container managed security for a basic
> Shale-blank application. For my first attempt, I'm trying a simple
> BASIC authentication but I'm having troubles so I'm trying to rule out
> the unknowns.
>
> My question for this list is, does Shale have an impact on traditional
> Container Managed Security Methods?
>
> Thanks
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
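
Added example, not part of the original thread and not Shale code: a sketch of the kind of custom JSF navigation handler Craig describes, which lets the default handler choose the next view and then checks the user's role for that view. The class name, the view-id prefixes, the role names and `/accessDenied.jsp` are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import javax.faces.application.NavigationHandler;
import javax.faces.component.UIViewRoot;
import javax.faces.context.FacesContext;

/**
 * Decorating NavigationHandler (hypothetical class). Registered in faces-config.xml with
 * <application><navigation-handler>RoleCheckingNavigationHandler</navigation-handler></application>
 */
public class RoleCheckingNavigationHandler extends NavigationHandler {

    // Assumed table of view-id prefix -> required role; a real app would load this from config.
    private static final Map<String, String> REQUIRED_ROLES = new LinkedHashMap<String, String>();
    static {
        REQUIRED_ROLES.put("/salary/", "manager");
        REQUIRED_ROLES.put("/admin/", "admin");
    }
    private static final String DENIED_VIEW = "/accessDenied.jsp"; // assumed page

    private final NavigationHandler delegate;

    // JSF passes the previously configured handler to a one-argument constructor.
    public RoleCheckingNavigationHandler(NavigationHandler delegate) {
        this.delegate = delegate;
    }

    public void handleNavigation(FacesContext context, String fromAction, String outcome) {
        // Let the standard navigation rules select the target view first.
        delegate.handleNavigation(context, fromAction, outcome);
        UIViewRoot target = context.getViewRoot();
        if (target == null || target.getViewId() == null) {
            return;
        }
        String role = requiredRole(target.getViewId());
        // isUserInRole() asks the container; it is false for an unauthenticated user,
        // so a protected view is denied by default.
        if (role != null && !context.getExternalContext().isUserInRole(role)) {
            UIViewRoot denied = context.getApplication().getViewHandler()
                    .createView(context, DENIED_VIEW);
            context.setViewRoot(denied);
        }
    }

    // Returns the role needed for a view id, or null when the view is unprotected.
    static String requiredRole(String viewId) {
        for (Map.Entry<String, String> e : REQUIRED_ROLES.entrySet()) {
            if (viewId.startsWith(e.getKey())) {
                return e.getValue();
            }
        }
        return null;
    }
}
```

This check covers only navigation performed inside JSF; a direct request for the same URLs is still an initial request, so it still needs a container `security-constraint` (or a filter) in front of it.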