Struts Security + Actions + Roles + Principal

Mazarin MINTSA
Greenhorn

Joined: Jul 12, 2003
Posts: 1
I know you are gurus of Struts, that's why I need your help. I'm a newbie.
I'm involved in a Struts project where there is a need for security.
Here is how the application behaves.
First, the user needs to log in to the intranet: he enters his user name and password. He accesses, whoever he is, the Main Menu of the intranet.
Then he chooses to enter my specific application. Then he enters specific parameters of my app which enable him to get a role. In addition, Username + Password + DataX + DataY + Year => a role.
An example of a role is supervisor, another is administrator, another is simple user.
In my Struts action, in the action part, I put the roles allowed per action.
Now, how should I manage my particular role to provide container-managed security (if possible)? How should I use "Principal", request.getUserPrincipal()?
Or shall I write my own security, and how?
Jason Kosowan
Greenhorn

Joined: Sep 25, 2001
Posts: 9
I'm new to Struts as well but have managed to get a reasonable security setup put together. My first bit of humble advice is this:
*** don't write your own security layer ***
To do this would be more time than it would take you to learn about your application container's security features. Writing your own would also be less secure and less flexible than using the container. (This is not a slam - container security is taken seriously by most vendors and they spend the time to do it "full-on")
Ok, that being said... you must now decide on how you want your username/passwd to be stored. Containers usually give you the option of storage in a file or in a DB. If the usr/pwd are already predefined and unlikely to change, the file option might be easiest. But, if you want to be able to add/delete/change users on the fly from within the app, the JDBC option is most likely the best.
A word about the JDBC option: in this scenario, because the container (and not Struts) will be checking usernames, it may be easier to do your connection pooling on the container level as well. Not that I've heard anything bad about the Struts connection pool, but it may be more difficult to set up the container to read from an outside pool than from its own.
A word about hashing: When storing the passwords, you may also want to store the hash of the password rather than the password itself. This ensures that the passwords are unreadable by anyone that is casually browsing the database or security file. Investigate if your container supports this and use it if it does.
Then, just decide what URL patterns / subdirectories you want protected, set them up, and away you go.
I hope this helps.
- JK
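
The container-managed setup discussed in this thread, as an added example that is not part of either post: the container protects a URL pattern and authenticates the user, and Struts restricts individual actions by role. It assumes a Servlet 2.3 web.xml and Struts 1.1 or later; the URL pattern, page paths, action paths and class names are constructed for illustration, and the role names are the three mentioned in the question.

```xml
<!-- WEB-INF/web.xml (fragment). The container, not Struts, authenticates
     the user and refuses any request to *.do from a user with no listed role.
     Paths below are constructed examples. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Struts actions</web-resource-name>
    <url-pattern>*.do</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
    <role-name>supervisor</role-name>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <!-- The login form posts j_username / j_password to j_security_check,
         which the container handles itself. -->
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- Every role used in an auth-constraint must be declared. -->
<security-role><role-name>administrator</role-name></security-role>
<security-role><role-name>supervisor</role-name></security-role>
<security-role><role-name>user</role-name></security-role>

<!-- WEB-INF/struts-config.xml (fragment). The roles attribute is a
     comma-separated list; the Struts RequestProcessor checks it with
     request.isUserInRole() before the action runs.
     Action paths and classes are hypothetical. -->
<action-mappings>
  <action path="/admin/editUser"
          type="com.example.EditUserAction"
          roles="administrator"/>
  <action path="/reports/approve"
          type="com.example.ApproveReportAction"
          roles="administrator,supervisor"/>
  <action path="/reports/view"
          type="com.example.ViewReportAction"
          roles="administrator,supervisor,user"/>
</action-mappings>
```

Inside an action, request.getUserPrincipal().getName() returns the name the container authenticated, and request.isUserInRole("supervisor") tests a single role against the same realm data.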
 