secure access and struts

Faisal Khan
Ranch Hand

Joined: Jun 29, 2003
Posts: 285
Hello,
I have an app with secure areas that can only be accessed by the authenticated users, for example, localhost:8080/v2/pcp/newQuote link is only given once the user has logged in. However, if I type this link into browser, I can at the moment get to it without logging in.
The entry in the struts-config.xml at the moment is:

In a non struts environment, I used to check for the presence of a session with the userID stored.
Can someone point me in the right direction please on how to achieve the same in struts.
FK


The secret to creativity is knowing how to hide your sources.
Chris Mathews
Ranch Hand

Joined: Jul 18, 2001
Posts: 2712
A flexible and easy way to implement these types of security requirements is with a Servlet Filter. The authenticated user information can then be bound in a ThreadLocal for easy access to any code that needs it, just be sure to have your filter clean up the ThreadLocal when the request is on its way out since your application will be running in a thread pool controlled and managed by the Application Server.
[ February 12, 2004: Message edited by: Chris Mathews ]
Faisal Khan
Ranch Hand

Joined: Jun 29, 2003
Posts: 285
Chris - Thanks for the answer. Is it not possible to achieve that kind of secure access with Struts itself or are Filters simply a better choice here? Using filters would mean adding each secure resource to the web.xml in addition to the struts-config.xml, is that right?
Prakash Dwivedi
Ranch Hand

Joined: Sep 28, 2002
Posts: 452
Using filters would mean adding each secure resource to the web.xml in addition to the struts-config.xml, is that right?
Depends, either you can have one generic filter which intercepts all the requests or you can add URLs of all the secure locations in the web.xml and map them to your filter.
As you are using Struts you can use RequestProcessor. Here you can check if the user is asking for a secure site. If so, check for the user id in the session.


Prakash Dwivedi (SCJP2, SCWCD, SCBCD)
"Failure is not when you fall down, Its only when you don't get up again"
Faisal Khan
Ranch Hand

Joined: Jun 29, 2003
Posts: 285
Originally posted by Prakash Dwivedi:
Using filters would mean adding each secure resource to the web.xml in addition to the struts-config.xml, is that right?
Depends, either you can have one generic filter which intercepts all the requests or you can add URLs of all the secure locations in the web.xml and map them to your filter.
As you are using Struts you can use RequestProcessor. Here you can check if the user is asking for a secure site. If so, check for the user id in the session.


Just to elaborate on the above, I understand the aspect of chaining or not of the filters BUT I am not too keen on adding all the URLs that should be checked for the presence of a valid session from within the web.xml.
I like the idea of being able to use the RequestProcessor from within struts config but not sure how that would work, can someone please tell me more about this.
Thanks.
Jason Cox
Ranch Hand

Joined: Jan 21, 2004
Posts: 287
Just a thought.
I have an application with secured and unsecured pages.
In order to easily transition between the two, I created a SecureActionInterface that all secured pages must implement.
The methods are simple enough. There is a getCurrentUser() method which checks the requesting user's authentication from the persistence layer. This could be anything. HTTP Session, EJB, straight from the database, take your pick.
The other method is a checkUserLogin() which simply looks over the user information (once we've called getCurrentUser) to make sure they have a valid login. The user might be valid in the system, but that doesn't mean they've properly logged in. If the checkUserLogin() method cannot validate the user or validate their login, they're kicked back to a login screen.
It's really quite simple to implement. The only real trick is finding a way to ensure developers who might follow you understand that certain pages must be secured and why. I've also considered an abstract implementation for classes that routinely use the same method implementation of the SecureActionInterface.
Junilu Lacar
Bartender

Joined: Feb 26, 2001
Posts: 4462
You can use one url pattern to access secure resources and another to access unsecured resources. In our project, all our secure resources are accessed through /ourapp/secure/*.do (go figure). Then we set up one filter for this url pattern. Any /ourapp/*.do urls are unsecured and are not filtered.
HTH


Junilu - [How to Ask Questions] [How to Answer Questions]
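As an added illustration (not code from the thread or from any of the posters), here is the filter approach Chris Mathews describes, mapped the way Junilu's project does it: every protected action lives under /secure/, one filter guards that prefix, and the filter binds the logged-in user id into a ThreadLocal that is cleared on the way out so the pooled thread never carries one user's identity into the next request. The class names, the "userID" session attribute and the /login.do target are assumptions for the example; the servlet API calls are standard. Note that the servlet spec only accepts a prefix pattern or an extension pattern in a url-pattern, so the mapping shown uses /secure/* rather than /secure/*.do.

```java
// Added example: session-based access check for /secure/* plus a
// ThreadLocal user binding that is always cleaned up. Not from the thread.
package example.web;   // hypothetical package

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * web.xml (constructed for this example):
 *
 *   <filter>
 *     <filter-name>auth</filter-name>
 *     <filter-class>example.web.AuthFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>auth</filter-name>
 *     <url-pattern>/secure/*</url-pattern>
 *   </filter-mapping>
 */
public class AuthFilter implements Filter {

    /** Session attribute your login action sets on success (assumed name). */
    static final String USER_KEY = "userID";

    /** Per-thread holder so any code in the request can ask who is logged in. */
    public static final class CurrentUser {
        private static final ThreadLocal<String> USER = new ThreadLocal<String>();
        public static String get()          { return USER.get(); }
        private static void set(String id)  { USER.set(id); }
        private static void clear()         { USER.remove(); }
    }

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session just to inspect it, so an
        // anonymous deep link does not get a session object out of this filter.
        HttpSession session = request.getSession(false);
        String userId = (session == null) ? null : (String) session.getAttribute(USER_KEY);

        if (userId == null) {
            // Someone typed or was sent the protected URL without logging in:
            // send them to the login page instead of the protected action.
            response.sendRedirect(request.getContextPath() + "/login.do"); // assumed login mapping
            return;
        }

        CurrentUser.set(userId);
        try {
            chain.doFilter(request, response);
        } finally {
            // The application server reuses this thread for other users'
            // requests, so the binding must go even if the action threw.
            CurrentUser.clear();
        }
    }
}
```

Downstream code calls `AuthFilter.CurrentUser.get()` instead of digging the user out of the session again; because the filter only ever lets a request through after setting it, a null result inside a /secure/ action is itself a sign that an action was mapped outside the guarded prefix.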
Faisal Khan
Ranch Hand

Joined: Jun 29, 2003
Posts: 285
Thank you guys for all your ideas and feedback.
I was under the impression there will be something more inherent in Struts which takes care of this, I guess I will go with the idea of appending /secure/ and then using a filter to check whether access should be granted.
Thanks again.
Prakash Dwivedi
Ranch Hand

Joined: Sep 28, 2002
Posts: 452
Hi Faisal
To use the request processor add this line in struts-config.xml
<controller className="org.apache.struts.config.ControllerConfig" inputForward="true" debug="1" processorClass="com.trs.config.CustomRequestProcessor"/>

Create a class CustomRequestProcessor which extends org.apache.struts.action.RequestProcessor.
All the requests to your Struts application will pass through this. You can check if the request is for a secure site, and if so you can check for the user id in the session.
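The following is an added example, not code posted in the thread: the com.trs.config.CustomRequestProcessor named in the controller element above, combined with Jason Cox's marker-interface idea so that no list of secure URLs has to be maintained anywhere. It overrides processRoles rather than processActionPerform because Struts 1.1 calls processRoles right after the mapping is resolved and before the form bean is populated or validated, so an anonymous request never has its input processed and never sees the action's input page. (Struts' own roles attribute on an action mapping is checked in this same step, but only through the container's isUserInRole, which is why a session check has to be custom.) The SecureAction name, the "userID" attribute and the /login.do target are assumptions; the RequestProcessor hooks are real Struts 1.1 API.

```java
// Added example: custom RequestProcessor that requires a logged-in user for
// any Action implementing the SecureAction marker. Not from the thread.
package com.trs.config;   // the package named in the <controller> element above

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

public class CustomRequestProcessor extends RequestProcessor {

    /** Session attribute your login action sets on success (assumed name). */
    static final String USER_KEY = "userID";

    /**
     * Marker interface: an Action that implements it needs a logged-in user.
     * Actions declare "implements CustomRequestProcessor.SecureAction".
     */
    public interface SecureAction { }

    /**
     * Runs after processMapping and before processActionForm/processValidate.
     * Returning false tells RequestProcessor.process() to stop here.
     */
    protected boolean processRoles(HttpServletRequest request,
                                   HttpServletResponse response,
                                   ActionMapping mapping)
            throws IOException, ServletException {

        if (requiresLogin(mapping) && currentUser(request) == null) {
            response.sendRedirect(request.getContextPath() + "/login.do"); // assumed login mapping
            return false;
        }
        return super.processRoles(request, response, mapping);
    }

    /** True when the mapped Action class carries the SecureAction marker. */
    private boolean requiresLogin(ActionMapping mapping) {
        String type = mapping.getType();
        if (type == null) {
            return false;   // forward- or include-only mapping, no Action class behind it
        }
        try {
            Class actionClass = Class.forName(type, false,
                    Thread.currentThread().getContextClassLoader());
            return SecureAction.class.isAssignableFrom(actionClass);
        } catch (ClassNotFoundException e) {
            return true;    // fail closed: an unresolvable Action gets no anonymous access
        }
    }

    private String currentUser(HttpServletRequest request) {
        HttpSession session = request.getSession(false);   // never create one here
        return (session == null) ? null : (String) session.getAttribute(USER_KEY);
    }
}
```

With this in place a developer secures a new page by adding the marker to its Action class; a mapping whose Action forgets the marker is the remaining risk, which is the documentation problem Jason mentions.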
Ngo Thanh Hien
Greenhorn

Joined: Mar 23, 2003
Posts: 5
You should use Form based authentication (J2EE specification). This will help you protect your application by URL


webservice
Saeed Amer
Ranch Hand

Joined: Jan 20, 2004
Posts: 140
I am new to Struts and J2EE and I found the discussion pretty interesting and informative! I liked Rob's idea better.
Question for : Ngo Thanh Hien
If the answer could be brief, how can we implement "Form Based Authentication" (as per J2EE Spec)?
TIA
Amer
Faisal Khan
Ranch Hand

Joined: Jun 29, 2003
Posts: 285
Originally posted by Ngo Thanh Hien:
You should use Form based authentication (J2EE specification). This will help you protect your application by URL

Ngo,
We do have form based authentication, the discussion was more about securing certain resources. For example, once you have successfully logged in and see a url of the form: www.somedomain.com/do/quote - you send this url to a friend, they should not be able to access this resource and request for this resource should give them either a login page or access denied error. We were discussing ways to achieve this in the Struts environment.
I hope I understood what you meant.
Regards
FK
Ngo Thanh Hien
Greenhorn

Joined: Mar 23, 2003
Posts: 5
Same in a Struts environment. If you use form based authentication, then you do not lose time coding and designing a database .... Further, if your application is full J2EE (including EJB components), you can also protect your EJB business methods with method permissions. The login user may be at your OS level or LDAP.
I don't know which server you use, but if you use WebSphere then it supports more with this way of authentication (when the session times out, the application server dynamically forwards the user to the login page).
- In order to do form based authentication you should
1. (in web.xml) define security roles, mapping these roles with the protected URL pattern
<security-constraint>
    <web-resource-collection>
        <web-resource-name>AdminResource</web-resource-name>
        <description></description>
        <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description></description>
        <role-name>Admin</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/logerr.jsp</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <description>Administrator</description>
    <role-name>Admin</role-name>
</security-role>
2. in (ejb-jar.xml) you should define the same security roles as in web.xml, and method permissions (see the EJB specification for detail)
3. in application.xml (EAR project) you also define the same security roles as in web.xml and ejb-jar.xml and map these roles to specific users or groups (on the OS for example)
If you do that, then when you request a URL for example http://your_context/admin/* you will be forwarded to the login page. Note (login.jsp above contains 2 input fields with the fixed names j_username/j_password and the fixed action URL j_security_check). When you input the correct account the requested URL will be served.
Hope this helps you
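As an added example (not from the thread), this is what a Struts Action under the /admin/* constraint above sees once the container's FORM login has run: the user name and roles come from the container via request.getRemoteUser() and request.isUserInRole(), not from a session attribute the application set itself. The class name, the "success" forward and the "currentUser" request attribute are assumptions; the servlet and Struts calls are standard.

```java
// Added example: a Struts Action relying on container FORM authentication.
// Not from the thread.
package example.admin;   // hypothetical package

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/*
 * Struts 1.1 can also do the role check declaratively in struts-config.xml,
 * which RequestProcessor.processRoles enforces with request.isUserInRole():
 *
 *   <action path="/admin/quote" type="example.admin.AdminQuoteAction"
 *           roles="Admin"> ... </action>
 */
public class AdminQuoteAction extends Action {

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {

        // Set by the container after j_security_check succeeds; null means
        // the request reached this action without passing any constraint.
        String user = request.getRemoteUser();

        // Defence in depth: the <security-constraint> on /admin/* already
        // required the Admin role, but re-checking here catches a mis-typed
        // url-pattern or this action being mapped outside /admin/.
        if (user == null || !request.isUserInRole("Admin")) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return null;   // null tells Struts the response is already complete
        }

        request.setAttribute("currentUser", user);
        return mapping.findForward("success");
    }
}
```

The point for the earlier exchange: a deep link such as /admin/quote.do sent to someone who has not logged in is intercepted by the container before this code runs, so the session check the thread discusses is only needed for resources the application authenticates itself rather than through the container.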
Sanjay V Jadhav
Greenhorn

Joined: Dec 08, 2004
Posts: 2
Hi,
I have a common problem here, i.e. I could not switch the protocol back to http after the https transaction completes. I tried using web.xml and added the login page there (as mentioned by 'Ngo Thanh Hien' in his message), but it does not work. I tried another way: added the https protocol to the url for the login button 'action' and after loginComplete reverted back to "http" and sent to ActionForward (struts api) with flag true (assume this needs the full url to redirect). This works fine but in case I have a relative url, it fails.
Any one knows better idea...?
Thanks in advance.
-Sanjay