another question to authors

bas duijzings
Ranch Hand

Joined: Apr 07, 2004
Posts: 83
Hi,

Do you describe anything about the RequestProcessor, overwriting it, etc.? When I look at the table of contents it does not really mention this.

regards,
baz


have a nice one
friso dejonge
Ranch Hand

Joined: Jul 11, 2002
Posts: 162
Hey baz,
long time mate, but take a look at chapter 7, which is downloadable; this may answer your question.
(http://www.manning-source.com/books/franciscus/franciscus_chp7.pdf)
cheers,
friso


swimming certificate (A & B), shoelaces diploma, and some useless java ones.
Marc Peabody
pie sneak
Sheriff

Joined: Feb 05, 2003
Posts: 4727

The Internationalization chapter may cover the topic, as the RequestProcessor class is mentioned in the chapter's description.

(looks like friso beat me to the post)
[ January 25, 2005: Message edited by: Marc Peabody ]

A good workman is known by his tools.
George Franciscus
author
Ranch Hand

Joined: Jan 25, 2005
Posts: 32
There is no recipe on how to override the RequestProcessor per se. However, we do show you how to do that in the context of a problem you want to solve. There is a recipe on how to override the RequestProcessor to use your own security mechanism to secure action mappings (recipe 7.5, Customized action mapping security). If you need to override the RequestProcessor for some other reason, this recipe will show you how to do that. That recipe is available for download in chapter 7.

Other than that, we talk about the RequestProcessor a lot. It's mentioned whenever it's useful to explain how things work.


George Franciscus
george.franciscus@nexcel.ca
http://www.nexcel.ca
http://www.manning.com/franciscus
bas duijzings
Ranch Hand

Joined: Apr 07, 2004
Posts: 83
wow, that is some chapter. However, one thing is a concern on the security part of this. Maybe this is outside the scope of the book, but it would be nice if we could discuss...

The username and password in tomcat-users.xml are hardcoded and visible to anyone who has access from the inside. To me this sounds like storing unhashed passwords in a flat file, which is a danger.
Also, how can you add users interactively? Are there any tools or APIs, or do you have to write them yourself?

To bypass this, my solution would be to store the usernames and passwords in the database and get the user role when the user logs in. This also comes from the database. Then in processRoles you just check if the user has the same role (in the session) as what is needed for an action.

Am I still making sense? Anyone want to comment on this?
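The approach described in the two posts above (recipe 7.5's idea of overriding the RequestProcessor, combined with roles loaded from the database at login and kept in the session) looks roughly like the following in Struts 1.x. This is an added example, not code from the book or from recipe 7.5; the class name, the session attribute name and the redirect targets are assumptions, and it assumes a login action has already authenticated the user against the database and placed the granted role names in the session.

```java
import java.io.IOException;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

/**
 * Hypothetical custom RequestProcessor (added example, not from the book).
 * The default processRoles() asks the container (request.isUserInRole());
 * this version checks the roles that the login action stored in the session
 * after reading them from the application's own user table.
 * Written without generics because Struts 1.x targets Java 1.4.
 */
public class DatabaseRoleRequestProcessor extends RequestProcessor {

    /** Session attribute holding a java.util.Set of role-name Strings (assumed name). */
    public static final String ROLES_SESSION_KEY = "app.userRoles";

    /** Where unauthenticated callers are sent (assumed path). */
    private static final String LOGIN_PATH = "/login.jsp";

    protected boolean processRoles(HttpServletRequest request,
                                   HttpServletResponse response,
                                   ActionMapping mapping)
            throws IOException, ServletException {

        // roles="admin,editor" on the <action> element is already split
        // into an array by Struts; null or empty means "no restriction".
        String[] required = mapping.getRoleNames();
        if (required == null || required.length == 0) {
            return true;
        }

        HttpSession session = request.getSession(false);
        Set granted = (session == null)
                ? null
                : (Set) session.getAttribute(ROLES_SESSION_KEY);

        if (granted == null) {
            // Not logged in: send to the login page rather than revealing
            // which role the action needs.
            response.sendRedirect(request.getContextPath() + LOGIN_PATH);
            return false;
        }

        if (hasAnyRole(granted, required)) {
            return true;
        }

        // Logged in but not authorised: audit the denial and stop processing.
        servlet.log("Access denied to " + mapping.getPath()
                + " for session " + session.getId());
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return false;
    }

    /** True if the session holds at least one of the roles the mapping requires. */
    static boolean hasAnyRole(Set granted, String[] required) {
        for (int i = 0; i < required.length; i++) {
            if (granted.contains(required[i].trim())) {
                return true;
            }
        }
        return false;
    }
}
```

Register it in struts-config.xml with `<controller processorClass="DatabaseRoleRequestProcessor"/>` (fully qualified name) and put `roles="admin"` on the mappings to protect. Two things the snippet relies on the login action for: it should load the role set from the database in the same request that verifies the password, and it should invalidate any pre-login session before creating the one that carries the roles, so a session ID handed to the victim before login cannot be reused after it.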
George Franciscus
author
Ranch Hand

Joined: Jan 25, 2005
Posts: 32
I'm not a Tomcat expert, so I can't comment on external tools to add user IDs/passwords. However, I would agree with you that it's not a good idea to keep clear-text user info in a flat file.

A better approach is to wire up another security framework (e.g. LDAP). I *think* I read that you can wire Tomcat to some other security framework, but a cursory search through the Tomcat documentation reveals nothing.

If there is no way to wire up Tomcat to another security framework, then you can use recipe 7.5, Customized action mapping security, to do it through Struts.

An easy way to encrypt the password is to use the Java Cryptography Extension (JCE) API. When the user registers a password, you use JCE to do a one-way hash. You store the hashed password in the database. When the user authenticates, you hash what they entered and compare it to the stored value in the database. This way nobody knows the value of the password (even the DBA) except for the user. To protect the password from a dictionary attack, you prepend (or suffix) it with a constant (random text is best), a technique called salting. There is a great article on developerWorks on this.

http://www-128.ibm.com/developerworks/edu/j-dw-javasec1-i.html
bas duijzings
Ranch Hand

Joined: Apr 07, 2004
Posts: 83
George Franciscus wrote:
> I'm not a Tomcat expert, so I can't comment on external tools to add user IDs/passwords. However, I would agree with you that it's not a good idea to keep clear-text user info in a flat file.
> A better approach is to wire up another security framework (e.g. LDAP). I *think* I read that you can wire Tomcat to some other security framework, but a cursory search through the Tomcat documentation reveals nothing.


I think I found it in the Tomcat 5.5 documentation. This seems to answer my questions: http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html#JDBCRealm
A JDBCRealm can connect to a database and get the roles from there. So there must be a way to get them encrypted with this as well.

thanks for the pointer.
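What the JDBCRealm configuration from that Tomcat 5.5 page looks like in practice, as an added example (not a fragment from the thread or copied from the Tomcat documentation). The first two Realm elements show the clear-text tomcat-users.xml setting criticised above beside the digested form of the same realm; the third replaces the file with the database. Only one Realm element goes inside a given Engine, Host or Context. The driver class, JDBC URL, account and table/column names are assumptions.

```xml
<!-- Added example: Tomcat 5.5 server.xml / context.xml fragments. -->

<!-- Weak setting, as shipped: MemoryRealm reads conf/tomcat-users.xml
     and compares the clear-text passwords stored there. -->
<Realm className="org.apache.catalina.realm.MemoryRealm" />

<!-- Same file, but each password attribute now holds the SHA hex digest
     of the password instead of the password itself. -->
<Realm className="org.apache.catalina.realm.MemoryRealm" digest="SHA" />

<!-- JDBCRealm: users and roles are read from the database. user_pass holds
     the SHA digest, so no clear-text password is stored anywhere. -->
<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="org.postgresql.Driver"
       connectionURL="jdbc:postgresql://localhost:5432/appdb"
       connectionName="tomcat_auth"
       connectionPassword="replace-me"
       userTable="users"          userNameCol="user_name"  userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name"
       digest="SHA" />
```

The realm expects two tables: one with a user-name column and a credential column (`users.user_name`, `users.user_pass` above), and one mapping user names to role names (`user_roles.user_name`, `user_roles.role_name`); a user has as many rows in the second table as roles. With `digest="SHA"` the stored credential is the hex-encoded `MessageDigest` of the password, which the Tomcat 5.5 distribution can produce with `java -classpath $CATALINA_HOME/server/lib/catalina.jar org.apache.catalina.realm.RealmBase -a SHA <password>`. Three caveats a reviewer would raise: this digest is a single unsalted SHA-1, so it is cheap to attack if the table leaks; `connectionPassword` is itself a clear-text secret in server.xml, so restrict the file's permissions and give `tomcat_auth` SELECT on those two tables only; and a JDBCRealm holds one shared connection, so the DataSourceRealm on the same page is the better choice under load.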