Struts with security how to question

 
Greenhorn
Posts: 2
Hi, guys:
I have a project to start. The background is:
1) WebSphere 5.0 + Struts 1.1 + Oracle9i (without EJB), pure web
2) We want to implement a function-level user check (scenario: when a user who has logged in wants to perform a function from a web page, our application, actually a servlet, needs to check the user name with the user database and get the role, then decide whether the user can do it or not).
I know some ways:
1) use JNDI;
2) override the RequestProcessor.processRoles() method;
3) check the user at the business method (POJO);
My question is: which one is better? For instance, for 1, 2, 3, how do I do them?
Thanks for replying as soon as possible.
Jack Dan
 
author
Posts: 32
You've got plenty of options to choose from. IMO security is a business requirement, and therefore should be dealt with in the business layer. Another way to look at it is ... If I were to switch to a command-line UI, would I lose functionality? Most times the answer to this question is to do security in the business layer. However, not every project needs to be a multi-layer architecture. If it's a small project then you can consider doing it in the web layer.

Here are some options

In the web layer:
a) You can secure a Struts action mapping using the role attribute. You can either use your container's role definitions (in web.xml), or point it to your own
b) You can protect areas on a page by using the role attribute on a tile definition
c) You can protect a field using the role attribute on a present tag
d) The RequestProcessor

The choices on (a), (b), (c) are a matter of granularity. Each of these is addressed in Struts Recipes (Manning).

In the business layer:
i) EJB: If you are using EJB, then you can secure using J2EE security on the bean or method level. You can use a SSB (with local interfaces if the architecture is collocated) to provide security. WebSphere allows you to use LDAP or whatever you want
ii) Spring Framework: Spring uses Aspect Orientated Programming (AOP) to provide security
iii) AOP: If you don't want to use Spring, then you can use AOP on its own.
iv) Java Dynamic Proxies: Java supports something like AOP, but uses reflection to intercept a call to a method. You would then combine this with a call to your security service
v) roll your own

All of my large projects have been done with (i) EJB, but I'm starting to become serious about (ii) Spring.
[ February 01, 2005: Message edited by: George Franciscus ]
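
Option (iv) from the answer above, sketched as an added example that is not part of the original posts: a JDK dynamic proxy that checks the caller's role before a business method runs. `RequiresRole`, `OrderService`, `RoleLookup` and `secure` are hypothetical names, and the in-memory map is constructed sample data standing in for a query against the user and role tables.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.*;

public class RoleProxyDemo {
    /** Hypothetical annotation: the role a caller must hold to invoke the method. */
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface RequiresRole { String value(); }

    /** Hypothetical business interface; any interface can be wrapped the same way. */
    interface OrderService {
        @RequiresRole("clerk")   String viewOrder(int id);
        @RequiresRole("manager") String cancelOrder(int id);
        String ping(); // deliberately unannotated, to show the default-deny path
    }
    /** Hypothetical role lookup; a real one would query the user database. */
    interface RoleLookup { Set<String> rolesFor(String user); }

    static class OrderServiceImpl implements OrderService {
        public String viewOrder(int id)   { return "order " + id; }
        public String cancelOrder(int id) { return "cancelled " + id; }
        public String ping()              { return "pong"; }
    }

    /** Wraps target so every call is authorized for 'user' before it reaches the POJO. */
    @SuppressWarnings("unchecked")
    static <T> T secure(Class<T> iface, T target, String user, RoleLookup lookup) {
        InvocationHandler h = (proxy, method, args) -> {
            RequiresRole need = method.getAnnotation(RequiresRole.class);
            // Default deny: a method with no declared role is never callable.
            if (need == null || !lookup.rolesFor(user).contains(need.value()))
                throw new SecurityException(user + " may not call " + method.getName());
            try { return method.invoke(target, args); }
            catch (InvocationTargetException e) { throw e.getCause(); } // unwrap business exception
        };
        return (T) Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] { iface }, h);
    }

    public static void main(String[] a) {
        // Constructed sample data standing in for the user/role tables.
        Map<String, Set<String>> db = new HashMap<>();
        db.put("alice", new HashSet<>(Arrays.asList("clerk", "manager")));
        db.put("bob", Collections.singleton("clerk"));
        RoleLookup lookup = u -> db.getOrDefault(u, Collections.emptySet());

        OrderService bob = secure(OrderService.class, new OrderServiceImpl(), "bob", lookup);
        System.out.println(bob.viewOrder(7));                       // allowed: bob is a clerk
        try { bob.cancelOrder(7); } catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
        try { bob.ping(); }         catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```

Because the check sits in front of the business object rather than in the web layer, it still applies if the Struts front end is replaced by another caller.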
 
jack dan
Greenhorn
Posts: 2
George:
Tks for the help. I understand using the deployment description attribute to manage auther and author (like web.xml), but I don't know how to connect that with the user account management system which is stored in the Oracle database. Could u tell me more detail?
TKS
 