secure access and struts

 
Ranch Hand
Posts: 285
Hello,
I have an app with secure areas that can only be accessed by authenticated users; for example, the localhost:8080/v2/pcp/newQuote link is only given out once the user has logged in. However, if I type this link into the browser, I can at the moment get to it without logging in.
The entry in the struts-config.xml at the moment is:

In a non-Struts environment, I used to check for the presence of a session with the userID stored in it.
Can someone please point me in the right direction on how to achieve the same in Struts?
FK
 
Ranch Hand
Posts: 2713
A flexible and easy way to implement these types of security requirements is with a Servlet Filter. The authenticated user information can then be bound in a ThreadLocal for easy access by any code that needs it. Just be sure to have your filter clean up the ThreadLocal when the request is on its way out, since your application will be running in a thread pool controlled and managed by the Application Server.
[ February 12, 2004: Message edited by: Chris Mathews ]
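An added example (not from the thread) of the filter Chris describes: it checks the session for a user id, binds it to a ThreadLocal for the rest of the request, and clears it in a finally block so the pooled thread does not carry the value into the next request. The session attribute name "userID", the login page path and the web.xml mapping to /secure/* are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Map this filter in web.xml to the secure URL pattern, e.g. <url-pattern>/secure/*</url-pattern> (assumed).
public class SecureAccessFilter implements Filter {

    // Holds the authenticated user id for the duration of one request on the current thread.
    private static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<String>();

    // Any code downstream of the filter can read the user id without touching the session.
    public static String currentUser() {
        return CURRENT_USER.get();
    }

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) avoids creating a session for an unauthenticated caller.
        HttpSession session = request.getSession(false);
        String userId = (session == null) ? null : (String) session.getAttribute("userID"); // attribute name assumed

        if (userId == null) {
            // Not logged in: send the caller to the login page instead of the protected action.
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }

        CURRENT_USER.set(userId);
        try {
            chain.doFilter(request, response);
        } finally {
            // The container reuses this thread from its pool; always clear the binding on the way out.
            CURRENT_USER.remove();
        }
    }

    public void destroy() { }
}
```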
 
Faisal Khan
Ranch Hand
Posts: 285
Chris - Thanks for the answer. Is it not possible to achieve that kind of secure access with Struts itself or are Filters simply a better choice here? Using filters would mean adding each secure resource to the web.xml in addition to the struts-config.xml, is that right?
 
Ranch Hand
Posts: 452
Using filters would mean adding each secure resource to the web.xml in addition to the struts-config.xml, is that right?
Depends: either you can have one generic filter which intercepts all the requests, or you can add the URLs of all the secure locations in the web.xml and map them to your filter.
As you are using Struts, you can use the RequestProcessor. Here you can check if the user is asking for the secure site. If so, check for the user ID in the session.
 
Faisal Khan
Ranch Hand
Posts: 285

Originally posted by Prakash Dwivedi:
Using filters would mean adding each secure resource to the web.xml in addition to the struts-config.xml, is that right?
Depends: either you can have one generic filter which intercepts all the requests, or you can add the URLs of all the secure locations in the web.xml and map them to your filter.
As you are using Struts, you can use the RequestProcessor. Here you can check if the user is asking for the secure site. If so, check for the user ID in the session.

Just to elaborate on the above: I understand the aspect of chaining or not chaining the filters, BUT I am not too keen on adding all the URLs that should be checked for the presence of a valid session to the web.xml.
I like the idea of being able to use the RequestProcessor from within the Struts config, but I am not sure how that would work. Can someone please tell me more about this?
Thanks.
 
Ranch Hand
Posts: 287
Just a thought.
I have an application with secured and unsecured pages.
In order to easily transition between the two, I created a SecureActionInterface that all secured pages must implement.
The methods are simple enough. There is a getCurrentUser() method which checks the requesting user's authentication against the persistence layer. This could be anything: HTTP session, EJB, straight from the database, take your pick.
The other method is checkUserLogin(), which simply looks over the user information (once we've called getCurrentUser()) to make sure they have a valid login. The user might be valid in the system, but that doesn't mean they've properly logged in. If the checkUserLogin() method cannot validate the user or validate their login, they're kicked back to a login screen.
It's really quite simple to implement. The only real trick is finding a way to ensure that developers who might follow you understand that certain pages must be secured and why. I've also considered an abstract implementation for classes that routinely use the same method implementation of the SecureActionInterface.
 
Sheriff
Posts: 17665
You can use one URL pattern to access secure resources and another to access unsecured resources. In our project, all our secure resources are accessed through /ourapp/secure/*.do (go figure). Then we set up one filter for this URL pattern. Any /ourapp/*.do URLs are unsecured and are not filtered.
HTH
 
Faisal Khan
Ranch Hand
Posts: 285
Thank you guys for all your ideas and feedback.
I was under the impression that there would be something more inherent in Struts which takes care of this. I guess I will go with the idea of appending /secure/ and then using a filter to check whether access should be granted.
Thanks again.
 
Prakash Dwivedi
Ranch Hand
Posts: 452
Hi Faisal,
To use the request processor, add this line in struts-config.xml:
<controller className="org.apache.struts.config.ControllerConfig" inputForward="true" debug="1" processorClass="com.trs.config.CustomRequestProcessor"/>

Create a class CustomRequestProcessor which extends org.apache.struts.action.RequestProcessor.
All the requests to your Struts application will pass through this. You can check if the request is for the secure site, and if so you can check for the user id in the session.
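An added example (not Prakash's code) of the CustomRequestProcessor named in the <controller> element above. It uses the processPreprocess hook of Struts 1's RequestProcessor, which runs before the Action is selected; returning false tells Struts that a response has already been produced. The /secure/ path prefix, the "userID" session attribute and the login page path are assumptions.

```java
package com.trs.config;

import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.RequestProcessor;

public class CustomRequestProcessor extends RequestProcessor {

    // Servlet-path prefix under which every action requires a login (assumed layout).
    private static final String SECURE_PREFIX = "/secure/";

    // Struts calls this for every request before looking up the ActionMapping.
    // Return true to continue normal processing, false to stop because we have answered already.
    protected boolean processPreprocess(HttpServletRequest request, HttpServletResponse response) {
        String path = request.getServletPath();
        if (path == null || !path.startsWith(SECURE_PREFIX)) {
            return true; // unsecured action: carry on
        }

        // Never create a session for an anonymous caller; just look for an existing one.
        HttpSession session = request.getSession(false);
        Object userId = (session == null) ? null : session.getAttribute("userID"); // attribute name assumed
        if (userId != null) {
            return true; // logged in: let the secure action run
        }

        try {
            // No valid login: send the caller to the login page (path assumed).
            response.sendRedirect(request.getContextPath() + "/login.jsp");
        } catch (IOException e) {
            // 'servlet' is the ActionServlet field RequestProcessor gives its subclasses.
            servlet.log("Redirect to login page failed", e);
        }
        return false;
    }
}
```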
 
Greenhorn
Posts: 5
You should use form-based authentication (J2EE specification). This will help you protect your application by URL.
 
Ranch Hand
Posts: 140
I am new to Struts and J2EE and I found the discussion pretty interesting and informative! I liked Rob's idea better.
Question for Ngo Thanh Hien:
If the answer could be brief, how can we implement "Form Based Authentication" (as per the J2EE Spec)?
TIA
Amer
 
Faisal Khan
Ranch Hand
Posts: 285

Originally posted by Ngo Thanh Hien:
You should use form-based authentication (J2EE specification). This will help you protect your application by URL.

Ngo,
We do have form-based authentication; the discussion was more about securing certain resources. For example, once you have successfully logged in and see a URL of the form www.somedomain.com/do/quote, and you send this URL to a friend, they should not be able to access this resource, and a request for this resource should give them either a login page or an access denied error. We were discussing ways to achieve this in the Struts environment.
I hope I understood what you meant.
Regards
FK
 
Ngo Thanh Hien
Greenhorn
Posts: 5
It is the same in a Struts environment. If you use form-based authentication, then you don't lose time coding and designing a database for it. Further, if your application is full J2EE (including EJB components), you can also protect your EJB business methods with method permissions. The login user may be at your OS level or in LDAP.
I don't know which server you use, but if you use WebSphere then it supports this way of authentication well (when the session times out, the application server dynamically forwards the user to the login page).
- In order to do form-based authentication you should:
1. (In web.xml) define a security role and map that role to the protected URL pattern:
<!-- Every URL under /admin/ may only be reached by a caller in the Admin role -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>AdminResource</web-resource-name>
        <description></description>
        <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description></description>
        <role-name>Admin</role-name>
    </auth-constraint>
</security-constraint>
<!-- The container shows login.jsp for unauthenticated requests and logerr.jsp on failure -->
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/logerr.jsp</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <description>Administrator</description>
    <role-name>Admin</role-name>
</security-role>
2. In ejb-jar.xml you should define the same security roles as in web.xml, and the method permissions (see the EJB specification for details).
3. In application.xml (EAR project) you also define the same security roles as in web.xml and ejb-jar.xml, and map these roles to specific users or groups (on the OS, for example).
If you do that, then when you request a URL such as http://your_context/admin/* you will be forwarded to the login page. Note: login.jsp above contains 2 input fields with the fixed names j_username/j_password and the fixed action URL j_security_check. When you enter a correct account, the requested URL will be processed.
Hope this helps you.
 
Greenhorn
Posts: 2
Hi,
I have a common problem here, i.e. I could not switch the protocol back to http after the https transaction completes. I tried using web.xml and added the login page there (as mentioned by 'Ngo Thanh Hien' in his message), but it does not work. I tried another way: I added the https protocol to the URL for the login button 'action' and after loginComplete reverted back to "http" and sent it to ActionForward (Struts API) with the flag true (I assume this needs a full URL to redirect). This works fine, but in case I have a relative URL, it fails.
Does anyone know a better idea?
Thanks in advance.
-Sanjay
 