Consulting Concepts about Security

 
Ranch Hand
Posts: 131
Dear Developers

The reason for this post is to consult and get suggestions about this:

1: Is a realm the only way to do security for Struts?

2: How can I do this?
It is normal that when a user (including us) works with a web application, the browser
saves the URL in its history, so when the user logs out of the system, the URL is still
in the browser.

So to avoid a smart user who wants to avoid the login (on the same computer), he may simply see the URL and
load any URL, like http://.../app/someaction.do for example.

So how can I avoid this with security?
Using roles? If the role exists and the user is not validated, this user should be forwarded
to the login page.

I think that in any JSP file this code should appear
<logic:present role="" . .. . . . >
but where should it be declared or written?
In the JSP tile file (master template) or the JSP page which is included in the JSP tile.


Is this correct or does a better way exist? (reason for question 1)

If I am wrong in some part of the logic, please correct me.

Please share your knowledge and experiences.

Thanks so much in advance.
 
Ranch Hand
Posts: 180

So to avoid a smart user who wants to avoid the login (on the same computer), he may simply see the URL and load any URL, like http://.../app/someaction.do for example.


Hi Manuel,
This has to be checked programmatically by the developer. You need to check for the login information in every ActionClass and allow the execute() to be executed if the user has come from the login page, and thus not allow anyone to access your site like that.
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        HttpSession session = request.getSession();
        LoginForm loginForm = (LoginForm) session.getAttribute("loginForm");
        EditUserForm edituserForm = (EditUserForm) form;

        // No login information in the session: drop the session and go to the login page.
        // Note: compare string contents with length()/equals(), never with == "".
        if (loginForm == null || loginForm.getUserid() == null
                || loginForm.getUserid().trim().length() == 0) {
            session.invalidate();
            return mapping.findForward("login");
        } else if (edituserForm == null) {
            return mapping.findForward("error-edituser");
        } else {
            // Do this: the real work of the action goes here
            return mapping.findForward("success"); // forward name assumed
        }
    }
--------
Roles are also used for security.

[ November 13, 2006: Message edited by: RoshaniG Gopal ]
 
Manuel Jordan
Ranch Hand
Posts: 131
Hello RoshaniG

Thanks for your reply.

OK, that works when the URL ends with an action "/url/..../someaction.do"

So I must repeat this in each action class


and I guess that the real implementation of the execute method should be implemented here

Right?

OK, I appreciate your help, and this question is obvious, so how can I avoid repeating this code in each action class? (I will try using AOP), but how did you do this?

Now this is funny, please check this case:
I have all the JSP files outside of the folder WEB-INF (inside a folder called jsp, of course), but a smart user can simply do this: play in the browser with the URL (and guess the JSP name) and go through all the JSP files with the "list of directory"
How?
http://localhost:8080/app/jsp/

So instead of the smart user trying to hack the URL with some URL ending with some action, it only loads

http://localhost:8080/app/jsp/insertions/worker/insertWorker.jsp
(after looking through the jsp folder of course)
Of course, if the user tries to run the file.jsp it calls an action,
http://localhost:8080/app/insertWorkerAction.do
which should now have the login validation, but I hope that you can see my point.

So how can I avoid this?

Thanks so much in advance.
 
Ranch Hand
Posts: 4864
One way to check for a valid login on every action without having to change the code in your Action class would be to put this code in a Servlet Filter. This option is only available if your Application Server supports J2EE V 1.4 or above. This link explains more about Servlet filters.
 
RoshaniG Gopal
Ranch Hand
Posts: 180
Hi Manuel,
You would only have to import the login form from where you want the login information of the user.
Merrill - I have not gone deeply through the link you sent, but I wanted to ask, is this way of imposing security wrong? Is it not a simple way of achieving what we require?
 
Manuel Jordan
Ranch Hand
Posts: 131
Hello

Thanks to both of you for your replies.

Merrill: I used to work with Tomcat and Spring, but what I want to do is (as a test) with AOP, so I can't use your option (cumbersome J2EE).

RoshaniG:

You would only have to import the login form from where you want the login information of the user.


Yes, each action class.

I wanted to ask, is this way of imposing security wrong? Is it not a simple way of achieving what we require?


A good question, I agree.

Thanks for your time.

Regards
 
Merrill Higginson
Ranch Hand
Posts: 4864

is this way of imposing security wrong? Is it not a simple way of achieving what we require?



I'm afraid I don't understand the question entirely. Using a servlet filter to impose security constraints is certainly not "wrong". It's a valid way of handling the problem. What leads you to believe it's "wrong"? Once you understand how it works, it's quite simple to write and register a servlet filter.

You can certainly add code to each Action class, and that will work fine, but I'm naturally lazy and don't like the idea of changing every Action class. I'd much rather put the code in one place.
 
Manuel Jordan
Ranch Hand
Posts: 131
Hello Merrill

You can certainly add code to each Action class, and that will work fine, but I'm naturally lazy and don't like the idea of changing every Action class. I'd much rather put the code in one place.



Yes, I agree, but...

Sorry for my ignorance on this point, does working with a realm have any disadvantage?

Which is better, realm or filters, and why?

Thanks in advance.
 
RoshaniG Gopal
Ranch Hand
Posts: 180
Hi Merrill,
What I wanted to ask was whether the methodology is to have the login info checked in all the ActionClasses to ensure that no action (or further business logic) is called for unauthenticated requests.
 
Ranch Hand
Posts: 948
I have not responded yet because authentication is not one of my strong suits. A previous project that I worked on was mostly open pages that did not require a login, but there was a section where people could maintain their profile pages. All the actions for that section extended a common base class that checked for user data in the session and redirected to a login page if the user was not logged in.

My current project has various security settings defined in web.xml. I am a bit fuzzy on the details of how this works. I just know that the container/web server takes care of detecting that the user is logged in and if not it redirects them to the login page.

I would think that any of the three solutions [1) base action class, 2) filter (per Merrill's suggestion) or 3) web server configuration] would be better than copying code into every action class. Another option similar to #1 would be to create a custom ActionMapping class with a property that you can configure in struts-config and have a base action class that checked if the user was logged in if the property was turned on for the action.

- Brent
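Brent's option 1 and its ActionMapping variant, as an added example that is not code from this thread: a custom ActionMapping exposes a "requiresLogin" property set from struts-config, and a base Action does the check once before handing over to the subclass. The property name, the forward name "login" and the session attribute "loginForm" (following RoshaniG's snippet above) are assumptions.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

// Custom mapping with a "requiresLogin" property that struts-config can set.
// (Each public class goes in its own .java file; shown together here.)
public class SecureActionMapping extends ActionMapping {
    private boolean requiresLogin = true; // secure by default; opt out per action
    public boolean isRequiresLogin() { return requiresLogin; }
    public void setRequiresLogin(boolean requiresLogin) { this.requiresLogin = requiresLogin; }
}

// Base class: the login check lives here once, not in every Action.
public abstract class SecureBaseAction extends Action {
    public final ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        if (mapping instanceof SecureActionMapping
                && ((SecureActionMapping) mapping).isRequiresLogin()
                && !isLoggedIn(request)) {
            return mapping.findForward("login"); // forward name assumed
        }
        return executeSecure(mapping, form, request, response);
    }

    // Session attribute "loginForm" assumed, as in RoshaniG's snippet.
    // getSession(false) avoids creating a session for anonymous requests.
    protected boolean isLoggedIn(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session != null && session.getAttribute("loginForm") != null;
    }

    // Subclasses implement the real work here; it only runs for logged-in users.
    protected abstract ActionForward executeSecure(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception;
}

/* struts-config.xml wiring (constructed for this example):
   <action-mappings type="SecureActionMapping">
     <action path="/insertWorkerAction" type="InsertWorkerAction" name="workerForm">
       <set-property property="requiresLogin" value="true"/>
       <forward name="login" path="/login.jsp"/>
     </action>
   </action-mappings>
*/
```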
 
Merrill Higginson
Ranch Hand
Posts: 4864
Manuel,

The term I would use for what you describe as "realm" is "container managed authentication", or Brent's option 3... Web Server configuration. If you are using container managed authentication, you have the option of specifying a "role" attribute in your action mapping that will restrict that action to authenticated users with the specified role. This is all done without any changes to code.

The filter approach that I describe above assumes you are not using container managed authentication. Sometimes container managed authentication just doesn't work for a particular project for whatever reason.

Each approach has its advantages and disadvantages. You'll just have to do your homework and decide which you want to use. I will say this much. Even though container managed authentication was supposed to make security easier, my experience is that it is neither simple nor easy to set up. If all you want to do is verify that the user is logged on before being able to perform an action, I'd recommend using your own login page and writing a simple filter to check for a valid login with each page. It's much simpler than dealing with container managed authentication.
[ November 20, 2006: Message edited by: Merrill Higginson ]
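The servlet filter Merrill recommends here and in his earlier reply, as an added example that is not code from this thread. It assumes the login form is stored in the session under "loginForm" (as in RoshaniG's snippet) and that the login page is /login.jsp; mapping it to /jsp/* as well as *.do also covers Manuel's concern about typing a JSP path directly.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// One login check for every request the filter is mapped to, instead of a copy
// in each Action class. Servlet 2.3+ (J2EE 1.3) is enough for filters.
public class LoginFilter implements Filter {
    // Assumptions (not from the thread): session attribute name and login page path
    private static final String LOGIN_ATTR = "loginForm";
    private static final String LOGIN_PAGE = "/login.jsp";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): do not create a session just to find out there is none
        HttpSession session = request.getSession(false);
        Object login = (session == null) ? null : session.getAttribute(LOGIN_ATTR);
        if (login == null) {
            // Not logged in, or logged out (session invalidated): whatever URL was
            // typed or recalled from the browser history, go to the login page.
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }

        // Ask the browser not to cache protected pages, so a page taken from
        // history after logout is requested again and lands in this filter.
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        chain.doFilter(request, response);
    }

    public void destroy() { }
}

/* web.xml (constructed). Keep /login.jsp and the login action outside these
   patterns, otherwise the redirect loops.
   <filter><filter-name>login</filter-name><filter-class>LoginFilter</filter-class></filter>
   <filter-mapping><filter-name>login</filter-name><url-pattern>*.do</url-pattern></filter-mapping>
   <filter-mapping><filter-name>login</filter-name><url-pattern>/jsp/*</url-pattern></filter-mapping>
*/
```

Moving the JSPs under WEB-INF (where the container never serves them directly) and disabling directory listings in the container make the /jsp/* mapping a second line of defence rather than the only one.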
 
Manuel Jordan
Ranch Hand
Posts: 131
Hello Merrill

and thanks for the reply.

You'll just have to do your homework and decide which you want to use.


Really, it is not homework, I only want an explanation of concepts based on your own experience.

I'd recommend using your own login page and writing a simple filter to check for a valid login with each page. It's much simpler than dealing with container managed authentication.


Your suggestion is appreciated and I will follow it.

As a comment, Acegi, a security framework, can be used with a realm,
and Acegi is used for Spring.

Thanks for your time.

Regards
[ November 20, 2006: Message edited by: Manuel Jordan ]
 
Merrill Higginson
Ranch Hand
Posts: 4864

As a comment, Acegi, a security framework, can be used with a realm,
and Acegi is used for Spring.


I'm afraid I can't help you there. I haven't heard of either of these frameworks.
 
Ranch Hand
Posts: 133
There's an org.apache.struts.action.RequestProcessor that can be extended to place your own role checking. It's called before every action and corresponds to the role attribute within the action mappings. It works quite well.
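The RequestProcessor approach graham describes, as an added example that is not code from this thread. Struts' default processRoles() asks the container via request.isUserInRole(); this version instead reads the roles your own login code put in the session, so the roles attribute in the action mapping works without container managed authentication. The session attribute "roles" and the forward name "login" are assumptions.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

// Registered in struts-config with <controller processorClass="..."/>; Struts
// calls processRoles() before every Action whose mapping declares roles="...".
public class RoleCheckingRequestProcessor extends RequestProcessor {

    protected boolean processRoles(HttpServletRequest request, HttpServletResponse response,
            ActionMapping mapping) throws IOException, ServletException {
        String[] required = mapping.getRoleNames();   // parsed from roles="a,b"
        if (required == null || required.length == 0) {
            return true;                               // no roles declared: open action
        }
        // Assumption: login stored the user's roles as a Set of Strings under "roles"
        HttpSession session = request.getSession(false);
        Set roles = (session == null) ? null : (Set) session.getAttribute("roles");
        if (roles == null) {
            // Not logged in at all: forward to the login page and stop processing
            processForwardConfig(request, response, mapping.findForward("login"));
            return false;
        }
        for (int i = 0; i < required.length; i++) {
            if (roles.contains(required[i])) {
                return true;                           // any one listed role suffices
            }
        }
        // Logged in but not authorised for this action: 403, same as the default
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return false;
    }
}

/* struts-config.xml (constructed for this example):
   <action path="/insertWorkerAction" type="InsertWorkerAction" roles="worker-admin">
     <forward name="login" path="/login.jsp"/>
   </action>
   <controller processorClass="RoleCheckingRequestProcessor"/>
*/
```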
 
Manuel Jordan
Ranch Hand
Posts: 131
Hello Graham

Good tip! If you know a good tutorial on the web, please share the link.

Regards
 