Why the front controller changed from servlet to Filter?

 
Ranch Hand
Thing is, when I want to have basic authentication there should be some Servlet component which will have doGet, doPost methods which are constrained in web.xml.

Earlier, ActionServlet being a servlet, we were able to support/enable declarative security.

But now, because we don't have servlets, we may need to come up with a dummy Servlet to support/enable declarative security (basic).
 
Rancher
Why would you need a servlet for that? You don't configure a servlet's doGet or doPost method to be constrained, you configure GET or POST operations to a particular URL to be constrained. It's the servlet container's job to figure out which accesses need authentication, and which don't. So I'm not sure where you see the problem; can you elaborate?
 
Ranch Hand
Why do you need a servlet? Declarative security works using URL patterns, so there will be no need for a servlet. The only thing I know of that you need for a servlet is <security-role-ref> and this is done to override programmatic security in the servlet itself.
 
Srinivasan thoyyeti
Ranch Hand
Ulf Dittmer,

When we want to have declarative security, in the security constraint tag we specify two things, url-pattern and methods, for having a constrained request.

Method(s) can be any of: GET, POST, HEAD, TRACE, PUT, DELETE

Hence the resource can only be a servlet, and that too it should have corresponding methods like doGet, doPost, doHead, doTrace.

Earlier, all projects using Struts versions less than 2.0 had a default Servlet with all those methods defined. So it's easy to set up declarative security, as we already have a resource for having constrained requests.

Now projects using Struts 2.0 do not have any default Servlet, so while configuring declarative security we don't have a servlet resource to get protected and hence we might have to come up with a dummyServlet for achieving that.

Does it make any sense to you?
 
Ulf Dittmer
Rancher
I'm not sure where you see the connection between URL patterns and servlets (or their methods).

As you said, the security declaration involves an url-pattern. What's behind that URL pattern (a servlet, or a mapped JSP, or a file or directory) is irrelevant.
 
Srinivasan thoyyeti
Ranch Hand
Ulf Dittmer,

Constrained requests are based on both url-pattern and HTTP method.

URL pattern + HTTP method ---> constrained request.

HTTP method definitions doGet, doPost can only be found in a Servlet.


So we can't have a constrained request to any resource other than a Servlet, simply because they don't possess HTTP method definitions (doGet, doPost, etc.).

Got my point?
 
Alaa Nassef
Ranch Hand
Actually I believe that the http method here means what the browser sends, and not the handler in the servlet. I mean that putting a security constraint on post, means that this constraint is triggered when a user performs an HTTP_POST on the specified URL pattern, not when the doPost method is invoked.
 
Ulf Dittmer
Rancher

Got my point?


Yes, but it's wrong.

Using GET (or POST) implies that HTTP is used as the transport protocol. It does not imply anything about what handles HTTP at the server side. Where is the servlet if a static HTML page is requested?

Servlets can be mapped to URLs. That doesn't mean that there aren't other ways how to map resources to URLs; file system hierarchies being an obvious one.
 
author
To answer your original question, we use a filter because we want to serve static files from jars, and that isn't possible via a servlet. More advanced tags, particularly the dojo-based ajax tags require images, CSS, and Javascript files, so we want to make those transparently available, while still allowing the application developer to have static Javascript, CSS, and image files served up on disk by the servlet container.
 
Srinivasan thoyyeti
Ranch Hand
Thanks Don.
But Ulf Dittmer, I want a web app example in which you have no servlet but have declarative security, say basic security.

If you provide that I shall agree with your point.
 
Alaa Nassef
Ranch Hand
Dear Srinivasan,

Declarative security gives authorization to certain roles to invoke certain HTTP methods on specific URL patterns. It has nothing to do with servlets, JSPs, Filters, static files or anything. The container manages those HTTP requests. If you send an HTTP_GET request to /my/pattern/file.xls, the container will see if this mapping has a security constraint on the HTTP_GET method. If it does, it will see your session to see if you are authenticated or not. If not, it will ask you for authentication. If authenticated, it will see if you are authorized or not. After all of this happens, and after making sure that you are authorized, the request is processed normally. If there are filters that have mappings that match this pattern, a filter chain is going to be created. If there is a servlet mapped to this pattern, the doGet method is invoked. If this is a static file, it will be sent to you.

Security is done before anything else. It has nothing to do with what (physically) is being secured, whether it is a servlet, or any other resource. If I send you a deployment descriptor, and tell you that it works, will you believe me blindly, or you'll have to try it yourself? We are telling you what is being done in the container. If you don't believe us, just try it yourself.
 
Ranch Hand

Originally posted by Srinivasan thoyyeti:
Thanks Don.
But Ulf Dittmer, I want a web app example in which you have no servlet but have declarative security, say basic security.

If you provide that I shall agree with your point.



It is possible to define BASIC HTTP security declaratively on a webapp which has say only a jsp file (the jsp can be accessed with a URL pattern). As others have pointed out, the security is tied up to URL patterns and HTTP methods and not to the server side implementation of the URL and the associated HTTP method.
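
A deployment descriptor of the kind requested above, as an added example that is not part of any post in this thread: BASIC authentication declared on a URL pattern in a web application that declares no servlet at all. The `/reports/*` pattern, the `reports-user` role and the realm name are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example. There is no <servlet> or <servlet-mapping> in this file;
     /reports/ may hold static HTML, spreadsheets or JSPs. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <!-- Assumed path: the container matches the request URL against this
           pattern, not against any servlet class -->
      <url-pattern>/reports/*</url-pattern>
      <!-- No <http-method> elements, so the constraint covers every HTTP
           method. Listing only GET and POST here would leave the other
           methods on this pattern unconstrained. -->
    </web-resource-collection>
    <auth-constraint>
      <!-- Assumed role name; must match a <security-role> below -->
      <role-name>reports-user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- BASIC sends credentials base64-encoded, not encrypted,
           so require a TLS transport -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Reports Realm</realm-name>
  </login-config>

  <security-role>
    <role-name>reports-user</role-name>
  </security-role>
</web-app>
```

Users and their role assignments come from the realm configured in the container, and the challenge is issued by the container before any filter, servlet or static file handler sees the request.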
 
Sheriff

It is possible to define BASIC HTTP security declaratively on a webapp which has say only a jsp file


Ugly, but you can define the JSP to be a servlet, using the jsp-file tag in the servlet tag. Any common security mechanism can then be applied.
 
Ulf Dittmer
Rancher

you can define the JSP to be a servlet


True, but the point of this discussion was not that JSPs can be used instead of servlets; it was that web app security is independent of the kind of resource that's protected. That resource can be a servlet, it can be JSPs, it can be static HTML pages or anything else that someone might care to put into a servlet container.
 
Srinivasan thoyyeti
Ranch Hand
Ulf Dittmer,
Alaa Nassef ,
Reghu Ram Thanumalayan,

I am sorry for all my stupid comments.
I will not repeat this.
 