Bob CHOI

Ranch Hand
since Nov 10, 2006

Recent posts by Bob CHOI

If the security mechanism is concerned simply with authentication (A) and authorization (A), the scenarios below demonstrate how the basics work.

assumption:

- client access to "hello.jsp" is required to be AAed
- hello.jsp is located under the web app root "myapp"
- Tomcat has created a few default user-password-role mappings; we'll use the one "tomcat-tomcat-tomcat"

hello.jsp:



web.xml config-1:



call flow:

1. client requesting http://localhost/myapp/hello.jsp
2. server asking for authentication
3. client popping up authentication window
4. user typing "tomcat", "tomcat"
5. client requesting http://localhost/myapp/hello.jsp with encoded authentication info
6. server verifying and authorizing the access
7. "hello tomcat" returning to client

web.xml config-2: use "*" for permitting all roles

excerpt from servlet spec p143 §17

"The auth-constraint indicates the user roles that should be permitted access to this resource collection."

- Did the servlet intend to send 403?
- If not, restart the browser and you'll get through; "*" means all user roles are allowed to gain access to those resources you mean.
- add the declaratives below to web.xml, then authentication will pop up

[ January 14, 2007: Message edited by: Bob CHOI ]
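The deployment descriptor for the scenario above, written here as an added example (it is not the poster's web.xml, whose contents are missing from this page). It assumes Tomcat's default tomcat-users.xml entry for user "tomcat" with role "tomcat", the Servlet 2.5 descriptor namespace, and the hypothetical resource name "hello". The "*" variant from config-2 is shown as a commented alternative inside the same auth-constraint.

```xml
<!-- Added example web.xml, not the poster's own file.
     Assumes Tomcat's default tomcat/tomcat user holding the "tomcat" role. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         version="2.5">

  <!-- config-1: only callers holding the "tomcat" role may reach hello.jsp -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>hello</web-resource-name>
      <url-pattern>/hello.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name>
      <!-- config-2 variant: <role-name>*</role-name> admits every role declared
           in <security-role> below; the caller must still authenticate -->
    </auth-constraint>
    <user-data-constraint>
      <!-- BASIC credentials are only base64-encoded, so require TLS on this path -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- steps 2 to 5 of the call flow: 401 challenge, browser prompt,
       re-request carrying the Authorization header -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>myapp</realm-name>
  </login-config>

  <!-- roles the application references; "*" in auth-constraint expands to these -->
  <security-role>
    <role-name>tomcat</role-name>
  </security-role>
</web-app>
```

Two descriptor edge cases are worth checking when a 403 appears unexpectedly: an auth-constraint with no role-name at all denies every caller, whereas leaving the auth-constraint element out entirely lets anyone through without authenticating, and "*" covers only the roles listed in security-role elements.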

Hi Jasiek

Sorry, I was mistaken about "rtexprvalue" - it's all about the attribute. The behavior of both code snippets might actually depend on the "body-content" setting on c:set and jsp:attribute.

"body-content" has four optional values:
- empty
- scriptless
- jsp
- tagdependent

Therefore, "body-content=tagdependent" could cause them to act "irregularly" until we find out how the tag handlers work accordingly.

Hi Jasiek

jsp:attribute might declare that it does not accept EL'd stuff, provided that it has used the declarative "rtexprvalue=false".

However, the problem in the 2nd code snippet seems strange to me, too.

Go on with the "dynamic" attribute a little bit below

tag form 3: dynaAttrName="value"
converted to: javax.servlet.jsp.tagext.DynamicAttributes:setAttribute(namespace,dynaAttrName,value),
inside the setter, we can code below,

public void setDynamicAttribute(String namespace, String dynaAttrName, Object value) throws JspException {
    // store the dynamic attribute under its own name, request-scoped
    pageContext.setAttribute(dynaAttrName, value, PageContext.REQUEST_SCOPE);
}

tag form 4: dynaAttrName="${name}"
converted to: javax.servlet.jsp.tagext.DynamicAttributes:setAttribute(namespace,dynaAttrName,value=getValue(name)),
inside the setter, we can code similarly to the above.

Let's explore how tag handler classes use setters to deal with attributes.

tag form 1: attribute="name"
converted to: setAttribute(name),
inside the setter, we can code below,

public void setAttribute(Object name) throws JspException {
    if (!(name instanceof String)) throw new JspException("expected an attribute name");
    this.value = getValue((String) name); // getValue: lookup of the named object
}

tag form 2: attribute="${name}"
converted to: setAttribute(value=getValue(name)),
inside the setter, we can code below,

public void setAttribute(Object value) {
    this.value = value; // the container has already evaluated the EL expression
}

In the handlers we can continue to set/get properties of value normally if it is a bean object; otherwise an exception is thrown.
[ January 12, 2007: Message edited by: Bob CHOI ]
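The four tag forms from this post and the "dynamic attribute" post above, combined into one hypothetical SimpleTag handler as an added example (not the poster's code, and not a class from any library). The class name UseObjectTag, the attributes "var" and "target", and the TLD entry in the header comment are this example's own assumptions; the literal form resolves the String through JspContext.findAttribute rather than the poster's getValue helper.

```java
import java.io.IOException;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.PageContext;
import javax.servlet.jsp.tagext.DynamicAttributes;
import javax.servlet.jsp.tagext.SimpleTagSupport;

/*
 * Hypothetical tag handler; names are this example's own, not from the thread.
 * Assumed matching TLD entry:
 *
 *   <tag>
 *     <name>useObject</name>
 *     <tag-class>example.UseObjectTag</tag-class>
 *     <body-content>empty</body-content>
 *     <attribute><name>var</name><required>true</required></attribute>
 *     <attribute>
 *       <name>target</name><required>true</required>
 *       <rtexprvalue>true</rtexprvalue>   (false: the setter only ever sees the literal String)
 *       <type>java.lang.Object</type>
 *     </attribute>
 *     <dynamic-attributes>true</dynamic-attributes>
 *   </tag>
 */
public class UseObjectTag extends SimpleTagSupport implements DynamicAttributes {

    private String var;     // name to export the resolved object under
    private Object target;  // the resolved object

    public void setVar(String var) {
        this.var = var;
    }

    // Tag forms 1 and 2: target="name" delivers the String "name";
    // target="${name}" delivers whatever the EL expression evaluated to.
    public void setTarget(Object target) throws JspException {
        if (target instanceof String) {
            // literal form: treat the String as the name of a scoped attribute
            Object found = getJspContext().findAttribute((String) target);
            if (found == null) {
                throw new JspException("no scoped attribute named '" + target + "'");
            }
            this.target = found;
        } else if (target != null) {
            this.target = target;   // EL form: already the object itself
        } else {
            throw new JspException("target evaluated to null");
        }
    }

    // Tag forms 3 and 4: attributes not declared in the TLD arrive here,
    // already evaluated by the container if they were EL expressions.
    @Override
    public void setDynamicAttribute(String uri, String localName, Object value) throws JspException {
        if (value == null) {
            throw new JspException("dynamic attribute '" + localName + "' is null");
        }
        getJspContext().setAttribute(localName, value, PageContext.REQUEST_SCOPE);
    }

    @Override
    public void doTag() throws JspException, IOException {
        // export the object so later EL / JSTL can read its bean properties
        getJspContext().setAttribute(var, target, PageContext.REQUEST_SCOPE);
    }
}
```

Which of setTarget's branches runs is decided entirely by the TLD: with rtexprvalue false the container never evaluates "${name}" and the setter receives that text as a plain String, which is the behaviour the earlier reply about "rtexprvalue=false" refers to.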
The "target" attribute may accept EL'd/expressed values when "rtexprvalue" is turned on in the tld. "Unfortunately" here it IS the case.

We can use jsp:bean to create any type which has a non-parameterized constructor, I assume. If such a type has no public setter, not much practical use can be foreseen since its object state cannot be updated by standard actions or JSTL. Right?

Just one more tiny try, I see: jsp:useBean actually does "tag:useObject" too!!!

In JSP, we can use jsp:useBean to create a bean object.

Can we create other types of object with standard actions or JSTL rather than scripting, e.g. <% request.setAttribute("name", new Object()) %>?

Probably we have to write our own custom tag "tag:useObject" for it, don't we? :roll:

tag handler class InnerTag



[ January 12, 2007: Message edited by: Bob CHOI ]
tag handler class OuterTag

tld