user1432110

Reputation: 11

How to implement Role Based Access Control with Authentication and Session Management in Struts2?

I would like to implement role based access control in my Struts2.3 application to make it secure.

Below are the features I am looking for:

  1. User Authentication and Session Management with Session Timeout.
  2. Authorization on the basis of User role.

I have searched a lot on this topic but have not been able to find a proper solution.

I have implemented Acegi security in Struts1.2 applications but didn't find a proper solution to implement security in Struts2.3.

Any pointers on this would be really helpful.

Thanks

Upvotes: 1

Views: 5638

Answers (2)

mprabhat

Reputation: 20323

Acegi Security has been called Spring Security since 2007.

All your questions are answered here.

The document runs to multiple pages, so I will give you quick pointers to the topics that you need to check:

User Authentication: Using other Authentication Providers

Session Management: Session Management

Authorization: Access-Control (Authorization) in Spring Security

Upvotes: 2

Junchen Liu

Reputation: 5624

Authentication: LDAP integration with the application server is the way to go.

Download OpenDJ, set up users and a single group, and assign the users to the group.

Using GlassFish as an example, set up a GlassFish LDAP realm and point the realm to the LDAP server.

Configure glassfish.xml and web.xml; specify the directory-based restriction according to your LDAP group, so that different LDAP users can access different areas of your web app.

Create a secure folder and put all web pages in that folder except the login page.

The point is that once a user logs in through the keyword j_security_check, GlassFish authenticates against LDAP and allows you to access the content in the secure folder.

The drawback is that LDAP doesn't have a permission concept.

User permission: for well-defined permission access, you have to implement it on your own.

A permission table holds all the permission activities.

A user table you must already have.

A role table defines all the roles.

Role to user: many-to-many relationship.

Role to permission: many-to-many relationship.

user <-> role <-> permission

Whenever you want to perform an action for a user, get the current username from the session, then get the list of roles this user has, then get the permissions the user's roles have, then check against the action to see if you are allowed to do it.

This is just one way to do it. I wish LDAP gave you the ability to define permissions, but apparently it doesn't.

Upvotes: 0
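The user-role-permission resolution and session check described in the answer above, written out as an added example (not code from either answer, and in Python rather than a Struts2 interceptor so it runs stand-alone). The users, roles, permissions, action names and the 30-minute idle timeout are constructed sample data; in a real application the same checks would sit in an interceptor that reads the username from the HTTP session and denies by default.

```python
import time

# Constructed sample data (hypothetical), laid out like the answer's tables:
# the user-role and role-permission many-to-many join tables.
USER_ROLES = {
    "alice": {"admin"},
    "bob": {"editor", "viewer"},
    "carol": {"viewer"},
}
ROLE_PERMISSIONS = {
    "admin": {"report:view", "report:edit", "report:delete"},
    "editor": {"report:view", "report:edit"},
    "viewer": {"report:view"},
}
# Permission each action requires (constructed); unmapped actions are denied.
ACTION_PERMISSION = {
    "viewReport": "report:view",
    "editReport": "report:edit",
    "deleteReport": "report:delete",
}
SESSION_TIMEOUT_SECONDS = 30 * 60


def permissions_of(username):
    """Resolve user -> roles -> permissions, as the answer describes."""
    perms = set()
    for role in USER_ROLES.get(username, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def session_user(session, now=None):
    """Username from the session, or None if absent or idle past the timeout."""
    now = time.time() if now is None else now
    username, last_access = session.get("username"), session.get("last_access")
    if username is None or last_access is None or now - last_access > SESSION_TIMEOUT_SECONDS:
        return None
    session["last_access"] = now  # refresh the idle timer on successful use
    return username


def is_allowed(session, action, now=None):
    """What an authorization interceptor checks before running an action."""
    username = session_user(session, now)
    if username is None:
        return False  # not logged in or session expired
    required = ACTION_PERMISSION.get(action)
    return required is not None and required in permissions_of(username)
```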
