Diego Ramos

Reputation: 1059

Struts2 Authorization

I am about to graduate from university with a web application that needs to be implemented at school. Everything is working perfectly and this needs to be ready before November, but I'm having real trouble taking care of the security. The application must be able to have different users with one or more different roles (user1: roles: student; user 2: admin; user 3: professor, boss).

When a user logs in, he should be redirected to a different view depending on the roles he has, and then if he tries to access resources not allowed for his role, an error page should be shown.

This is what I've tried so far:

Method 1:

Authentication Method: Specified in web.xml as

<login-config>
   <auth-method>FORM</auth-method>
   <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
   </form-login-config>
</login-config>

Then, using the names j_username and j_password along with j_security_check on a custom JSP.

Authorization Method: Used Container Security (Tomcat) via DataSourceRealm, which allows us to connect to a database and get the user and the roles associated with him from 2 tables that need to be mapped in the server.xml:

<Resource name="jdbc/sstt"
          auth="Container"
          type="javax.sql.DataSource"
          driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
          url="jdbc:sqlserver://localhost;databaseName=BDTT"
          username="sa"
          password="pass"
          maxActive="100"
          maxIdle="30"
          maxWait="1000"/>

web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Students Only</web-resource-name>
        <url-pattern>/student/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>student</role-name>
    </auth-constraint>
</security-constraint>

<!-- Same mapping for professor, admin, and boss (/professor/* maps to the professor role) -->

Results: Whenever I tried to access a restricted area, for example /members/ (configured in web.xml inside a security constraint), it would work just perfectly, so the authorization goal was achieved.

The problem: When I submit the login form it fires j_security_check, so I'm not able to fire a Struts2 Action that could help me redirect depending on the user roles; this is the main problem. Everything was perfect, but I can't find a way to redirect after logging in with container security.

Method 2:

Authentication Method: A LoginAction class that queries the database and checks if the password is correct. It also checks the user roles, and here we should be able to return a String like "admin" or "student" and redirect to the appropriate index.jsp resource, but that would work only if users were allowed to have only one role. They can have many, so how should the view be constructed depending on all of the user's roles? What String would we return?

Authorization Method: I wrote a custom Interceptor which retrieves the User object from the session (this User object should be in the session only if the user authenticated successfully) and then performs the authorization logic there.

The problem: Unable to find a way to construct a view depending on several roles, and the problem with the Interceptor is that it only protects my actions, so the authorization goal was achieved, but only on actions. That means I could write /students/ and the URL would change to /students/index.jsp without even trying to authorize.

Other plans

I was thinking that maybe I could use filters to achieve the authorization (that way I could protect both the dynamic and static resources), but I don't know if that would be good practice since we have configured the Struts2 filter which maps to /*.

I was also looking into whether I could use JAAS or Spring Security, but I don't know if I could achieve this: authenticate, redirect based on roles and authorize. I wouldn't want to spend several more hours to find out that I can't do what I need, and I have just a very short time to finish this.

Other questions

Is it really good practice to put JSPs under WEB-INF? If so, should I rewrite all the access to my JSPs in the struts.xml to WEB-INF/jsp/students/index.jsp (for example)? Or should I stick to a security constraint defined in web.xml to avoid direct access to the /jsp/* URL pattern?

Thank you very much in advance for all your time and help.

Upvotes: 2

Views: 4401

Answers (1)

Aleksandr M

Reputation: 24396

For the problem in method 1: You can write a Struts2 interceptor to achieve what you want.

For Spring Security examples see my answer to this question https://stackoverflow.com/questions/12615354/how-to-implement-role-based-login/12629731#12629731

And YES, it is good practice to put JSPs under the WEB-INF folder. See Why put JSP in WEB-INF?

Upvotes: 2
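One shape such an interceptor can take, added here as an example and not the answerer's code: it is mapped onto the landing action that the container FORM login returns to, reads the roles Tomcat's DataSourceRealm established via isUserInRole(), and returns a result name that struts.xml maps to the per-role view, choosing the most privileged role when a user has several. It assumes the classic com.opensymphony.xwork2 interceptor API (Struts 2.3 era); the package, class and result names are hypothetical.

```java
package edu.example.security;   // hypothetical package name

import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import org.apache.struts2.ServletActionContext;
import javax.servlet.http.HttpServletRequest;
import java.util.Arrays;
import java.util.List;

/**
 * Placed on the landing action that the container's FORM login sends the user
 * to. Tomcat has already authenticated the request (j_security_check), so the
 * roles come from the DataSourceRealm via isUserInRole(), not from the session
 * or from anything the client submitted. The returned result name is resolved
 * like any action result, so struts.xml maps it, e.g. in <global-results>:
 *   <result name="admin" type="redirectAction">adminHome</result>
 *   <result name="student">/WEB-INF/jsp/students/index.jsp</result>
 *   <result name="unauthorized">/WEB-INF/jsp/error.jsp</result>
 */
public class RoleRedirectInterceptor extends AbstractInterceptor {

    // Most privileged role first: a user holding several roles lands on the
    // view of the first one that matches (professor + boss -> "boss").
    static final List<String> ROLE_PRIORITY =
            Arrays.asList("boss", "admin", "professor", "student");
    static final String UNAUTHORIZED = "unauthorized";
    static final String LOGIN = "login";

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest request = ServletActionContext.getRequest();
        if (request.getUserPrincipal() == null) {
            return LOGIN;   // no container login on this request
        }
        // Short-circuit: the landing action has nothing to execute, so the
        // name chosen here is rendered instead of invoking the action.
        return resultFor(request);
    }

    /** Picks the result name from the container roles; package-visible for tests. */
    static String resultFor(HttpServletRequest request) {
        for (String role : ROLE_PRIORITY) {
            if (request.isUserInRole(role)) {
                return role;
            }
        }
        return UNAUTHORIZED;   // authenticated but holds none of the known roles
    }
}
```

The security-constraint entries in web.xml still guard the per-role URL patterns (and JSPs stay under WEB-INF), so the interceptor only decides where a freshly logged-in user lands; it does not replace the container's authorization checks.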
