Comments on: Struts, JAAS, Tomcat: getting acquainted (part 2) http://technology.amis.nl/2004/11/19/struts-jaas-tomcat-getting-acquainted-part-2/?utm_source=rss&utm_medium=rss&utm_campaign=struts-jaas-tomcat-getting-acquainted-part-2 Fri, 12 Apr 2013 10:04:09 +0000 hourly 1 http://wordpress.org/?v=3.5.1 By: Narasimha http://technology.amis.nl/2004/11/19/struts-jaas-tomcat-getting-acquainted-part-2/#comment-1147 Narasimha Thu, 16 Nov 2006 17:37:51 +0000 /?p=261#comment-1147 Hi,
I am also facing the same problem while reading the ApplicationResources.properties.

It is working fine in Windows Environment,But it is not working on Linux Environment.Please help me out from this.

Thanks in Advance,
Narasimha

]]> By: diabolo512 http://technology.amis.nl/2004/11/19/struts-jaas-tomcat-getting-acquainted-part-2/#comment-1146 diabolo512 Thu, 21 Jul 2005 08:17:20 +0000 /?p=261#comment-1146 hi all,
the jGuard project (http://jguard.sourceforge.net) has published a new release(0.65).
some of the new features in this release:
- dynamically manage roles and permissions through a webapp
- configuration is easier
- logging system has been added
- new database implementations has been added (DB2, MS SQL Server)

jGuard provides an easy JAAS integration in j2ee environment.
enjoy!

Charles(jGuard team).

]]> By: john http://technology.amis.nl/2004/11/19/struts-jaas-tomcat-getting-acquainted-part-2/#comment-1145 john Thu, 31 Mar 2005 16:53:59 +0000 /?p=261#comment-1145 For Zeger, please see above my reply in 19 regarding the article I found for per-field permission.

]]> By: Zeger Hendrikse http://technology.amis.nl/2004/11/19/struts-jaas-tomcat-getting-acquainted-part-2/#comment-1144 Zeger Hendrikse Thu, 24 Mar 2005 16:04:51 +0000 /?p=261#comment-1144 Sorry to all, but due to a mistake in my e-mail address in my profile, I wasn’t kept up to date on the comments of my own post. Quite a lot now, I must say :-)

As far as JGuard is concerned, if I would start another project, I would definitely take the effort to use it. At that time, I was motivated to learn JAAS, but now that I’m acquainted on a baisc level, it is indeed better to use an existing solution (like JGuard), than to reinvent the wheel.

To John, comment 21: As you may have concluded, this was a study project for me, so I was relatively new on the subject. Consequently, I’m afraid I wouldn’t know the answer to your question on per-field permissions.

]]> By: john http://technology.amis.nl/2004/11/19/struts-jaas-tomcat-getting-acquainted-part-2/#comment-1143 john Thu, 24 Mar 2005 15:10:29 +0000 /?p=261#comment-1143 Thanks for your tips. But Hibernate has a reputation of slower performance that blcks us away. For instance level security seems to me it still in record row level, which means users may do either modifying or viewing on all fields of the whole row record. What I looked is for whole record row, every one can view its fields, but some user can edit some fields(not all fields) within that record row, admin user can edit all fields. Am I right?

]]> By: Thijs http://technology.amis.nl/2004/11/19/struts-jaas-tomcat-getting-acquainted-part-2/#comment-1142 Thijs Thu, 17 Mar 2005 00:29:38 +0000 /?p=261#comment-1142 Comment from Thijs: Security: Declarative permissions using JAAS and Interceptors http://www.hibernate.org/140.html might also be usefull,
They describe an approach for declarative security using objectids in a database.

id | permission | action | classname | principal | oid
----+---------------------------+--------+-----------+-----------+-----
1 | HibernateClassPermission | * | * | bob |
2 | HibernateObjectPermission | load | User | alice | 47

Thanks for your link, might also come in handy.
I currently use a security filter plus ideas from the instance-level security article, but adapted to a database and with nested groups.

]]> By: john http://technology.amis.nl/2004/11/19/struts-jaas-tomcat-getting-acquainted-part-2/#comment-1141 john Mon, 14 Mar 2005 21:16:01 +0000 /?p=261#comment-1141 I got a good one in http://www-106.ibm.com/developerworks/library/wa-appsec “web app security using Structs,servlet filters, and custom taglibs”(02 Sep 2004 Swaminathan Radhakrishnan) which introduced page accessing level security and attribute-level security which are exactly what I am looking for.

This is the only one I found to have talked about the attribute/field level security sofar. Most of the articles are talking page accessing level even like the first link “Instance-level”, because many authors did not create the enterprise application with field/attribute level security. But the above one I just found looks very good
which I mean he kept application performance in mind.

]]> By: Thijs http://technology.amis.nl/2004/11/19/struts-jaas-tomcat-getting-acquainted-part-2/#comment-1140 Thijs Wed, 09 Mar 2005 01:19:09 +0000 /?p=261#comment-1140 I found some other good links, especially the first one looks promising. Still need to read that myself though.
http://www.research.ibm.com/journal/sj/412/goodwin.html – Instance-level access control for business-to-business electronic commerce
http://www.onjava.com/topics/java/Java_Security – Topic: Java Security

]]> By: john http://technology.amis.nl/2004/11/19/struts-jaas-tomcat-getting-acquainted-part-2/#comment-1139 john Mon, 07 Mar 2005 17:27:39 +0000 /?p=261#comment-1139 Thanks a lot, Thijs. I will study it and if get some insight, I will report back here.

]]> By: Thijs http://technology.amis.nl/2004/11/19/struts-jaas-tomcat-getting-acquainted-part-2/#comment-1138 Thijs Mon, 07 Mar 2005 11:17:39 +0000 /?p=261#comment-1138 Hi john, I am very new to Java Security, so I don’t know how to solve it directly either. You could take a look at this website though:
http://www-128.ibm.com/developerworks/java/library/j-jaas/
“Extend JAAS for class instance-level authorization”

If you have any new insights, please let us know here.

]]>