Comments on: Struts, JAAS, Tomcat: getting acquainted (part 2) https://technology.amis.nl/2004/11/19/struts-jaas-tomcat-getting-acquainted-part-2/ Friends of Oracle and Java Mon, 27 Apr 2015 11:47:05 +0000

By: Narasimha https://technology.amis.nl/2004/11/19/struts-jaas-tomcat-getting-acquainted-part-2/#comment-1147 Thu, 16 Nov 2006 17:37:51 +0000 /?p=261#comment-1147 Hi,
I am also facing the same problem while reading the ApplicationResources.properties.

It is working fine in a Windows environment, but it is not working in a Linux environment. Please help me out with this.

Thanks in Advance,
Narasimha

By: diabolo512 https://technology.amis.nl/2004/11/19/struts-jaas-tomcat-getting-acquainted-part-2/#comment-1146 Thu, 21 Jul 2005 08:17:20 +0000 /?p=261#comment-1146 Hi all,
the jGuard project (http://jguard.sourceforge.net) has published a new release (0.65).
Some of the new features in this release:
– dynamically manage roles and permissions through a webapp
– configuration is easier
– a logging system has been added
– new database implementations have been added (DB2, MS SQL Server)

jGuard provides easy JAAS integration in a J2EE environment.
Enjoy!

Charles (jGuard team).

By: john https://technology.amis.nl/2004/11/19/struts-jaas-tomcat-getting-acquainted-part-2/#comment-1145 Thu, 31 Mar 2005 16:53:59 +0000 /?p=261#comment-1145 For Zeger, please see my reply in 19 above regarding the article I found for per-field permission.

By: Zeger Hendrikse https://technology.amis.nl/2004/11/19/struts-jaas-tomcat-getting-acquainted-part-2/#comment-1144 Thu, 24 Mar 2005 16:04:51 +0000 /?p=261#comment-1144 Sorry to all, but due to a mistake in my e-mail address in my profile, I wasn’t kept up to date on the comments of my own post. Quite a lot now, I must say :-)

As far as JGuard is concerned, if I were to start another project, I would definitely take the effort to use it. At that time, I was motivated to learn JAAS, but now that I’m acquainted with it on a basic level, it is indeed better to use an existing solution (like JGuard) than to reinvent the wheel.

To John, comment 21: As you may have concluded, this was a study project for me, so I was relatively new on the subject. Consequently, I’m afraid I wouldn’t know the answer to your question on per-field permissions.

By: john https://technology.amis.nl/2004/11/19/struts-jaas-tomcat-getting-acquainted-part-2/#comment-1143 Thu, 24 Mar 2005 15:10:29 +0000 /?p=261#comment-1143 Thanks for your tips. But Hibernate has a reputation for slower performance that blocks us from it. Instance-level security seems to me to be still at the record-row level, which means users may either modify or view all fields of the whole row record. What I am looking for is: for the whole record row, everyone can view its fields, but some users can edit some fields (not all fields) within that record row, and the admin user can edit all fields. Am I right?

By: Thijs https://technology.amis.nl/2004/11/19/struts-jaas-tomcat-getting-acquainted-part-2/#comment-1142 Thu, 17 Mar 2005 00:29:38 +0000 /?p=261#comment-1142 Security: Declarative permissions using JAAS and Interceptors http://www.hibernate.org/140.html might also be useful.
They describe an approach for declarative security using object ids in a database.

id | permission                | action | classname | principal | oid
---+---------------------------+--------+-----------+-----------+----
1  | HibernateClassPermission  | *      | *         | bob       |
2  | HibernateObjectPermission | load   | User      | alice     | 47

Thanks for your link, it might also come in handy.
I currently use a security filter plus ideas from the instance-level security article, but adapted to a database and with nested groups.

By: john https://technology.amis.nl/2004/11/19/struts-jaas-tomcat-getting-acquainted-part-2/#comment-1141 Mon, 14 Mar 2005 21:16:01 +0000 /?p=261#comment-1141 I got a good one in http://www-106.ibm.com/developerworks/library/wa-appsec “Web app security using Struts, servlet filters, and custom taglibs” (02 Sep 2004, Swaminathan Radhakrishnan), which introduced page-access-level security and attribute-level security, which are exactly what I am looking for.

This is the only one I have found so far that talks about attribute/field-level security. Most of the articles talk about the page-access level, even the first link (“Instance-level”), because many authors did not create enterprise applications with field/attribute-level security. But the one I just found above looks very good, by which I mean he kept application performance in mind.

By: Thijs https://technology.amis.nl/2004/11/19/struts-jaas-tomcat-getting-acquainted-part-2/#comment-1140 Wed, 09 Mar 2005 01:19:09 +0000 /?p=261#comment-1140 I found some other good links, especially the first one looks promising. Still need to read that myself though.
http://www.research.ibm.com/journal/sj/412/goodwin.html – Instance-level access control for business-to-business electronic commerce
http://www.onjava.com/topics/java/Java_Security – Topic: Java Security

By: john https://technology.amis.nl/2004/11/19/struts-jaas-tomcat-getting-acquainted-part-2/#comment-1139 Mon, 07 Mar 2005 17:27:39 +0000 /?p=261#comment-1139 Thanks a lot, Thijs. I will study it and if I get some insight, I will report back here.

By: Thijs https://technology.amis.nl/2004/11/19/struts-jaas-tomcat-getting-acquainted-part-2/#comment-1138 Mon, 07 Mar 2005 11:17:39 +0000 /?p=261#comment-1138 Hi john, I am very new to Java Security, so I don’t know how to solve it directly either. You could take a look at this website though:
http://www-128.ibm.com/developerworks/java/library/j-jaas/
“Extend JAAS for class instance-level authorization”

If you have any new insights, please let us know here.

By: john https://technology.amis.nl/2004/11/19/struts-jaas-tomcat-getting-acquainted-part-2/#comment-1137 Fri, 04 Mar 2005 21:06:25 +0000 /?p=261#comment-1137 All this authorization is related to URL access. But I have a question about authorization where a user accesses and views the URL of some page containing several fields in a record row, but the security is configurably set up to allow that user to update a few fields, not all fields, on that record row. E.g., for an employee record row:
EmployeeFirstName, EmployeeLastName, EmployeePhoneNumber, EmployeeSalary, EmployeeDepartmentNo

The regular user can only edit his first/last names and phone number, but cannot edit salary or department number. The admin user can edit all the fields. Also, the fields which the regular users are allowed to edit are configurable on a form by the admin user. So how do you design this kind of security? Our current web application was designed with Oracle Forms/Reports 6i; everything works fine, but we decided to overhaul it into a J2EE + Struts web application. Any guru, shed some light please. Thanks

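A worked illustration, added here as an example and not code from the original post, from any of the commenters, or from the Hibernate article: the permission table Thijs quotes above (class-level and object-level grants keyed by principal) and John's field-level requirement can both be expressed with one java.security.Permission subclass whose implies() compares class name, object id, field and action, with "*" as a wildcard at any position. The table is held in memory as a stand-in for the database rows; RecordPermission, TablePolicy, NamedPrincipal, editableFields and the sample rows are hypothetical names and data constructed for this example. The permitted(subject, permission) check walks the Subject's principals and asks whether any granted row implies the request, so a field-level grant never implies a row-level request, while a wildcard row implies everything beneath it.

```java
import java.security.Permission;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.Subject;

/** Added example: table-driven class/object/field-level authorization (hypothetical names throughout). */
public class FieldLevelAuthzDemo {

    /** One grant or request: class name, object id, field and action; "*" matches anything. */
    static final class RecordPermission extends Permission {
        private final String className, oid, field, actions;

        RecordPermission(String className, String oid, String field, String actions) {
            super(className + ":" + oid + ":" + field);
            this.className = className;
            this.oid = oid;
            this.field = field;
            this.actions = actions;
        }

        private static boolean covers(String granted, String requested) {
            return "*".equals(granted) || granted.equals(requested);
        }

        /** A grant implies a request only when every component of the request is covered. */
        @Override public boolean implies(Permission p) {
            if (!(p instanceof RecordPermission)) return false;
            RecordPermission r = (RecordPermission) p;
            return covers(className, r.className) && covers(oid, r.oid)
                && covers(field, r.field) && actionCovered(r.actions);
        }

        private boolean actionCovered(String requested) {
            if ("*".equals(actions)) return true;
            for (String a : actions.split(",")) {
                if (a.trim().equals(requested)) return true;
            }
            return false;
        }

        @Override public String getActions() { return actions; }
        @Override public boolean equals(Object o) {
            return o instanceof RecordPermission && getName().equals(((RecordPermission) o).getName())
                && actions.equals(((RecordPermission) o).actions);
        }
        @Override public int hashCode() { return getName().hashCode() * 31 + actions.hashCode(); }
    }

    /** Minimal principal carrying only a name, as a JAAS login module would add to the Subject. */
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof NamedPrincipal && name.equals(((NamedPrincipal) o).name); }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /** In-memory stand-in for the permission table: (principal, granted permission) rows. */
    static final class TablePolicy {
        private static final class Row {
            final String principal; final RecordPermission granted;
            Row(String p, RecordPermission g) { principal = p; granted = g; }
        }
        private final List<Row> rows = new ArrayList<>();

        TablePolicy grant(String principal, RecordPermission granted) {
            rows.add(new Row(principal, granted));
            return this;
        }

        /** Same shape as permitted(subject, permission): any of the subject's principals holds an implying grant. */
        boolean permitted(Subject subject, RecordPermission requested) {
            for (Principal p : subject.getPrincipals()) {
                for (Row row : rows) {
                    if (row.principal.equals(p.getName()) && row.granted.implies(requested)) return true;
                }
            }
            return false; // deny by default: no matching row
        }
    }

    static Subject subjectFor(String principalName) {
        Subject s = new Subject();
        s.getPrincipals().add(new NamedPrincipal(principalName));
        return s;
    }

    /** The subset of a form's fields this subject may edit on the given row, i.e. what the page renders as editable. */
    static List<String> editableFields(TablePolicy policy, Subject s, String className, String oid, String... fields) {
        List<String> editable = new ArrayList<>();
        for (String f : fields) {
            if (policy.permitted(s, new RecordPermission(className, oid, f, "edit"))) editable.add(f);
        }
        return editable;
    }

    public static void main(String[] args) {
        TablePolicy policy = new TablePolicy()
            // Thijs's two rows: bob may do anything; alice may load User 47 only. Constructed sample data.
            .grant("bob",   new RecordPermission("*", "*", "*", "*"))
            .grant("alice", new RecordPermission("User", "47", "*", "load"))
            // John's employee form: regular users edit the contact fields on any row, admin edits every field.
            .grant("regular", new RecordPermission("Employee", "*", "EmployeeFirstName", "edit"))
            .grant("regular", new RecordPermission("Employee", "*", "EmployeeLastName", "edit"))
            .grant("regular", new RecordPermission("Employee", "*", "EmployeePhoneNumber", "edit"))
            .grant("admin",   new RecordPermission("Employee", "*", "*", "edit"));

        String[] form = {"EmployeeFirstName", "EmployeeLastName", "EmployeePhoneNumber", "EmployeeSalary", "EmployeeDepartmentNo"};
        System.out.println("alice load User 47: " + policy.permitted(subjectFor("alice"), new RecordPermission("User", "47", "*", "load")));
        System.out.println("alice load User 48: " + policy.permitted(subjectFor("alice"), new RecordPermission("User", "48", "*", "load")));
        System.out.println("regular may edit:   " + editableFields(policy, subjectFor("regular"), "Employee", "7", form));
        System.out.println("admin may edit:     " + editableFields(policy, subjectFor("admin"), "Employee", "7", form));
    }
}
```

The grant rows are the only thing an administrator changes, which is what makes the editable field set configurable per form without touching the action code, and the check is deny-by-default: a field that matches no granted row is simply left out of the editable list, so a form that renders from editableFields cannot expose a field the table never granted. Rendering a field read-only is not enough on its own; the same permitted() check has to run again on the update path, because a request can carry a field the page did not offer.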
By: Mike Luff https://technology.amis.nl/2004/11/19/struts-jaas-tomcat-getting-acquainted-part-2/#comment-1136 Mon, 21 Feb 2005 12:10:04 +0000 /?p=261#comment-1136 Hi Karthic – I am having the same problem (java.security.AccessControlException: access denied).
I made the changes you had suggested, but I am still getting this error.
I know my policy file is being read. I am using OC4J (Oracle App Server 9.0.4) to serve up the
app; is there anything that needs to be configured differently? If you have any ideas please send them along. Mike

By: Karthic Keyan https://technology.amis.nl/2004/11/19/struts-jaas-tomcat-getting-acquainted-part-2/#comment-1135 Thu, 10 Feb 2005 09:34:31 +0000 /?p=261#comment-1135 Hi Mei,
I had the same problem, and I solved it following these points:

1) Dan Moore has instructions (readme) written pertaining to a UNIX/Linux environment, and when I configured it for Windows I got this problem. It requires some changes.

2) Place the com dir inside WEB-INF/classes (instead of copying it under WEB-INF as mentioned in the readme).

3) Replace the LogonAction.class inside classes\org\apache\struts\webapp\example with the one by Dan (don't copy the complete dir structure).

4) In tagish.login change

com.tagish.auth.FileLogin required debug=true pwdFile="/usr/local/java/jre/lib/security/passwd" (this is for Linux)

to the Windows path, e.g.:

com.tagish.auth.FileLogin required debug=true pwdFile="C:/j2sdk1.4.2_01/jre/lib/security/passwd"

That's it, and this works cool. In case you need any help: [ keyan_z@yahoo.com ]

Regards, Karthic

By: mei https://technology.amis.nl/2004/11/19/struts-jaas-tomcat-getting-acquainted-part-2/#comment-1134 Fri, 07 Jan 2005 16:12:31 +0000 /?p=261#comment-1134 Hi Zeger,
Don’t know if you are still watching this post. When I execute my code

    if (!AuthorizationUtils.permitted(subject, permission))
    {
        .....
    }
    else
    {
        ....
    }

I call the method AuthorizationUtils.permitted(subject, permission);
in this method, I always get the exception in the code “sm.checkPermission(p);”. It always denies the access.

I have specified my policy file in the java.security file correctly, and I know the policy file has been reached,
but I don’t know what possible reason could cause this problem.

Could you send me an email at yyq99@yahoo.com

Thanks!

Mei

By: Zeger Hendrikse https://technology.amis.nl/2004/11/19/struts-jaas-tomcat-getting-acquainted-part-2/#comment-1133 Mon, 06 Dec 2004 15:43:26 +0000 /?p=261#comment-1133 Dear Mei,

Recently I had the same problem as you mentioned: it was just a case of not having included the ApplicationResources.properties in my WAR file (in the WEB-INF/classes dir) …
