Comments on: Struts, JAAS, Tomcat: getting acquainted (part 2)
Friends of Oracle and Java

By: Narasimha Thu, 16 Nov 2006 17:37:51 +0000 /?p=261#comment-1147 Hi,
I am also facing the same problem while reading the

It is working fine in a Windows environment, but it is not working in a Linux environment. Please help me out with this.

Thanks in Advance,

By: diabolo512 Thu, 21 Jul 2005 08:17:20 +0000 /?p=261#comment-1146 hi all,
the jGuard project ( has published a new release (0.65).
Some of the new features in this release:
– dynamically manage roles and permissions through a webapp
– configuration is easier
– a logging system has been added
– new database implementations have been added (DB2, MS SQL Server)

jGuard provides easy JAAS integration in a J2EE environment.

Charles (jGuard team).

By: john Thu, 31 Mar 2005 16:53:59 +0000 /?p=261#comment-1145 For Zeger, please see my reply in 19 above regarding the article I found for per-field permission.

By: Zeger Hendrikse Thu, 24 Mar 2005 16:04:51 +0000 /?p=261#comment-1144 Sorry to all, but due to a mistake in my e-mail address in my profile, I wasn’t kept up to date on the comments of my own post. Quite a lot now, I must say :-)

As far as JGuard is concerned, if I were to start another project, I would definitely take the effort to use it. At that time, I was motivated to learn JAAS, but now that I’m acquainted with it on a basic level, it is indeed better to use an existing solution (like JGuard) than to reinvent the wheel.

To John, comment 21: As you may have concluded, this was a study project for me, so I was relatively new on the subject. Consequently, I’m afraid I wouldn’t know the answer to your question on per-field permissions.

By: john Thu, 24 Mar 2005 15:10:29 +0000 /?p=261#comment-1143 Thanks for your tips. But Hibernate has a reputation for slower performance that blocks us away. Instance-level security seems to me to still be at the record row level, which means users may either modify or view all fields of the whole row record. What I am looking for is: for the whole record row, everyone can view its fields, but some users can edit some fields (not all fields) within that record row, and the admin user can edit all fields. Am I right?

By: Thijs Thu, 17 Mar 2005 00:29:38 +0000 /?p=261#comment-1142 “Security: Declarative permissions using JAAS and Interceptors” might also be useful.
They describe an approach for declarative security using object ids in a database.

id | permission               | action | classname | principal | oid
---|--------------------------|--------|-----------|-----------|----
1  | HibernateClassPermission | *      | *         | bob       |
2  | HibernateObjectPermission| load   | User      | alice     | 47

Thanks for your link, might also come in handy.
I currently use a security filter plus ideas from the instance-level security article, but adapted to a database and with nested groups.

By: john Mon, 14 Mar 2005 21:16:01 +0000 /?p=261#comment-1141 I got a good one in “Web app security using Struts, servlet filters, and custom taglibs” (02 Sep 2004, Swaminathan Radhakrishnan), which introduced page-access-level security and attribute-level security, which are exactly what I am looking for.

This is the only one I have found so far that talks about attribute/field-level security. Most of the articles talk about page-access-level security, even the first link, “Instance-level”, because many authors did not create the enterprise application with field/attribute-level security. But the one I just found above looks very good, by which I mean he kept application performance in mind.

By: Thijs Wed, 09 Mar 2005 01:19:09 +0000 /?p=261#comment-1140 I found some other good links; especially the first one looks promising. Still need to read that myself though.
– Instance-level access control for business-to-business electronic commerce
– Topic: Java Security

By: john Mon, 07 Mar 2005 17:27:39 +0000 /?p=261#comment-1139 Thanks a lot, Thijs. I will study it and if I get some insight, I will report back here.

By: Thijs Mon, 07 Mar 2005 11:17:39 +0000 /?p=261#comment-1138 Hi john, I am very new to Java Security, so I don’t know how to solve it directly either. You could take a look at this website though:
“Extend JAAS for class instance-level authorization”

If you have any new insights, please let us know here.

By: john Fri, 04 Mar 2005 21:06:25 +0000 /?p=261#comment-1137 All of this authorization is related to URL access. But I have a question about authorization where a user accesses and views the URL of some page containing several fields in a record row, but the security is configurably set up to allow that user to update a few fields, not all fields, on that record row. E.g., for an employee record row:
EmployeeFirstName, EmployeeLastName, EmployeePhoneNumber, EmployeeSalary, EmployeeDepartmentNo

The regular user can only edit his first/last names and phone number, but cannot edit salary or deptno. The admin user can edit all the fields. Also, the fields which the regular users are allowed to edit are configurable on a form by the admin user. So how to design this kind of security? Our current web application was designed with Oracle Forms/Reports 6i, and everything works fine, but we decided to overhaul it into a J2EE + Struts web application. Any guru, shed some light please. Thanks

By: Mike Luff Mon, 21 Feb 2005 12:10:04 +0000 /?p=261#comment-1136 Hi Karthic – I am having the same problem (access denied).
I made the changes you had suggested, but I am still getting this error.
I know my policy file is being read. I am using OC4J (Oracle App Server 9.0.4) to serve up the
app; is there anything that needs to be configured differently? If you have any ideas please send them along. Mike

By: Karthic Keyan Thu, 10 Feb 2005 09:34:31 +0000 /?p=261#comment-1135 Hi Mei,
I had the same problem, and I solved it by following these points:

1) Dan Moore’s instructions (readme) are written for a UNIX/Linux environment, and when I configured it for Windows I got this problem; it requires some changes.

2) place the com dir inside WEB-INF/classes (instead of copying it under WEB-INF as mentioned in the readme)

3) replace the LogonAction.class inside classes\org\apache\struts\webapp\example with the one by Dan… (don’t copy the complete dir structure)

4) in tagish.login change

com.tagish.auth.FileLogin required debug=true pwdFile="/usr/local/java/jre/lib/security/passwd" (this is for Linux)

to the Windows path, e.g.:

com.tagish.auth.FileLogin required debug=true pwdFile="C:/j2sdk1.4.2_01/jre/lib/security/passwd"

That’s it, and this works cool. In case you need any help [ ]

Regards, Karthic

By: mei Fri, 07 Jan 2005 16:12:31 +0000 /?p=261#comment-1134 Hi Zeger,
Don’t know if you are still watching this post. When I execute my code
if ( ! AuthorizationUtils.permitted(subject, permission) )

I call the method AuthorizationUtils.permitted(subject, permission);
in this method I always get the exception in the code “sm.checkPermission(p);”. It always denies the access.

I have specified my policy file in file correctly, and I know the policy file has been reached,
but I don’t know whether there is any possible reason causing this problem.

Could you send me an email at

By: Zeger Hendrikse Mon, 06 Dec 2004 15:43:26 +0000 /?p=261#comment-1133 Dear Mei,

Recently I had the same problem as you mentioned: it was just a case of not having included the in my WAR file (in the WEB-INF/classes dir) …
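The check Mei describes (a permitted(subject, permission) helper that always denies) and the field-level grants john asks about, as an added example that is not code from the post, the comments, or Dan Moore's project. It assumes a JDK where AccessController, Subject.doAsPrivileged and Policy are still functional (JDK 8 through 23); the FieldPermission, NamePrincipal and DemoPolicy types and the names alice/admin are constructed for the example, and the in-memory Policy stands in for the .policy file the thread talks about. The last case shows the symptom Mei reports: when the Subject's principals are not on the access-control context, a principal-based grant can never match and the check is always denied.

```java
import java.security.*;
import javax.security.auth.Subject;

public class JaasPermissionDemo {
    /** Field-level permission; names look like "write.salary" or "read.firstName" (constructed). */
    public static final class FieldPermission extends BasicPermission {
        public FieldPermission(String name) { super(name); }
    }
    /** Minimal principal, standing in for what a JAAS LoginModule puts into the Subject. */
    public static final class NamePrincipal implements Principal {
        private final String name;
        public NamePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }
    /** In-memory Policy standing in for the .policy file the thread discusses. */
    static final class DemoPolicy extends Policy {
        public boolean implies(ProtectionDomain domain, Permission perm) {
            if (!(perm instanceof FieldPermission)) return false;   // only field permissions are modelled
            boolean admin = false, user = false;
            Principal[] ps = domain.getPrincipals();
            if (ps != null) for (Principal p : ps) {
                if ("admin".equals(p.getName())) admin = true; else user = true;
            }
            if (admin) return true;                                       // admin edits every field
            if (user) return new FieldPermission("read.*").implies(perm)   // every user may read ...
                    || new FieldPermission("write.firstName").implies(perm)
                    || new FieldPermission("write.phone").implies(perm);   // ... and edit a few fields
            return false;  // no principal on the domain (check run outside doAsPrivileged): always denied
        }
    }
    /** Like the thread's AuthorizationUtils.permitted: run the check under the Subject, map a denial to false. */
    public static boolean permitted(Subject subject, final Permission perm) {
        try {
            Subject.doAsPrivileged(subject, new PrivilegedAction<Void>() {
                public Void run() { AccessController.checkPermission(perm); return null; }
            }, null);
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }
    /** Builds a Subject carrying the given principal names; no names gives a Subject with no principals. */
    static Subject subjectFor(String... names) {
        Subject s = new Subject();
        for (String n : names) s.getPrincipals().add(new NamePrincipal(n));
        return s;
    }
    public static void main(String[] args) {
        Policy.setPolicy(new DemoPolicy());
        System.out.println("alice writes firstName: " + permitted(subjectFor("alice"), new FieldPermission("write.firstName")));
        System.out.println("alice writes salary:    " + permitted(subjectFor("alice"), new FieldPermission("write.salary")));
        System.out.println("admin writes salary:    " + permitted(subjectFor("admin"), new FieldPermission("write.salary")));
        System.out.println("no principal reads:     " + permitted(subjectFor(), new FieldPermission("read.salary")));
    }
}
```

In a deployment with a real policy file, the same denial appears when the grant names a principal class that differs from the one the LoginModule actually adds to the Subject, or when the permission class is missing from the WAR, as Zeger describes above.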