Implement Secure Access Control Using filter programming in xforum

Source: Internet
Author: User
Using filter programming to implement secure access control in xforum (J2EE/EJB forum)
CINC 2003.03.11, 15 replies, 1745 views
In J2EE there are two ways to implement security:
Declarative security: the restrictions are declared in web.xml (security-constraint, login-config and security-role elements) and enforced by the container.
Programmatic security: you write the check code yourself.

In xforum we do not let the container manage the security checks; we use our own programmatic implementation:

After a user logs in, the user information is stored in the session. By checking for that user information in the session you can tell whether the user has logged in successfully.

In earlier xforum versions this check was performed in every protected page. For example, in ViewMyThreadAction:

    final HttpSession session = request.getSession();
    // the attribute name under which the logged-in user is stored is assumed here;
    // the original fragment only shows the check on userId
    final String userId = (String) session.getAttribute("userid");
    // If the user id is null or empty the user has not logged in,
    // so record the destination and forward to the logon screen
    if (userId == null || userId.length() == 0) {
        final String url = "/viewmythreads.go";
        request.setAttribute(ForumConstants.DEST_URL, url);
        return (mapping.findForward("logon"));
    // else display the user's threads
    } else {
        ...
If the user is not logged on, the requested page is recorded as the destination URL and the request is forwarded to the logon page so the user can log on (and be sent back afterwards).

In the new xforum version, filter technology is used for centralized ACL control: AclFilter.
First, the pages to be protected are listed in an acl-config.xml:

    <acl-config>
      <protected-resource>
        <uri>post.go</uri>
        <desc>post thread form</desc>
      </protected-resource>
      <protected-resource>
        <uri>viewmythreads.go</uri>
        <desc>view my threads</desc>
      </protected-resource>
    </acl-config>

Then, in web.xml, the filter is applied to every web resource:

    <filter>
      <filter-name>AclFilter</filter-name>
      <filter-class>org.redsoft.forum.filters.AclFilter</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>AclFilter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

The check is done in the doFilter method of AclFilter: if the requested URI is a protected resource and there is no user information in the session, the request goes to the logon page. To protect another page later, only a new protected-resource entry in acl-config.xml is needed; static pages (.html) can be protected the same way, since the filter does not care what serves the URI; and the code of the dynamic pages becomes much clearer because the user-login checks are gone. Note that the entries are matched against the request path relative to the web application, so the filter has to strip the context path before comparing.

Role-based control is not implemented yet. Currently there are only two roles:
Guest user: cannot access protected resources
Logged-in user: can access all resources

But the existing acl-config.xml could be extended to define several roles,
for example guest, user and manager, by modifying acl-config.xml as follows:

    <protected-resource>
      <uri>post.go</uri>
      <desc>post thread form</desc>
      <role>manager, user</role>
    </protected-resource>
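The following is an added, stand-alone illustration of the filter described above (the centralized check in doFilter plus the proposed per-resource role list); it was written for this edit and is not xforum's own org.redsoft.forum.filters.AclFilter. Everything not stated in the post is an assumption: the config is read from /WEB-INF/acl-config.xml, the logon action is /logon.go, the logged-in user id sits in the session under "userid" and the user's role names in a java.util.Set under "roles". It targets the Servlet 2.3-era javax.servlet API and needs Java 6 or later.

```java
// AclFilter.java: added example for this edit, not xforum's code.
// Assumed (not from the post): CONFIG_PATH, LOGON_PAGE, USER_KEY, ROLES_KEY, DEST_URL_KEY.
package org.example.acl;

import java.io.IOException;
import java.io.InputStream;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class AclFilter implements Filter {
    static final String CONFIG_PATH = "/WEB-INF/acl-config.xml"; // assumed location
    static final String LOGON_PAGE = "/logon.go";                 // assumed logon action
    static final String USER_KEY = "userid";                      // assumed session attribute
    static final String ROLES_KEY = "roles";                      // assumed session attribute
    static final String DEST_URL_KEY = "dest_url";                // where to return after logon

    /** normalized path ("/post.go") -> roles allowed; an empty set means any logged-in user */
    private final Map<String, Set<String>> protectedPaths = new HashMap<String, Set<String>>();

    public void init(FilterConfig cfg) throws ServletException {
        InputStream in = cfg.getServletContext().getResourceAsStream(CONFIG_PATH);
        if (in == null) {
            // Fail closed: a missing ACL must not silently make every page public.
            throw new ServletException(CONFIG_PATH + " not found; refusing to start");
        }
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/XXE
            Document doc = f.newDocumentBuilder().parse(in);
            NodeList list = doc.getElementsByTagName("protected-resource");
            for (int i = 0; i < list.getLength(); i++) {
                Element res = (Element) list.item(i);
                Set<String> roles = new HashSet<String>();
                String roleText = childText(res, "role");          // optional: "manager, user"
                if (roleText != null) {
                    for (String r : roleText.split(",")) {
                        if (r.trim().length() > 0) roles.add(r.trim());
                    }
                }
                // entries are written relative to the context root ("post.go")
                protectedPaths.put(normalize("/" + childText(res, "uri")), roles);
            }
        } catch (Exception e) {
            throw new ServletException("cannot parse " + CONFIG_PATH, e);
        }
    }

    public void doFilter(ServletRequest sreq, ServletResponse sres, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) sreq;
        HttpServletResponse res = (HttpServletResponse) sres;
        // servletPath + pathInfo is already URL-decoded, has the context path removed and
        // path parameters such as ;jsessionid=... stripped; normalize() removes dot segments
        // so "/x/../post.go" cannot slip past a comparison against "/post.go".
        String path = normalize(req.getServletPath()
                + (req.getPathInfo() == null ? "" : req.getPathInfo()));
        Set<String> allowed = protectedPaths.get(path);
        if (allowed == null) {            // not listed: public resource
            chain.doFilter(sreq, sres);
            return;
        }
        HttpSession session = req.getSession(false);
        Object user = session == null ? null : session.getAttribute(USER_KEY);
        if (user == null || user.toString().length() == 0) {
            // Remember only the normalized, context-relative path (never a caller-supplied
            // URL) so the post-logon redirect cannot become an open redirect.
            req.getSession(true).setAttribute(DEST_URL_KEY, path);
            res.sendRedirect(req.getContextPath() + LOGON_PAGE);
            return;
        }
        if (!allowed.isEmpty()) {         // role-restricted resource
            Object roles = session.getAttribute(ROLES_KEY);
            Set<?> userRoles = roles instanceof Set ? (Set<?>) roles : Collections.emptySet();
            if (Collections.disjoint(allowed, userRoles)) {
                res.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(sreq, sres);
    }

    public void destroy() { }

    /** Collapse ".", ".." and repeated slashes: "/a/./../post.go" becomes "/post.go". */
    static String normalize(String path) {
        Deque<String> out = new ArrayDeque<String>();
        for (String seg : path.split("/")) {
            if (seg.length() == 0 || seg.equals(".")) continue;
            if (seg.equals("..")) { out.pollLast(); continue; }
            out.addLast(seg);
        }
        StringBuilder sb = new StringBuilder();
        for (String seg : out) sb.append('/').append(seg);
        return sb.length() == 0 ? "/" : sb.toString();
    }

    private static String childText(Element parent, String tag) {
        NodeList n = parent.getElementsByTagName(tag);
        return n.getLength() == 0 ? null : n.item(0).getTextContent().trim();
    }
}
```

Two caveats for anyone copying this design. First, acl-config.xml is a list of what to protect, so any page that is not listed is public by default; forgetting one entry exposes a page, whereas a container security-constraint on a URL pattern such as /admin/* protects a whole directory at once. Second, a Servlet 2.3 filter mapped on /* only intercepts client requests: a RequestDispatcher forward or include from a public action to a protected JSP goes around it (the dispatcher element that changes this arrived with Servlet 2.4), so protected JSPs are best kept under /WEB-INF where they cannot be requested directly anyway.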

Implementing complex ACL control

Using a filter is a good method. Tomcat once used a security interceptor component for the same job
(org.apache.tomcat.request.SecurityCheck).

We can refer to this class when implementing our own security filter (backed by JNDI or JDBC resources)
that reads the resource configuration from web.xml. This is very flexible.

When the roles are configured in web.xml, the role name does not have to be hard-coded in Java, so the code need not change when a role is renamed. This
is what the servlet specification says in section SRV.12.3:
For example, to map the security role reference "foo" to the security role
with role-name "manager" the syntax would be:
    <security-role-ref>
      <role-name>foo</role-name>
      <role-link>manager</role-link>
    </security-role-ref>
In this case if the servlet called by a user belonging to the "manager"
security role made the API call isUserInRole("foo") it would be true.

In the program only foo has to be referenced; other roles can be treated as synonyms for it through role-link.

Whether the application or the container should manage security is a question to consider when designing a J2EE program.
The xforum filter is a simplified version of the SignOnFilter in Sun's Java Pet Store.

The Pet Store documentation devotes a lot of space to SignOnFilter. If you are interested, see the following passage:

All users in the pet store are logged in as the same system user, so they all
Have the same system permissions, such as whether or not they can execute
Certain method. Application permissions, such as who can create an order
(Registered users only), are modelled and controlled at the application level.

Casual users such as the shoppers in the pet store do not have to authenticate
Their real-life identity in any way. In such cases, it's usually preferable
To manage users in the application layer instead of at the system layer. Users
With special permissions, such as system or application administrators, are
Usually best represented by system users, using the J2EE login mechanisms
Mentioned above.

ftp://210.52.88.20./pub/doc/Java/J2EE/PetStore/sample-app1.3.1.pdf
