11.10. Mixing Application-Managed and Container-Managed Security
Problem
You want the convenience of container-managed security, yet need a custom mechanism for implementing your security policies.
Solution
Use the SecurityFilter (http://securityfilter.sourceforge.net) custom servlet filter and associated classes.
Discussion
Container-managed security, as shown in Recipe 11.9, has some advantages:
When users attempt to access a protected URL, the container automatically prompts them to logon. Once authenticated, they are forwarded to the originally requested URL.
The user identity can be determined using the
getUserPrincipal( )orgetRemoteUser( )methods of theHttpServletRequest. These methods can determine if a user is logged in.You can determine if a user has a specific role using the
isUserInRole(roleName)method of theHttpServletRequest. Struts leverages this feature to provide role-constrained actions via the roles attribute. Struts provides for role-specific page generation using thelogic:present role="roleNames" custom JSP tag.
Container-managed security has drawbacks, such as portability. With container-managed security, the implementation is split between your web application and the application server. You usually must configure container-specific resources to specify the repository, known as a security realm, from which the container acquires the user's credentials and roles. Container-managed security will only prompt users to login if they attempt access of a protected ...