Control de acceso en Struts

(1)

Departamento de Departamento de

Lenguajes y Sistemas Informáticos Lenguajes y Sistemas Informáticos

escuela técnica superior de ingeniería informática V e rs ió n o ri g in a l: A u to r (m e s 2 0 0 ? ) Ú lt im a r e v is ió n : A u to r (m e s 2 0 0 ? ); d e s c ri p c ió n c a m b io s .

Control de acceso en

Struts

Grupo de Ingeniería del Software

Febrero 2007

(2)

Escuela Técnica Superior de Ingeniería Informática Departamento de Lenguajes y Sistemas Informáticos 1. 1. IntroducciónIntroducción 2.

2. Control de AccesoControl de Acceso

2.1 DTO 2.1 DTO 2.2 2.2 LoginAction.javaLoginAction.java 2.3 2.3 processPreprocess processPreprocess 3.

3. Control de permisosControl de permisos

3.1 3.1 processRoleslprocessRolesl 3.2 3.2 MenuMenu [Á n g e l U S V 7 ] D is e ñ o : A m a d o r D u rá n T o

ro

•

• Dos problemas fundamentales

Dos problemas fundamentales

– Control de acceso a la aplicación (log on) – Control de permisos de los usuarios

•

• La clase RequestProcessor

La clase

RequestProcessor

– processRoles – processPreprocess <controller processorClass="com.garage.struts.action.SecurityRequest Processor" /> < <controllercontroller processorClass

processorClass="="com.garage.struts.action.SecurityRequestcom.garage.struts.action.SecurityRequest Processor

(3)

ro

•

• El problema del acceso (logon

El problema del acceso (

logon)

)

– Página con etiquetas de struts – Procesamiento por Actions

<html:form action="/logon.do">

usuario : <html:text property="usuario"/>

password : <html:password property="password"/> <html:submit/><html:cancel/>

</html:form>

<

<html:formhtml:form actionaction="/="/logon.dologon.do">"> usuario : <

usuario : <html:texthtml:text propertyproperty="usuario"/>="usuario"/> password

password : <: <html:passwordhtml:password propertyproperty="="passwordpassword"/>"/> <

<html:submithtml:submit/></><html:cancelhtml:cancel/>/> </

(4)

ro

•

• DTO (Data Transfer

DTO (Data

Transfer

Object)

Object

)

public class UserDTO {

private String login;

private String password; private Roles rol;

private Long id;

public String getLogin() {return login;}

public void setLogin(String login) {this.login = login;} public String getPassword() {return password;}

public void setPassword(String password) {

this.password = password;} public Roles getRol() {return rol;}

public void setRol(Roles rol) {this.rol = rol;} public Long getId() {return id;}

public void setId(Long id) {this.id = id;} }

public

public classclass UserDTOUserDTO {

{

private

private StringString loginlogin;; private

private StringString passwordpassword;; private

private Roles rol;Roles rol; private

private Long Long idid;; public

public StringString getLogingetLogin() {() {returnreturn loginlogin;};} public

public voidvoid setLogin(StringsetLogin(String loginlogin) {) {thisthis.login.login = = loginlogin;};} public

public StringString getPasswordgetPassword() {() {returnreturn passwordpassword;};} public

public voidvoid setPassword(StringsetPassword(String passwordpassword) {) { this

this.password.password = = passwordpassword;};} public

public RolesRoles getRolgetRol() {() {returnreturn rol;}rol;} public

public voidvoid setRol(RolessetRol(Roles rol) {rol) {thisthis.rol.rol = rol;}= rol;} public

public LongLong getIdgetId() {() {returnreturn id;}id;} public

public voidvoid setId(LongsetId(Long id) {id) {thisthis.id.id = id;}= id;} }

(5)

3.1 3.1 processRoleslprocessRolesl 3.2 3.2 MenuMenu [Á n g e l U S V 7 ] D is e ñ o : A m a d o r D u rá n T o ro

•

• LoginAction.java

LoginAction.java

public ActionForward execute(…) {

DynaActionForm loginForm = (DynaActionForm) form; String nom = (String)loginForm.get("usuario");

String passwd = (String)loginForm.get("password"); IAuthentication auth = new SecureAuthenticate(); UserDTO us = auth.authenticate(nom,passwd); HttpSession session = request.getSession(false); if(session !=null) { session.invalidate(); } session = request.getSession(true); session.setAttribute("usuario",us); if(us==null) return mapping.findForward("mal"); else return mapping.findForward("bien"); } public

public ActionForwardActionForward executeexecute(…) {(…) { DynaActionForm

DynaActionForm loginFormloginForm = (= (DynaActionFormDynaActionForm) ) formform;; String

String nomnom = (= (String)loginForm.getString)loginForm.get("usuario");("usuario"); String

String passwdpasswd = (= (String)loginForm.getString)loginForm.get("("passwordpassword");"); IAuthentication

IAuthentication authauth = = newnew SecureAuthenticateSecureAuthenticate();(); UserDTO

UserDTO usus = = auth.authenticate(nom,passwdauth.authenticate(nom,passwd);); HttpSession

HttpSession sessionsession = = request.getSession(request.getSession(falsefalse);); if

if(session(session !=!=nullnull)) { { session.invalidate session.invalidate();(); } } session

session = = request.getSession(request.getSession(truetrue);); session.setAttribute

session.setAttribute("usuario",("usuario",usus);); if

if(us(us====nullnull)) return

return mapping.findForwardmapping.findForward("mal");("mal"); else

else

return

return mapping.findForwardmapping.findForward("bien");("bien"); }

(6)

ro

•

• Acceso a páginas sin estar “logado”

Acceso a páginas sin estar “logado”

– Navegación a través de *.do y forwarding protected ActionForward processPreprocess(…){

HttpSession ses = request.getSession(); if(ses.getAttribute("usuario")!=null)

return true; try {

requestPath = processPath(request,response); }catch( IOException e ) { return true;}

if(requestPath.equals(“login”)) return true;

ses.setAttribute( "originalRequest", requestPath ); try { loginActionMapping = processMapping(request, response,”login”); forwardPath = loginActionMapping.getInputForward().getPath(); doForward(forwardPath,request,response); return false;

}catch( Exception e ) {return true;}

protected

protected ActionForwardActionForward processPreprocessprocessPreprocess(…){(…){ HttpSession

HttpSession sesses = = request.getSessionrequest.getSession();(); if(ses.getAttribute

if(ses.getAttribute("usuario")!=("usuario")!=nullnull)) return

return truetrue;; try

try {{

requestPath

requestPath = = processPath(request,responseprocessPath(request,response);); }

}catchcatch( ( IOExceptionIOException e ) { e ) { returnreturn truetrue;};} if(requestPath.equals

if(requestPath.equals(“(“loginlogin”))”)) return

return truetrue;; ses.setAttribute

ses.setAttribute( "( "originalRequestoriginalRequest", ", requestPathrequestPath );); try

try {{

loginActionMapping

loginActionMapping = = processMapping(requestprocessMapping(request, , response,”

response,”loginlogin”);”); forwardPath

forwardPath = =

loginActionMapping.getInputForward

loginActionMapping.getInputForward().().getPathgetPath();(); doForward(forwardPath,request,response

doForward(forwardPath,request,response);); return

return falsefalse;; }

(7)

ro

•

• Problema de los Roles (permisos)

Problema de los Roles (permisos)

– Struts sistema matricial de acceso a Actions <action input="/login.jsp“ validate=“true” name="loginForm" path="/login" scope="request“ roles=“admin,usuario” type="com.ejemplo.struts.action.LoginAction"> <forward name="incorrecto" path="/Mal.jsp" /> <forward name="correcto" path="/Bien.jsp" /> </action>

<

<actionaction input

input="/="/login.jsplogin.jsp““ validate

validate=“=“truetrue”” name

name="="loginFormloginForm"" path

path="/="/loginlogin"" scope

scope="="requestrequest““ roles=“

roles=“admin,usuarioadmin,usuario”” type

type="="com.ejemplo.struts.action.LoginActioncom.ejemplo.struts.action.LoginAction">"> <

<forwardforward namename="incorrecto" ="incorrecto" pathpath="/="/Mal.jspMal.jsp" />" /> <

<forwardforward namename="correcto" ="correcto" pathpath="/="/Bien.jspBien.jsp" />" /> </

(8)

ro protected boolean processRoles(…)

throws IOException,ServletException {

String roles[] = mapping.getRoleNames(); if ((roles == null) || (roles.length < 1))

return true;

HttpSession ses = request.getSession();

UserDTO u = (UserDTO)ses.getAttribute("usuario"); if (u == null)

return false;

for (int i = 0; i < roles.length; i++) { if (u.getRol().toString().equals(roles[i])) return true; } response.sendError(HttpServletResponse.SC_BAD_REQUE ST, getInternal().getMessage("notAuthorized",mapping.getPat h())); return false; } protected

protected booleanboolean processRolesprocessRoles(…)(…) throws

throws IOException,ServletExceptionIOException,ServletException {

{

String

String roles[] = roles[] = mapping.getRoleNamesmapping.getRoleNames();(); if

if ((roles == ((roles == nullnull) || () || (roles.lengthroles.length < 1)) < 1)) return

return truetrue;; HttpSession

HttpSession sesses = = request.getSessionrequest.getSession();(); UserDTO

UserDTO u = (u = (UserDTO)ses.getAttributeUserDTO)ses.getAttribute("usuario");("usuario"); if

if (u == (u == nullnull) ) return

return falsefalse;; for

for ((intint i = 0; i < i = 0; i < roles.lengthroles.length; i++) ; i++) {

{

if

if ((u.getRolu.getRol().().toStringtoString().().equals(roles[iequals(roles[i])) ])) return

return truetrue;; }

}

response.sendError(HttpServletResponse.

response.sendError(HttpServletResponse.SC_BAD_REQUESC_BAD_REQUE ST

ST, ,

getInternal

getInternal().().getMessagegetMessage("("notAuthorizednotAuthorized",",mapping.getPatmapping.getPat h

h()));())); return

return falsefalse;; }

(9)

•

• Bibliografía

Bibliografía

–

– ProgrammingProgramming JakartaJakarta StrutsStruts O’reilly

O’reilly

–

– StrutsStruts in in ActionAction Manning

Manning

–

– StrutsStruts RecipesRecipes Manning