securing DWR with jGuard

Last modified by XWikiGuest on 2010/10/29 06:33

jGuard 1.0.0 supports securing web applications that use DWR 1.x.

We also plan to support DWR 2.x, hopefully in the 1.1.0 release.

install DWR in the webapp

In the classic way, to install DWR, you insert a DWR servlet into your web.xml file:

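    <servlet>
      <servlet-name>dwr-invoker</servlet-name>
      <display-name>DWR Servlet</display-name>
      <servlet-class>uk.ltd.getahead.dwr.DWRServlet</servlet-class>
      <init-param>
        <param-name>debug</param-name>
        <param-value>true</param-value>
      </init-param>
    </servlet>
    <servlet-mapping>
      <servlet-name>dwr-invoker</servlet-name>
      <url-pattern>/dwr/*</url-pattern>
    </servlet-mapping>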

But we will configure it in a more advanced way at the bottom of this document.

DWR.xml

DWR permits direct access to beans hosted on the server in the webapp. The central configuration file is DWR.xml. For example, if you want to permit access to the bean net.sf.jguard.example.dwr.Dummy, you have to configure it in DWR.xml like this:
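As an added example (not the jGuard project's own file), a DWR 1.x configuration entry for this bean could look like the following. The javascript name Dummy and the restriction to the getHello method are assumptions, chosen to match the bean and method used in the permission example further down this page.

```xml
<dwr>
  <allow>
    <!-- creator="new" selects uk.ltd.getahead.dwr.create.NewCreator,
         the Creator class named as the first DWR1Permission parameter. -->
    <create creator="new" javascript="Dummy">
      <!-- The bean class DWR instantiates and exposes to the browser. -->
      <param name="class" value="net.sf.jguard.example.dwr.Dummy"/>

      <!-- Without any <include>, every public method of the bean is
           callable from JavaScript. Listing methods explicitly keeps the
           exported surface limited to what a permission has been
           written for (assumption: only getHello is meant to be remote). -->
      <include method="getHello"/>
    </create>
  </allow>
</dwr>
```

The debug init-param, set to true in the servlet configuration on this page, turns on DWR's test pages that list the exported beans, so it is normally switched off outside development.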

DWR1Permission : a dedicated Permission

jGuard 1.0.0 ships a Permission dedicated to DWR 1.x. This permission has a name and some parameters, like any subclass of java.security.BasicPermission:

  • name
used to give the permission a functional meaning

  • parameters
    • first parameter: the class of the Creator used to instantiate the related protected beans
example: uk.ltd.getahead.dwr.create.NewCreator

    • second parameter: the class of the bean to protect
example: net.sf.jguard.example.dwr.Dummy

    • third parameter: the method to protect
example: getHello

You can use it either in the database or in the jGuardPrincipalsPermissions.xml file.

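    .......
    <permission>
      <name>dummy</name>
      <class>net.sf.jguard.jee.extras.dwr1.DWR1Permission</class>
      <actions>
        <action>uk.ltd.getahead.dwr.create.NewCreator</action>
        <action>net.sf.jguard.example.dwr.Dummy</action>
        <action>getHello</action>
      </actions>
    </permission>
    .......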

DWR1AccessControl

Now we need to link access to the Dummy bean via DWR with jGuard. To do that, add one more parameter to the DWR servlet configured previously, like this:

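    <servlet>
      <servlet-name>dwr-invoker</servlet-name>
      <display-name>DWR Servlet</display-name>
      <servlet-class>uk.ltd.getahead.dwr.DWRServlet</servlet-class>
      <init-param>
        <param-name>debug</param-name>
        <param-value>true</param-value>
      </init-param>
      <init-param>
        <param-name>uk.ltd.getahead.dwr.AccessControl</param-name>
        <param-value>net.sf.jguard.jee.extras.dwr1.DWR1AccessControl</param-value>
      </init-param>
    </servlet>
    <servlet-mapping>
      <servlet-name>dwr-invoker</servlet-name>
      <url-pattern>/dwr/*</url-pattern>
    </servlet-mapping>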

what about jGuard and DWR interactions?

Notice that jGuard is linked with DWR1AccessControl. It is used to delegate the authorization check to jGuard before the user accesses, via a JavaScript instruction, the Java bean declared in the DWR.xml file.

But you have to configure jGuard to authenticate the user. To do that, AccessFilter has to be used. So AccessFilter and its mapped URIs (like all Struts actions, *.do) will be used for authentication, and for authorization checks with your traditional web framework (for example Struts).

DWR will be used for Ajax interactions, and will delegate authorization checks to jGuard.

So, in an application hosting Struts and DWR, authentication will be done on URIs ending in .do, and authorization checks will be done on URIs ending in .do and on those containing the DWR pattern (see the servlet mappings configured above).

Created by diabolo512 on 2007/01/02 17:52

jGuard team copyright 2004-2009