Tuesday, November 17, 2009

Struts2 course chapter 13: Securing Struts2 applications

Security is one of the most critical features in web application development. However, as I said before, Struts2 is the C (controller) in the MVC (model - view - controller) framework. As such, Struts2 does not have a security model of its own. Struts2 is built on top of the Java Servlet API and the HTTP protocol, so its security configuration is the one described for the Servlet API. Other security models such as ACEGI can also be used with Struts2, but that will be covered in a future post.

In the next slides I will discuss the two ways to secure application resources:
  • by configuring the application and
  • by writing Java code.
The first is the easier of the two because you only need to edit your deployment descriptor (the web.xml file) to change your security policy without rewriting code. For instance, you can restrict access to certain roles and HTTP methods, determine how users authenticate themselves, and so forth. Since Struts is based on the Servlet technology, securing a Struts application centers on this configuration plus the security features in Struts itself.
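As an added illustration of that first approach (this is example configuration written for this post, not code from the course or from the Struts project), the web.xml fragment below declares a container-managed security policy: a security constraint restricting /admin/* to the "admin" role, a transport guarantee forcing HTTPS, and form-based login. The role name, URL patterns, realm name and login pages are assumed placeholders.

```xml
<!-- Added example web.xml (Servlet 2.5). Role names, URL patterns, realm and
     page names are assumed placeholders, not values from the course. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- Struts2 dispatcher filter: the container evaluates the security
       constraints below BEFORE the request reaches this filter, so an
       unauthenticated or unauthorized request never hits an action. -->
  <filter>
    <filter-name>struts2</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>struts2</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- Only principals in the "admin" role may reach anything under /admin/. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administration</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <!-- Caveat: if you list http-method elements, only the listed methods
           are constrained; any other verb (e.g. HEAD, PUT) bypasses this rule.
           Omitting the list, as done here, constrains every method. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <!-- Require HTTPS for this area so credentials and session ids are not
         sent in clear text. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- How users authenticate: a login form handled by the container.
       The form must POST j_username and j_password to j_security_check. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>ExampleRealm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role referenced in an auth-constraint must be declared. -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
```

The mapping from the declared role to real users (or groups) is done in the container's realm, not in web.xml, so the same descriptor can be deployed against a file, database or LDAP realm. A quick check after deploying is to request an /admin/ URL without logging in and confirm the container redirects to the login page rather than serving the action.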

Remember that to be good at security configuration you need to be familiar with the concepts of principal and role, so this chapter starts with a review of both. Then the chapter explains how to write a security policy and covers the authentication methods.

After a section on how to hide resources and another on Struts-specific security features, these slides conclude with the second way of securing Servlet applications: by writing code and by using the Struts2 roles interceptor.
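As an added example of the Struts-specific side (written for this post, not taken from the course or from the Struts distribution), the struts.xml fragment below applies the built-in "roles" interceptor to a package. The interceptor asks the container, through HttpServletRequest.isUserInRole(), whether the current principal holds one of the allowed roles, so it only works once the container has authenticated the user via the web.xml login-config. The package, namespace, action and class names are assumed placeholders.

```xml
<!-- Added example struts.xml. Package, action, role and class names are
     assumed placeholders, not values from the course. -->
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"
    "http://struts.apache.org/dtds/struts-2.0.dtd">
<struts>
  <package name="admin" namespace="/admin" extends="struts-default">

    <!-- Custom stack: run the "roles" interceptor (registered by
         struts-default as org.apache.struts2.interceptor.RolesInterceptor)
         before the default stack, so the check happens before parameters
         are bound and before the action executes. -->
    <interceptors>
      <interceptor-stack name="adminStack">
        <interceptor-ref name="roles">
          <!-- comma-separated list; the request passes if the user is in ANY of them -->
          <param name="allowedRoles">admin,superuser</param>
          <!-- an explicit deny list is also supported and is checked first -->
          <param name="disallowedRoles">guest</param>
        </interceptor-ref>
        <interceptor-ref name="defaultStack"/>
      </interceptor-stack>
    </interceptors>

    <!-- Make the stack the default for every action in this package so a
         newly added action cannot be forgotten. -->
    <default-interceptor-ref name="adminStack"/>

    <!-- A principal without a permitted role receives HTTP 403 from the
         interceptor and ListUsersAction.execute() is never invoked. -->
    <action name="listUsers" class="com.example.admin.ListUsersAction">
      <result>/WEB-INF/jsp/admin/listUsers.jsp</result>
    </action>
  </package>
</struts>
```

The interceptor is a second line of defence rather than a replacement for the web.xml security constraint: it protects the action regardless of which URL pattern reaches it, while the container constraint also protects static resources and enforces the transport guarantee. Using both keeps the role decision in one place (the realm) and avoids hand-written isUserInRole() checks scattered through action code.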


Downloads (in Eclipse project)