he Struts Web application framework facilitates building robust Web applications. Java Authentication and Authorization Services (JAAS) is a rich API for adding pluggable security modules to applications. These powerful services work well together, however, their combination can also add some complexity to maintenance and enhancement tasks. Maintaining synchronization between an application's Struts configuration file(s) mappings and the JAAS security framework policy file can be a challenge.
As the size and complexity of your site increases and the number of people contributing expands, it is possible (even probable) that the site's configuration files will get out of synch. One common scenario is that a developer might add a page to the policy file in his test environment and then inadvertently fail to commit the updated file to source control. Alternatively, perhaps a colleague's merge overwrites your updates to the policy file that support a new page. Inserting an automated utility into your build process to alert you when configuration files aren't in synch is far better than your help desk getting calls from frustrated users who can't access pages that were formerly available to them.
For example, here are two snippets from a Jaas.policy file and a struts_config
Jaas.policy file snippet
Struts-config.xml file snippet
<!-- Action Mapping Declarations -->
< action path="/login"
It's easy enough to look at the few lines cut from the two configuration files above to determine whether they match, but what if you have multiple configuration files and hundreds of pages or more in your site? In such a situation, checking the files manually would be unrealistic. Certainly, if you have automated testing tools you might catch some synchronization issues in QA testing, but it's far less trouble to correct problems during the development build or developer unit testing cycle.
Fortunately, the Struts configuration files are XML and the JAAS policy file is a structured text file, therefore, they can be parsed and processed in an automated fashion. This article describes an audit utility that iterates over the XML configuration files in a given directory, parses the <path>
element and then verifies that the path element data (the page file name) appears in the JAAS policy file. This article walks you through the Python code for the utility so you'll be able to customize it for your environment. The article doesn't discuss how to use Struts or JAAS; if you're not familiar with these technologies you should explore the resource links listed in the left column of this article.
Having the source code
in front of you will make it easier to understand what is going on. Please review the sidebar Network Connection Required
to avoid frustration running the code. I've included sample struts-config.xml
files in the download for your convenience.
To work through the code, you'll need Python 2.3 or later (available for free from http://www.python.org
) and a working understanding of the Python programming language.
It would be helpful if you're familiar with Struts and the Java Authorization and Authentication Services (JAAS) that is part of the JDK 1.4 and later and available as a separate download for JDK 1.3; however, you can follow along and learn something from the text processing and parsing techniques presented even if you have no Struts or JAAS experience. I've assumed that readers have some understanding of XML parsing using SAX, and some familiarity with object-oriented development and regular expressions.