struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <>
Subject Re: Authentication and Authoirzation
Date Wed, 04 Oct 2000 22:32:18 GMT
Colin Sampaleanu wrote:

> >
> > That is true, but it's also a problem whether or not you are
> > using declarative
> > security, right?
> Absolutely, but my whole point was that the only way to use declarative
> security (in a standard fashion) is to come in via different paths (not
> extension mapping), and this breaks JSP relative links, so you have to pick
> one or the other. Since I need to be able to use relative links in the JSPs,
> this basically killed declarative security, using the standard Servlet 2.2+
> mechanism. Luckilly I figured out the other way to do 'declarative
> security', as per my original message.

Ah, I see what you are getting at now.  Since what you've got works I would
suggest not changing it, but here is a way to use declarative security with
extension mapping in a convenient way.

The key insight is that extension mapping works on the last "component" of a
request URI.  So, if you map your action servlet to the "*.do" extension in the
usual way, ALL of the following URLs map to it:


so, if you organize your action mappings by sharing a common prefix around the
things you want to protect with the same security constraint, you can have the
same convenience that you do with path-based mapping.  For example, lets say you
have a set of administrative actions that are part of your Struts app.  If you
create action mappings for paths like this:


then you can have a security constraint on pattern "/admin/*" and protect them
all with one constraint, even though you are using extension mapping to map to
the controller servlet (i.e. the first option above would be requested at

A different approach is that you would also have the choice of protecting each
individual action mapping path ("/") with its own security
constraint.  This is not very practical if you have a large application, but
might work fine if you have only a few.

> [snip]

> > * Use the (fairly new) <struts:base/> tag somewhere in the
> > <head> section
> >   of your JSP page.  This generates something like this:
> >
> >     <base href="{URL-of-the-JSP-page}">
> >
> >   so that relative references work no matter what URL was used to call
> >   the action (i.e. the URL that is still showing in the
> > browser window).
> Hmm, I think this would work fine except in the case that you want to
> redirect to a simple HTML file. If you are ok with always calling JSPs then
> there are no big disadvantages. At this point though we do have the other
> system working with no restrictions, so will probably stick to it.

It's true that this only works if your entire app is JSP pages.  I have found
that to be the case in nearly all the dynamic webapps I've written, so this can
be quite helpful.


See you at ApacheCon Europe <>!
Session VS01 (23-Oct 13h00-17h00):  Sun Technical Briefing
Session T06  (24-Oct 14h00-15h00):  Migrating Apache JServ
                                    Applications to Tomcat

View raw message