struts-user mailing list archives

From Micael Padraig Og mac Grene <>
Subject Re: Struts declarative security policy? (was RE: Struts example - redundant login checking?)
Date Sat, 20 Apr 2002 22:20:19 GMT
I, for one, love the way these options are available.  They provide a 
mechanism to do whatever you need, I think.

At 01:46 PM 4/20/02 -0700, you wrote:

>On Thu, 18 Apr 2002, Dennis Doubleday wrote:
> > Date: Thu, 18 Apr 2002 10:56:11 -0400
> > From: Dennis Doubleday <>
> > Reply-To: Struts Users Mailing List <>
> > To: 'Struts Users Mailing List' <>
> > Subject: Struts declarative security policy? (was RE: Struts example -
> >     redundant login checking?)
> >
> > Seems to me that neither the jsp nor the action is the correct place to
> > enforce a security policy. It means both page designers and developers
> > have to remember to do it every time.
> >
>I agree.  A major purpose for the Struts example app is to ensure that you
>have Struts installed correctly, and I wanted to minimize the amount of
>container configuration you might have to do.
> > There ought to be (is there?) a mechanism for declaring a security
> > policy which can be referenced in struts-config.xml; i.e. access control
> > is just another property of an action mapping.
> >
>That is what container managed security, configured with the
><security-constraint> element in your /WEB-INF/web.xml file, is all about.
>Details of the supported syntax are in the Servlet Specification.
>
>Mechanisms for setting up users, and assigning roles to them, depend on
>the container you are running, so you'll need to consult its
>documentation.  For example, in a default Tomcat installation, you do this
>by editing the file "conf/tomcat-users.xml".
>
>If you choose to use the container-managed security capabilities, Struts
>offers you role-based actions and role-based templating options.  Your
>actions can themselves be sensitive to what role(s) a logged-on user is in
>by calling request.isUserInRole().
>To unsubscribe, e-mail:   <>
>For additional commands, e-mail: <>

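Added example, not part of the original message or of the Struts example app: a /WEB-INF/web.xml fragment showing the container-managed <security-constraint> approach described in the quoted reply. The /admin/* path, the "admin" role name and the login page names are assumptions made up for illustration.

```xml
<!-- /WEB-INF/web.xml fragment (Servlet 2.3 element order: security-constraint,
     login-config, security-role). Paths and role names are constructed. -->
<web-app>
  <!-- ... servlet and servlet-mapping for the Struts ActionServlet go here ... -->

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin actions</web-resource-name>
      <!-- Constrain the URLs the browser actually requests. The container
           checks constraints on the incoming request only, not on forwards
           made by an action, so JSPs should not be directly reachable. -->
      <url-pattern>/admin/*</url-pattern>
      <!-- No <http-method> elements: the constraint covers every method.
           Listing only GET and POST would leave other methods unconstrained. -->
    </web-resource-collection>
    <auth-constraint>
      <!-- Only users the container places in this role get through. -->
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Require a protected transport for credentials and session. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role named in an auth-constraint is declared here. Users are
       mapped to it in the container's own user store, for example
       conf/tomcat-users.xml in a default Tomcat installation. -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
```

With this in place the container rejects unauthenticated or unauthorized requests before any action or JSP runs, and an action can still call request.isUserInRole("admin") for finer-grained decisions.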