struts-user mailing list archives

From Alexis Gallagher
Subject security roles per action mapping
Date Wed, 16 Oct 2002 14:28:30 GMT

I've gotten a lot of help just lurking on this list,
so I'm hoping my first question isn't too off base.

I am trying to use the action "roles" parameter to
define fine-grained security constraints. However,
these constraints will apply to security roles which
are defined programmatically within my webapp and
which are not registered with the server's security

So I'm wondering, is there a way to stop the server
from checking the "roles" parameter for its own
purposes, so that I can hijack it for my own?

If I seem not just confused but totally off-base, I'll
stick the gory details of why I'm trying to do this in
a P.S.

Alexis Gallagher

Why would I want to disable the server's check of
security roles? Well, in my system every user can
belong to multiple projects, but he can only browse
one project at a time. A user has both a global
security role (admin vs. non-admin) but also a
per-project security role (manager vs. member, etc.). 

My understanding is that container-managed security is
not intended to support a situation where a user's
role might change depending on their position
session state (that is, what project they're
browsing). Also, container-managed security doesn't
have a vendor-neutral realm implementation.

Nevertheless, it would be very convenient to
declaratively configure all these security
constraints, and I can just put the security logic in my
action base class.

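The per-project check described in the P.S., as an added example that is not part of the original message or of the Struts code base: in Struts 1.1 the action "roles" attribute is evaluated by `RequestProcessor.processRoles`, which a subclass can override. The class name and the two session attribute keys are assumptions made for illustration.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

// Hypothetical class; register it in struts-config.xml with
// <controller processorClass="ProjectRoleRequestProcessor"/>.
public class ProjectRoleRequestProcessor extends RequestProcessor {

    // Hypothetical session keys. The application must set them server-side
    // at login and recompute the project role whenever the user switches
    // project; they must never be taken from request parameters.
    static final String GLOBAL_ROLE = "app.globalRole";
    static final String PROJECT_ROLE = "app.currentProjectRole";

    protected boolean processRoles(HttpServletRequest request,
                                   HttpServletResponse response,
                                   ActionMapping mapping)
            throws IOException, ServletException {
        String[] required = mapping.getRoleNames();
        if (required == null || required.length == 0) {
            return true; // mapping declares no "roles": unrestricted
        }
        // Do not create a session just to run the check.
        HttpSession session = request.getSession(false);
        if (session != null) {
            Set held = new HashSet();
            held.add(session.getAttribute(GLOBAL_ROLE));
            held.add(session.getAttribute(PROJECT_ROLE));
            held.remove(null); // an unset attribute grants nothing
            for (int i = 0; i < required.length; i++) {
                if (held.contains(required[i])) {
                    return true; // any one listed role is sufficient
                }
            }
        }
        // Deny by default: no session, no role set, or no match.
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return false; // processing stops before the Action runs
    }
}
```

Because the override never calls `request.isUserInRole`, the role names in each mapping are compared only against the application's own session state, not against the container's realm.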