struts-user mailing list archives

From Alexis Gallagher <>
Subject Re: security roles per action mapping
Date Thu, 17 Oct 2002 11:12:16 GMT
Eddie & Vicc,

Thanks for your help on this. It got me started in the
right direction, and I found a solution that I thought
I'd share in case it's useful to someone else.

In the end, I created a custom subclass of
RequestProcessor that overrides processRoles() and
always returns true. It's less than 10 lines of code
in the end. This allows requests to reach my Action
base class, which reads the action roles attributes
and applies its own security logic.

Because the app was throwing me to the Tomcat
authentication error pages, I thought that Tomcat
container-managed security (CMS) was intercepting the
messages. This was false, and started me down the
blind alley of fiddling with constraints in web.xml.

But when I chased all the references to
ActionMapping.getRoles(), I found that Struts itself
was invoking Tomcat's CMS by calling
HttpServletRequest.isUserInRole() in the
RequestProcessor class. Subclassing RequestProcessor
solves this problem.

I expect it would also work to filter requests and
override isUserInRole(). This is nice because it
doesn't involve customizing Struts itself, but worries
me because it prevents me from actually using CMS if I
want to later on. Also, the filter class, the custom
request subclass, and the web.xml configs leave more
room for error.

Thanks for the help!

Like following a trail of

--- Eddie Bush <> wrote:
> Alexis Gallagher wrote:
> >Hello,
> >
> >I've gotten a lot of help just lurking on this list,
> >so I'm hoping my first question isn't too off base.
> >
> >I am trying to use the action "roles" parameter to
> >define fine-grained security constraints. However,
> >these constraints will apply to security roles which
> >are defined programmatically within my webapp and
> >which are not registered with the server's security
> >realm.
> >
> >So I'm wondering, is there a way to stop the server
> >from checking the "roles" parameter for its own
> >purposes, so that I can hijack it for my own?
> >
> >If I seem not just confused but totally off-base, I'll
> >stick the gory details of why I'm trying to do this in
> >a P.S.
> >
> You could write a filter and provide wrappers for
> the request that would let you override the important
> functions.
> >Thanks,
> >Alexis Gallagher
> >
> >p.s.
> >Why would I want to disable the server's check of
> >security roles? Well, in my system every user can
> >belong to multiple projects, but he can only browse
> >one project at a time. A user has both a global
> >security role (admin vs. non-admin) but also a
> >per-project security role (manager vs. member, etc.).
> >
> >My understanding is that container-managed security is
> >not intended to support a situation where a user's
> >role might change depending on their session state
> >(that is, what project they're browsing). Also,
> >container-managed security doesn't have a
> >vendor-neutral realm implementation.
> >
> >Nevertheless, it would be very convenient to
> >declaratively configure all these security
> >constraints, and I can just put the security logic in
> >my action base class.
> >
> Well, I think the thing to do would be to maybe come
> up with some additional roles for each project. No,
> wait, you'd have to be modifying your server config
> for every project. Never mind that ...
> It smells like you really do need a custom solution.
> I think probably writing a filter to wrap the request
> so you can override isUserInRole would probably be the
> way to go. You could then implement that method (and
> any others you needed to) so that it would return the
> appropriate result - after having consulted your
> database. Ideally, what would happen is you would load
> all roles associated with the user in something (Map
> perhaps) and then just consult that
> (map.containsKey(roleName)). That way you're
> offsetting hitting the database for each request. Of
> course, if roles were added after a person logged in,
> they wouldn't have them loaded. The user would have to
> relog to effect the change.
> See version 2.3 of the servlet specification and the
> J2EE tutorial for information about writing a filter
> that would do what you need to do. You're looking at
> using a Filter and ... what is it called ...
> HttpServletRequestWrapper? That's close, I believe.
> I feel like maybe there's a better solution to this
> - but it doesn't occur to me what it might be.
> Hopefully someone else has further insight.
> --
> Eddie Bush
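The filter-and-wrapper approach that Eddie suggests and Alexis considers as an alternative, written out as an added example (this is not code from the thread, from Struts, or from either poster). It uses only the servlet 2.3 API: a Filter wraps every request in an HttpServletRequestWrapper whose isUserInRole() answers from a set of application-defined role names kept in the session, so Struts' own processRoles() check against the action "roles" attribute keeps working while the container's realm is never consulted. The class name SessionRoleFilter, the attribute name ROLES_ATTR and the storeRoles() helper, which the login or project-switch code would call after looking up roles in the database, are assumptions for illustration.

```java
// Added example, not code from the thread. Assumes servlet API 2.3 (javax.servlet)
// and a hypothetical login / project-switch step that calls storeRoles() with the
// role names it has read from the database. All names here are made up.
package example.security;

import java.io.IOException;
import java.util.Collections;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

/**
 * Wraps each request so that isUserInRole() answers from application-defined
 * roles held in the session instead of from the container's realm. Struts'
 * RequestProcessor.processRoles() then enforces the action "roles" attribute
 * against these roles without any change to struts-config.xml and without any
 * security-constraint in web.xml.
 */
public class SessionRoleFilter implements Filter {

    /** Session attribute under which the login code stores a Set of role names (assumed name). */
    public static final String ROLES_ATTR = "example.security.ROLES";

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            // Every downstream caller of isUserInRole(), Struts included, sees the wrapper.
            request = new RoleRequest((HttpServletRequest) request);
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
        // nothing to release
    }

    /** Request wrapper that consults the session role set instead of the realm. */
    static class RoleRequest extends HttpServletRequestWrapper {

        RoleRequest(HttpServletRequest request) {
            super(request);
        }

        public boolean isUserInRole(String role) {
            // Deny by default: no session, or no roles loaded yet, means no role.
            HttpSession session = getSession(false);
            if (session == null) {
                return false;
            }
            Object roles = session.getAttribute(ROLES_ATTR);
            if (!(roles instanceof Set)) {
                return false;
            }
            return ((Set) roles).contains(role);
        }
    }

    /**
     * Called by the (hypothetical) login or project-switch code after it has
     * looked up the user's roles for the current project in the database.
     * Stores an unmodifiable copy, so the roles change only when this method
     * is called again; roles granted in the database after login stay invisible
     * until then, which is the re-login caveat raised in the thread.
     */
    public static void storeRoles(HttpSession session, Set roleNames) {
        session.setAttribute(ROLES_ATTR, Collections.unmodifiableSet(roleNames));
    }
}
```

To wire it in, declare the class as a `<filter>` in web.xml and map it to the Struts servlet's URL pattern (for example `*.do`) so that it runs before the ActionServlet. When the user switches projects, the switch handler calls `storeRoles()` again with the role set for the new project, which is what makes the per-project "manager vs. member" roles of the original question work with a single declarative "roles" attribute per action.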

