struts-user mailing list archives

From "Max Cooper" <>
Subject Re: Actions based on Role
Date Thu, 27 Mar 2003 23:25:37 GMT
My first suggestion would be to look into container-managed security, and
after that look at my filter-based clone of container-managed security, that works the same (you don't have
to change your app) but has a few little differences to get around things I
didn't like with container-managed security. By using one of these
solutions, you could use the Action role stuff in struts-config.xml.

If you want to adapt your current security system and be able to use the
struts-config.xml declarative roles stuff, you need to morph it into a
filter so that you can wrap the HttpRequests that come in to implement
request.isUserInRole(). request.getUserPrincipal() and
request.getRemoteUser() are the two other most important methods to
implement in your RequestWrapper class to allow Struts and other software to
make use of the security info.

Another alternative is to modify the Struts classes to make calls to your
custom security infrastructure.

Otherwise, you pretty much have to do all of your own programmatic security
against whatever proprietary API your security system has.

Also, the standard relationship between users and roles is many-to-many. A
user can have many roles, and a role can be had by many users. If you want
to harness the full power of this relationship, you'll need to drop the role
column from your user table, add a role table, and add a user_role mapping
table. Fortunately, it becomes pretty easy to use container-managed security
with a schema like that, as you can use stuff like Tomcat's JDBCRealm.


----- Original Message -----
From: "Jagadeesan,Sivakumar" <>
To: "'Struts Users Mailing List'" <>
Sent: Thursday, March 27, 2003 2:50 PM
Subject: RE: Actions based on Role

> I guess I have to do it that way.
> So I have to manually check every time whether that user is authorized for
> this Action, rather than having it in struts-config.xml, which is more
> configurable
> -----Original Message-----
> From: Edgar Dollin [mailto:Edgar@BLUE-MOOSE.NET]
> Sent: Thursday, March 27, 2003 4:55 PM
> To: 'Struts Users Mailing List'
> Subject: RE: Actions based on Role
> If you use a filter, to filter actions based on role, the action wouldn't
> have to know about security.  If your authentication sticks the user
> information into the session, the action could make decisions based on the
> user information.
> Edgar
> > -----Original Message-----
> > From: Jagadeesan,Sivakumar
> > Sent: Thursday, March 27, 2003 3:50 PM
> > To: 'Struts Users Mailing List'
> > Subject: Actions based on Role
> >
> >
> > I have a web application where users could be of three types (Roles)
> >
> > 1) Basic User
> > 2) Silver User
> > 3) Gold User
> >
> > According to Type / Role of user some actions could be
> > performed or not performed.
> >
> > I could set in my struts-config.xml, the role based access in
> > Action Element
> >
> > I am having my own authentication System that uses the
> > database . The User table has the userName and also the Role.
> >
> > I am not sure how could I create a Role that the Action is
> > expecting , if I am using my own authentication
> >
> > Thanx
> > --Siva Jagadeesan
> >

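The request-wrapping filter described in the reply above, sketched as an added example (not code from the thread or from the filter project its author mentions). It assumes the javax.servlet API and that the application's existing login code stores the user name and a Set of role names in the session under the hypothetical keys authUser and authRoles.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example: exposes an existing custom login through the Servlet security methods. */
public class RoleWrappingFilter implements Filter {
    // Hypothetical session keys; the application's own login code is assumed to set them.
    static final String USER_KEY = "authUser";   // String user name
    static final String ROLES_KEY = "authRoles"; // Set<String> of role names

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false); // do not create a session for anonymous hits
        Object user = session == null ? null : session.getAttribute(USER_KEY);
        Object roles = session == null ? null : session.getAttribute(ROLES_KEY);
        if (user instanceof String) {
            // Authenticated: everything downstream sees the wrapped request.
            req = new SecuredRequest(http, (String) user,
                    roles instanceof Set ? (Set<?>) roles : Collections.<String>emptySet());
        }
        // Anonymous requests pass through unwrapped, so role checks on them fail closed.
        chain.doFilter(req, res);
    }

    /** Answers the three security methods from the session data instead of the container. */
    static final class SecuredRequest extends HttpServletRequestWrapper {
        private final String user;
        private final Set<?> roles;

        SecuredRequest(HttpServletRequest request, String user, Set<?> roles) {
            super(request);
            this.user = user;
            this.roles = roles;
        }
        @Override public String getRemoteUser() { return user; }
        @Override public Principal getUserPrincipal() { return () -> user; }
        @Override public boolean isUserInRole(String role) { return roles.contains(role); }
    }
}
```

Map the filter in web.xml to the same URL pattern as the Struts ActionServlet so every action request is wrapped before the roles declared in struts-config.xml are evaluated.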