struts-user mailing list archives

From "Sloan Seaman" <sl...@sgi.net>
Subject Re: Best place for security checks in Struts?
Date Tue, 08 Jul 2003 19:27:30 GMT
You could have a class that is an Action (say, named SecureAction) and then
have all of the actions in the struts file extend SecureAction and implement
a method called executeSecure() (not execute()!)

What then happens is your action in the Struts config (say, named ShowUser)
gets called by Struts but since it extends SecureAction, Struts calls
SecureAction's execute().  It then checks security and if it's good it calls
executeSecure() which is the method that ShowUser overwrote.

If the security doesn't pass, then SecureAction never calls executeSecure...
and there ya go.

You can then define the security on a per action basis by making your own
ActionMapping object and doing something like:
<set-property property="ROLE" value="ADMIN"/>

That is how I did it for a while and it worked great...

--
Sloan

----- Original Message ----- 
From: "Sandeep Takhar" <sandeep_takhar@yahoo.com>
To: "Struts Users Mailing List" <struts-user@jakarta.apache.org>
Sent: Tuesday, July 08, 2003 2:44 PM
Subject: Re: Best place for security checks in Struts?


> This is the requestProcessor.
>
> Sorry for that.  I am busy doing work and then I
> answer a question...
>
> The way I think of it is that there is a
> requestProcessor for each struts-config.  (You declare
> it here).  So if you have multiple modules, you could
> theoretically have a different processor for each one.
>
> sandeep
> --- David Erickson <derickson@cmcflex.com> wrote:
> > And which class is the processRoles method in?
> >
> > ----- Original Message ----- 
> > From: "Sandeep Takhar" <sandeep_takhar@yahoo.com>
> > To: "Struts Users Mailing List"
> > <struts-user@jakarta.apache.org>
> > Sent: Tuesday, July 08, 2003 9:47 AM
> > Subject: Re: Best place for security checks in
> > Struts?
> >
> >
> > > There must be a diagram that shows all the calls before
> > > it actually hits execute() method.  There are quite a
> > > few.
> > >
> > > If you have a base action you can override one of them
> > >
> > > processRoles seems to be a logical place...
> > >
> > > sandeep
> > > --- David Erickson <derickson@cmcflex.com> wrote:
> > > > Hi I am setting up my webapp for security, had a big
> > > > thread about it last
> > > > week, we've implemented filters to handle all the
> > > > static filters sitting
> > > > around, but would also like to put some security
> > > > into the struts actions
> > > > themselves.  I'm trying to figure out where the best
> > > > place to implement the
> > > > checks would be, if I need to extend the class that
> > > > actually calls the
> > > > actions, or if I should extend the base action and
> > > > insert checks, or what
> > > > the best thing to do would be.  Somehow each of the
> > > > actions needs to have a
> > > > name assigned to it to check against as well, and
> > > > the information will be
> > > > pulled from a user bean stored in the session
> > > > variable.
> > > >
> > > > Thanks in advance!
> > > > -David
> > > >
> > > >
> > > >
> > >
> >
> ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail:
> > > > struts-user-unsubscribe@jakarta.apache.org
> > > > For additional commands, e-mail:
> > > > struts-user-help@jakarta.apache.org
>
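
The SecureAction pattern described in the message above, as an added example that is not part of the original thread or of Struts itself. It targets the Struts 1 Action API; RoleMapping, UserBean, the "user" session attribute and the "denied" forward are assumed names, and the check denies the request whenever the role, session or user bean is missing.

```java
// Added example, not the poster's code. RoleMapping, UserBean, the "user"
// session attribute and the "denied" forward are assumed names.
import javax.servlet.http.*;
import org.apache.struts.action.*;

/** Custom mapping; <set-property property="ROLE" .../> calls setROLE(). */
class RoleMapping extends ActionMapping {
    private String role;                       // null = no role configured
    public String getROLE() { return role; }
    public void setROLE(String role) { this.role = role; }
}

/** Assumed shape of the user bean kept in the session. */
interface UserBean { boolean hasRole(String role); }

public abstract class SecureAction extends Action {

    // final: a subclass cannot override execute() and skip the check.
    public final ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        if (!isAllowed(mapping, request)) {
            ActionForward denied = mapping.findForward("denied");
            if (denied == null) {              // no forward configured
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
            }
            return denied;                     // executeSecure() never runs
        }
        return executeSecure(mapping, form, request, response);
    }

    // Fail closed: wrong mapping class, missing role, no session or no
    // user bean all deny the request.
    private boolean isAllowed(ActionMapping mapping, HttpServletRequest request) {
        if (!(mapping instanceof RoleMapping)) return false;
        String required = ((RoleMapping) mapping).getROLE();
        if (required == null || required.length() == 0) return false;
        HttpSession session = request.getSession(false);   // do not create one
        Object user = (session == null) ? null : session.getAttribute("user");
        return (user instanceof UserBean) && ((UserBean) user).hasRole(required);
    }

    /** Subclasses (e.g. ShowUser) put their logic here instead of execute(). */
    protected abstract ActionForward executeSecure(ActionMapping mapping,
            ActionForm form, HttpServletRequest request,
            HttpServletResponse response) throws Exception;
}
```

Declaring execute() final is what keeps the check mandatory: an action that extends SecureAction can only supply executeSecure(), so a forgotten or misspelled override cannot silently skip authorization.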

