struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mohan Radhakrishnan" <>
Subject RE: Design question regarding struts security features
Date Mon, 29 Dec 2003 13:13:49 GMT
   Are you only filtering data based on role ?

   If you are talking about role-based access of views then we are doing
something like that

   1. You can use Container Manager Authentication and restrict access to
URL patterns to only valid users.
   2. You can use the vendor-specify XML file to specify roles and groups.
(e.g) principals.xml in OC4J
   3. You can use a vendor-specific API like the 'DataSourceUserManager' in
OC4J to write custom code that can access your tables and do away with
hard-coded principals.xml
   I think you can also use the role attribute in struts-config.xml and
restrict access actions. Tiles has a role attribute too ? though we are not
using that.


-----Original Message-----
From: Patrick Scheuerer []
Sent: Monday, December 29, 2003 5:07 AM
To: Struts Users List
Subject: Design question regarding struts security features

Hello everybody,

I'm in the process of developing my first Struts application, so forgive
me if this question is insulting everybody's intellect.

The application I'm working on is a support portal where you can
download technical document, drivers etc. The tricky part is, that
certain documents should be only accessible to users with a certain role.

My idea so far is to put a user object in the session and to evaluate
the role (and therefore the access level) of the user for all views that
are displaying  data which might be restricted.
I guess the easiest way would be using a jsp tag like
<security:checkAccessLevel /> which would retrieve the user object from
the session (if it exists) and the then filter the data accordingly. Is
there such "security taglib" around?

Has anybody worked on a similar scenario? What is the best approach to
solve this problem? Is there a best practice for it? Any tips, hints,
code snippets are welcome.

Thank you very much.


To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message