struts-user mailing list archives

From Sylvain Colomer <sylvain.colo...@free.fr>
Subject Re: Security question
Date Thu, 06 Jan 2005 00:01:02 GMT
I had quite a similar problem, but I didn't want to put security-related
code into my action code. I did it this way:
- I created a new Digester RuleSet (declared in web.xml: "rulesets"
init-param of the Struts servlet) to extend the Struts configuration
file (struts-config.xml) with specific security tags; my action
declarations looked like this:

<action type="..." parameter="req" scope="request" ...>
    <security-checks defaultRoles="role1,role2">
       <dispatch-action name="method1" roles="role1,role3"/>
       ...
    </security-checks>
</action>

- I created a new RequestProcessor (extending
org.apache.struts.action.RequestProcessor), overriding processRoles to
handle the security checks.


Barnett, Brian W. wrote:

>Well, I guess I'll proceed with that. Thank you.
>
>-----Original Message-----
>From: Chaikin, Yaakov Y. [mailto:YAAKOV.Y.CHAIKIN@saic.com] 
>Sent: Tuesday, January 04, 2005 1:55 PM
>To: 'Struts Users Mailing List'
>Subject: RE: Security question
>
>I don't know of any other way than to programmatically check the user's role
>inside your Action's method. There is no way to specify attributes in the
><url-pattern> of the <security-constraint>. It just doesn't support such
>pattern matching.
>
>Yaakov.
>
>-----Original Message-----
>From: Jim Barrows [mailto:jbarrows@sssc.com]
>Sent: Tuesday, January 04, 2005 1:30 PM
>To: Struts Users Mailing List
>Subject: RE: Security question
>
>>-----Original Message-----
>>From: Barnett, Brian W. [mailto:bbarnett@scholarinc.com]
>>Sent: Tuesday, January 04, 2005 11:04 AM
>>To: 'Struts Users Mailing List'
>>Subject: Security question
>>
>>I'm using LookupDispatchAction and role-based security. I want to allow
>>certain roles to access certain dispatches of an action. I'm not sure what
>>the best way to handle this is.
>>
>>Should I create separate Action classes? Is there a slick way to specify
>>"dispatch level" security in web.xml?
>
>The container managed security is handled by URL, which might include
>parameters.
>If not, you'll have to use one of the dispatches that requires a separate URL
>to do this.
>
>Alternatively you'll have to put the security checks inside each method.
>
>>Can someone point me to a good article(s) on using role-based security in a
>>struts app that might address these issues?
>>
>>Thanks,
>>Brian
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
>>For additional commands, e-mail: user-help@struts.apache.org


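Added example, not code from the original message or from the Struts project: a sketch of the processRoles override described at the top of this message, for Struts 1.x. SecuredActionMapping, its methods and SecurityRequestProcessor are hypothetical names; it assumes the custom RuleSet fills the mapping from the security-checks tags and that the request parameter named by "parameter" carries the dispatch method name.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

// Hypothetical mapping class: the custom Digester RuleSet would call the two
// setters while parsing <security-checks> and <dispatch-action>.
class SecuredActionMapping extends ActionMapping {
    private List<String> defaultRoles = Collections.emptyList();
    private final Map<String, List<String>> methodRoles = new HashMap<String, List<String>>();

    public void setDefaultRoles(String csv) { defaultRoles = split(csv); }
    public void addDispatchRoles(String method, String csv) { methodRoles.put(method, split(csv)); }

    // Roles for one dispatch method; a missing or unlisted method gets defaultRoles.
    public List<String> rolesFor(String method) {
        List<String> roles = (method == null) ? null : methodRoles.get(method);
        return (roles != null) ? roles : defaultRoles;
    }
    private static List<String> split(String csv) { return Arrays.asList(csv.trim().split("\\s*,\\s*")); }
}

// Hypothetical processor: replaces the per-action role check with a per-dispatch one.
public class SecurityRequestProcessor extends RequestProcessor {
    @Override
    protected boolean processRoles(HttpServletRequest request, HttpServletResponse response,
                                   ActionMapping mapping) throws IOException, ServletException {
        if (!(mapping instanceof SecuredActionMapping)) {
            return super.processRoles(request, response, mapping); // stock "roles" attribute check
        }
        // getParameter() on the mapping is the NAME of the request parameter ("req" in
        // the configuration above); its request value selects the dispatch method.
        String name = mapping.getParameter();
        String method = (name == null) ? null : request.getParameter(name);
        for (String role : ((SecuredActionMapping) mapping).rolesFor(method)) {
            if (request.isUserInRole(role)) {
                return true;
            }
        }
        // Fail closed: no matching role, or no roles configured at all, yields 403.
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return false;
    }
}
```

The processor is registered with the processorClass attribute of the controller element in struts-config.xml, and the mapping class with the className attribute of each action element that uses it.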