struts-user mailing list archives

From Ken <>
Subject Re: Authorization Best Practices
Date Wed, 07 Jul 2010 18:11:32 GMT
On Wed, 2010-07-07 at 13:34 -0400, Dale Newfield wrote:

> On 7/7/10 1:28 PM, Amol Ghotankar wrote:
> > 2 . decide how much data to access.
> >
> > This I am really working something where struts2 intercepter will read what
> > role the user has and set some global role for that request which will be
> > read by dao to use to fetch the data.
> The interceptor cannot know independent of the action/business logic 
> what data will need to be fetched.  I don't think you can solve this 
> problem within struts.  Even if you do, you've then built a toolset that 
> doesn't include any of these access restrictions in otherwise exposed 
> services.
> -Dale

This is a hand-rolled solution I used:
Create an interceptor which checks if a User object exists when
accessing a secure package, if it does not exist redirect the user to a
login page and record the initial url (will redirect back to that page
after login).  I use hibernate... so the user object contains a
connection to the database.  If you're also using hibernate you'll
notice you can supply the specific "hibernate.cfg.xml" when establishing
the connection, by making this choice dependent on the particular user
you can supply different database connections or even restrict data
access.  In this case I think xml files are better than annotations as
you don't need to change the POJO which the *.hbm.xml files refer to.

Sorry I'm not sure I really understood the issue, but this helped me a
lot and was very easy to implement.
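The interceptor Ken describes, written out as an added example (this is not code from the thread or from the Struts project). It assumes a `User` object stored in the session under the key "user", a per-role Hibernate config file named `hibernate-<role>.cfg.xml` on the classpath, and a `login` result mapped in struts.xml; all of those names are assumptions for the example.

```java
// Added example, not from the thread: a Struts2 interceptor that gates a
// secured package on a User object in the session, records the original URL
// for a post-login redirect, and selects a Hibernate config per user role.
package example.security; // hypothetical package name

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.http.HttpServletRequest;

import org.apache.struts2.ServletActionContext;
import org.hibernate.SessionFactory;
import org.hibernate.cfg.Configuration;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

public class SecureAccessInterceptor extends AbstractInterceptor {

    // Session keys (assumed names for this example).
    public static final String USER_KEY = "user";
    public static final String RETURN_URL_KEY = "returnUrl";
    // Key under which the action/DAO finds the role-specific SessionFactory.
    public static final String FACTORY_KEY = "sessionFactory";

    // Building a SessionFactory is expensive, so keep one per role and reuse it.
    private static final Map<String, SessionFactory> FACTORIES = new ConcurrentHashMap<>();

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        Map<String, Object> session = invocation.getInvocationContext().getSession();
        Object principal = session.get(USER_KEY);

        if (!(principal instanceof User)) {
            // Not logged in: remember the URL that was requested (taken from the
            // request itself, not from a parameter), then send the user to login.
            HttpServletRequest request = ServletActionContext.getRequest();
            StringBuilder target = new StringBuilder(request.getRequestURI());
            if (request.getQueryString() != null) {
                target.append('?').append(request.getQueryString());
            }
            session.put(RETURN_URL_KEY, target.toString());
            return Action.LOGIN; // "login": map this to the login page in struts.xml
        }

        User user = (User) principal;
        // Hand the action (and through it the DAO) a SessionFactory built from the
        // hibernate config chosen by this user's role, e.g. hibernate-readonly.cfg.xml.
        invocation.getInvocationContext().put(FACTORY_KEY, factoryFor(user.getRole()));
        return invocation.invoke();
    }

    private static SessionFactory factoryFor(String role) {
        return FACTORIES.computeIfAbsent(role, r ->
            new Configuration().configure("hibernate-" + r + ".cfg.xml").buildSessionFactory());
    }

    // Minimal User type assumed for the example; a real one would carry more.
    public static class User {
        private final String name;
        private final String role;

        public User(String name, String role) {
            this.name = name;
            this.role = role;
        }

        public String getName() { return name; }
        public String getRole() { return role; }
    }
}

/* Corresponding struts.xml fragment (assumed layout), registering the interceptor
   for the secured package and mapping the "login" result to the login action:

   <package name="secure" extends="struts-default">
     <interceptors>
       <interceptor name="secureAccess" class="example.security.SecureAccessInterceptor"/>
       <interceptor-stack name="secureStack">
         <interceptor-ref name="secureAccess"/>
         <interceptor-ref name="defaultStack"/>
       </interceptor-stack>
     </interceptors>
     <default-interceptor-ref name="secureStack"/>
     <global-results>
       <result name="login" type="redirectAction">login</result>
     </global-results>
     ...
   </package>
*/
```

Two design points worth making explicit: the return URL is built from the server-side request path and query, so the login action can redirect to the session value without treating it as untrusted input, and the per-role `hibernate-<role>.cfg.xml` files are only a data-access restriction if each one connects with a database account whose grants actually differ, since the interceptor itself cannot know which rows an action will ask for.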
