Posted to dev@struts.apache.org by Laurie Harper <la...@holoweb.net> on 2007/04/07 21:02:22 UTC

Re: extending AuthorizeAction command in the composable request processor chain

This is a question for the users list. The dev list is for the 
discussion of developing Struts itself. Please re-post to the users list.

L.

atitus74@verizon.net wrote:
> Hello Everyone, 
> 
> I've been working on a web application here and I've come up with a situation where I feel that extending the AuthorizeAction command class would be a quality solution to a challenge I am facing. When I complete this I would be willing to contribute this back for others to use.  Here is some necessary background on what I am trying to do. Sorry for the length on this:
> 
> The application I am working on has complex requirements for role-based authorization checks. When the check fails and the user is not authorized, we do not want to just throw an exception or report an error.  We want to direct the user to a page with instructions on how they can become authorized. Many of the actions will have different requirements, and therefore different checks and different pages with different instructions.  
> 
> I came up with what I thought was an elegant and cheerfully easy way to do this, but it has not been so easy as I thought. In the struts-config.xml file I define the action, including its roles, and I include a forward for where the instructions are located for users who fail the authorization checks. Here is an example of one of these actions: 
> 
> <action path="/orders/create" 
>         type="mypkg.CreateOrderAction"
>         roles="createOrders">
>         <forward name="unauthorized" 
>                  path="/help/ordersHowTo.do"
>                  redirect="true"/>
> </action>
> 
> I then wrote a class to replace the default AuthorizeAction class which is part of Struts. It contains the complex logic which checks to see if the user has the createOrders role or not. If they do, it would return false to allow the chain to continue. If not, it would retrieve the ForwardConfig for "unauthorized", add it to the context, and then return true to break what I was hoping was the "process-action" sub-chain, and then the "process-view" chain which executes next would retrieve the ForwardConfig from the context and then send the user there. Unfortunately this does not work the way I was anticipating :-( 
> 
> What happens is that the chain stops completely at that point. This is where I get into trouble and I am hoping someone can point me in the right direction. Here is what the default servlet processing chain looks like for me: 
> 
> <chain name="servlet-standard">
> 
>   <!-- Establish exception handling filter -->
>   <command className="org.apache.struts.chain.commands.ExceptionCatcher"
>            catalogName="struts"
>            exceptionCommand="servlet-exception"/>
> 
>   <lookup catalogName="struts"
>           name="process-action"
>           optional="false"/>
> 
>   <lookup catalogName="struts"
>           name="process-view"
>           optional="false"/>
> 
> </chain>
> 
> Is there a way that I can terminate the "process-action" chain early but still have it execute the "process-view" chain after? I will greatly appreciate any help or suggestions that you can offer. 
> 
> Best Regards, 
> Aaron Titus
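
The behaviour described in the quoted message, modelled as an added example that is not part of the original thread and is not Struts or Commons Chain code: a command that returns true stops its sub-chain, and because that result is handed to the caller, the enclosing chain stops too. All names here (`Ctx`, `chain`, `ignoreResult`, `authorize`, `step`) are hypothetical, and `ignoreResult` is an assumed way to contain the stop, not a confirmed Struts feature.

```java
import java.util.*;

public class ChainStopDemo {
    // Hypothetical request context: caller's roles, chosen forward, executed steps.
    static class Ctx {
        final Set<String> roles;
        String forward;
        final List<String> trace = new ArrayList<>();
        Ctx(Set<String> roles) { this.roles = roles; }
    }

    // true = stop processing, false = continue (the convention the message describes).
    interface Command { boolean execute(Ctx ctx); }

    // A chain stops at the first command returning true and hands that result
    // to its caller, so a nested chain that stops also stops its parent.
    static Command chain(Command... cmds) {
        return ctx -> {
            for (Command c : cmds) if (c.execute(ctx)) return true;
            return false;
        };
    }

    // Assumed containment wrapper: run the sub-chain, always report "continue".
    static Command ignoreResult(Command inner) {
        return ctx -> { inner.execute(ctx); return false; };
    }

    // Stand-in for the custom authorization command: record the forward and stop.
    static Command authorize(String role) {
        return ctx -> {
            if (ctx.roles.contains(role)) return false; // authorized: continue
            ctx.forward = "unauthorized";               // where to send the user
            return true;                                // never reach the action
        };
    }

    static Command step(String name) {
        return ctx -> { ctx.trace.add(name); return false; };
    }

    static String run(Command root, Set<String> roles) {
        Ctx ctx = new Ctx(roles);
        root.execute(ctx);
        return ctx.trace + " forward=" + ctx.forward;
    }

    public static void main(String[] args) { // requires Java 9+ for Set.of
        Command processAction = chain(authorize("createOrders"), step("execute-action"));
        Command processView = step("process-view");
        Set<String> none = Set.of(); // constructed sample: user with no roles
        System.out.println(run(chain(processAction, processView), none));
        System.out.println(run(chain(ignoreResult(processAction), processView), none));
        System.out.println(run(chain(processAction, processView), Set.of("createOrders")));
    }
}
```

In both unauthorized runs the `execute-action` step is skipped, so the check still fails closed; only the wrapped variant goes on to reach the view step with the recorded forward.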

