Posted to dev@struts.apache.org by ji liu <li...@yahoo.com> on 2004/09/25 11:40:06 UTC

Why not extend Struts to support access control?

When building a large web-based application, access
control is required. For example, user A can't access
user B's private information. In order to do so, we
should code the access control logic in
controllers. But when the access control logic is
changed, the controllers will be changed. So someone
suggested using a filter. Yes, a filter can do this very
well. But I think we miss something.
When the client wants to access a URL, validating the
input is the first thing the application should do. If we
use a filter, the input may be invalid but the user gets
"can't access". So we should do this after validating the
input and before performing the action.
If I don't use Struts, there will be no problem. But I
use Struts and Validator. I have seen the source code, and I
can't find a way to implement this mechanism
without changing the source code.
I already have an idea: if struts-config.xml could
support these tags:
<action path="URL">
  <!-- action declaration -->
  <access class="className">
     <property name="propertyName" value="value"/>
     <!-- other properties -->
     <method name="method1"/>
     <!-- other methods -->
  </access>
  <!-- other access elements -->
</action>
This config means that when a client accesses URL, the access
control will use the class declared in the "access"
element and the methods declared in the "method"
elements. The properties of the access control class are
set by the "property" elements.
Take a simple config for example:
<action path="URL">
  <!-- action declaration -->
  <access class="class1">
     <property name="name" value="Ji Liu"/>
     <method name="method1"/>
     <method name="method2"/>
  </access>
  <access class="class2">
     <property name="role" value="user"/>
     <method name="method3"/>
  </access>
</action>
This config means that when a client requests URL, the
application creates an object of class1 and sets its
property "name" to the value "Ji Liu". Then it uses the
object's methods "method1" and "method2" to check the
rights. After that, another object is created from
class2 and its property "role" is initialized as
"user"; then method "method3" is used to check.

Obviously, the classes used by the config should obey
some simple rules.
Without editing the source code, I have already implemented this
in Struts by extending ActionMapping and
RequestProcessor. But the config is so ugly: I have to use
a string which represents the config.
I think Struts needs to support this.
=====================================================
I apologize to you for my poor English. English
isn't my first language, so I think it will be a little
bit difficult to understand what I want to express.
:)

Ji Liu
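
The check the message describes, as an added example (not code from the post or from Struts): each `<access>` element names a class, its properties and its check methods, and all of them run after validation and before the action. The names `AccessRule`, `OwnerCheck` and `isAllowed`, the `Map` standing in for the request, and the checker convention (String setters, check methods that take the request and return boolean) are assumptions.

```java
import java.lang.reflect.Method;
import java.util.List;
import java.util.Map;

public class AccessCheckDemo {
    /** One <access> element: class name, <property> values, <method> names. */
    record AccessRule(String className, Map<String, String> properties, List<String> methods) {}

    /** Constructed sample checker; stands in for "class1" / "class2" in the post. */
    public static class OwnerCheck {
        private String name;
        public void setName(String name) { this.name = name; }
        public boolean isOwner(Map<String, String> request) {
            return name != null && name.equals(request.get("user"));
        }
    }

    /** Runs every rule in order; any failed check or error denies (fail closed). */
    static boolean isAllowed(List<AccessRule> rules, Map<String, String> request) {
        try {
            for (AccessRule rule : rules) {
                Class<?> type = Class.forName(rule.className());
                Object checker = type.getDeclaredConstructor().newInstance();
                for (Map.Entry<String, String> p : rule.properties().entrySet()) {
                    String key = p.getKey();
                    String setter = "set" + Character.toUpperCase(key.charAt(0)) + key.substring(1);
                    type.getMethod(setter, String.class).invoke(checker, p.getValue());
                }
                for (String name : rule.methods()) {
                    Method check = type.getMethod(name, Map.class);
                    // A method that cannot answer yes/no is a config error: deny.
                    if (check.getReturnType() != boolean.class) return false;
                    if (!(boolean) check.invoke(checker, request)) return false;
                }
            }
            return true;
        } catch (ReflectiveOperationException | RuntimeException e) {
            return false; // a misconfigured or throwing checker must not grant access
        }
    }

    public static void main(String[] args) {
        List<AccessRule> rules = List.of(new AccessRule(
            OwnerCheck.class.getName(), Map.of("name", "Ji Liu"), List.of("isOwner")));
        System.out.println(isAllowed(rules, Map.of("user", "Ji Liu")));  // owner of the data
        System.out.println(isAllowed(rules, Map.of("user", "someone"))); // a different user
        System.out.println(isAllowed(rules, Map.of()));                  // no user in request
    }
}
```

Because class and method names come from configuration, the checker treats every reflection failure as a denial rather than letting the request through.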
