Posted to user@struts.apache.org by Hal Klimer <ha...@yahoo.com> on 2004/07/05 20:52:09 UTC

Authorization and Authentication in Struts

I have a question on how to implement authorization and authentication with the 
Struts framework. In several DB tables we have users, groups, permissions, 
ACLs, etc., where the security information is stored. We would like to integrate 
this information in the best possible way with Struts. From what I have read 
so far it seems that the best place, perhaps, is to put this request validation 
code in the processPreprocess() or the processRoles() of a user-extended 
version of the RequestProcessor class. That way one could "look" at the request 
first, validate it against the logged-in user and his ACL and decide to let him 
pass or not. If this is the case, how do I generate a "redirect" to a "not 
allowed/no security" action (possibly by overriding the processActionPerform() 
method), or just throw a NotAuthorizedException and let a global exception 
handler in Struts take care of it?
Is this a correct path of action? Please excuse me if this has already been 
talked about; maybe someone could lead me to previous discussions about how to 
do this. Thanks in advance. 


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


RE: Authorization and Authentication in Struts

Posted by Shilpa Vaidya <sh...@icici-infotech.com>.
Hi,
Along these lines you can do authorization and authentication in Struts.
But it calls the Tomcat 404 page; I am still doubtful as to how to call a
customised page in this regard.
Can anyone help?
The below portion of code I believe should help in the given context.
Shilpa




import java.io.IOException;
import java.util.ArrayList;
import java.util.HashMap;

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

// The posted fragment had no class declaration or imports; they are added here so it
// compiles, and the class name is assumed. RightsReader (and its FilterRights method)
// is the poster's own application class and is not shown in the post. The unused
// Roles/ht_roles declarations from the post have been dropped.
public class SecureRequestProcessor extends RequestProcessor
    {
    // Refuse the request with a plain 403. This is what produces the container's
    // default error page rather than an application page.
    private boolean _403 ( HttpServletRequest request, HttpServletResponse response,
                           ActionMapping mapping ) throws IOException
        {
        response.sendError ( HttpServletResponse.SC_FORBIDDEN, "No Access" );
        return false;
        }

    public boolean allowAccess ( String sRequestURL, ArrayList arrActions )
        {
        // Normalise the requested path to "<path>.do" so that "/foo/bar.do" and
        // "/foo/bar" compare equal. Only a dot after the last "/" is treated as the
        // extension; the original StringTokenizer on "." would have cut a path such
        // as "/a.b/c.do" down to "/a.do".
        int slash = sRequestURL.lastIndexOf ( '/' );
        int dot = sRequestURL.lastIndexOf ( '.' );
        String beforeTemp = ( dot > slash ) ? sRequestURL.substring ( 0, dot ) : sRequestURL;
        String tempURL = beforeTemp.concat ( ".do" );

        // The post left this condition blank ("do all ur security checks here").
        // Comparing against the list of action URLs the user is entitled to is
        // assumed; arrFinal below is taken to hold exactly those URLs.
        boolean bAllowAccess = ( arrActions != null ) && arrActions.contains ( tempURL );

        return bAllowAccess;
        }

    protected boolean processRoles ( HttpServletRequest request,
                                     HttpServletResponse response,
                                     ActionMapping mapping )
        throws IOException, ServletException
        {
        // No session means nobody has logged in: refuse before even looking at
        // the mapping. Note this also blocks mappings that declare no roles.
        if ( request.getSession ( false ) == null )
            return _403 ( request, response, mapping );

        // Mappings with no roles attribute in struts-config.xml are treated as open.
        String roles = mapping.getRoles();
        if ( roles == null || roles.trim().length() == 0 )
            return true;

        String sUrl = request.getServletPath();

        // rightsMap is assumed to be loaded into the servlet context at startup
        // (that code is not shown in the post). RequestProcessor exposes the
        // ActionServlet as the protected field "servlet".
        ServletContext ctx = servlet.getServletContext();
        HashMap hmRightsMap = (HashMap) ctx.getAttribute ( "rightsMap" );

        // The post uses arrObtainrights without showing where it comes from; reading
        // the logged-in user's rights from the session under an assumed attribute
        // name ("userRights", presumably set by the login action).
        ArrayList arrObtainrights =
            (ArrayList) request.getSession ( false ).getAttribute ( "userRights" );

        try
            {
            RightsReader rightreader = new RightsReader();
            ArrayList arrFinal = rightreader.FilterRights ( hmRightsMap, arrObtainrights );

            // last security check
            if ( allowAccess ( sUrl, arrFinal ) )
                return true;
            }
        catch ( Exception e )
            {
            // Any failure while resolving rights falls through to the 403 below,
            // so a broken lookup denies rather than grants access.
            e.printStackTrace();
            }

        // call the _403 method
        return _403 ( request, response, mapping );
        }
    }

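Worked example (added here; it is not code from either message above and not part of Struts itself): a RequestProcessor subclass along the lines Hal asks about. It treats the roles attribute of each action mapping as the list of permission names that grant access, checks them against the permission names the login code is assumed to have loaded from the users/groups/permissions tables into the session, and on denial forwards to a global forward instead of calling sendError, which is the customised page Shilpa is looking for. The class name, the session attribute name "permissions", the forward name "notAuthorized" and the login code that populates the session are assumptions; getRoleNames(), moduleConfig.findForwardConfig() and processForwardConfig() are Struts 1.1+ API.

```java
import java.io.IOException;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;
import org.apache.struts.config.ForwardConfig;

/**
 * Added example, not from the thread. Assumed wiring in struts-config.xml:
 *   <controller processorClass="AclRequestProcessor"/>
 *   <global-forwards>
 *     <forward name="notAuthorized" path="/WEB-INF/jsp/notAuthorized.jsp"/>
 *   </global-forwards>
 *   <action path="/editUser" type="..." roles="user.edit,user.admin"/>
 * The login action is assumed to store the user's permission names, read from
 * the DB, in the session as a java.util.Set of Strings under PERMISSIONS.
 */
public class AclRequestProcessor extends RequestProcessor {

    /** Session attribute holding the user's permission names (assumed name). */
    public static final String PERMISSIONS = "permissions";
    /** Global forward rendered on denial (assumed name). */
    public static final String DENIED_FORWARD = "notAuthorized";

    protected boolean processRoles(HttpServletRequest request,
                                   HttpServletResponse response,
                                   ActionMapping mapping)
            throws IOException, ServletException {
        String[] required = mapping.getRoleNames();
        // A mapping without a roles attribute is public.
        if (required == null || required.length == 0) {
            return true;
        }
        if (isPermitted(request.getSession(false), required)) {
            return true;
        }
        // Returning false stops the chain: processActionPerform is never reached.
        return deny(request, response);
    }

    /** Fail closed: no session, no permission set, or no matching name all deny. */
    static boolean isPermitted(HttpSession session, String[] required) {
        if (session == null) {
            return false;
        }
        Object held = session.getAttribute(PERMISSIONS);
        if (!(held instanceof Set)) {
            return false;
        }
        Set granted = (Set) held;
        // Same semantics as the container role check Struts applies by default:
        // any one of the listed names is enough.
        for (int i = 0; i < required.length; i++) {
            if (granted.contains(required[i].trim())) {
                return true;
            }
        }
        return false;
    }

    /** Render the application's own denial page; fall back to a bare 403 if none is configured. */
    private boolean deny(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        ForwardConfig forward = moduleConfig.findForwardConfig(DENIED_FORWARD);
        if (forward == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "No Access");
        } else {
            // Keep the status honest so the denial page is not served as 200.
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            processForwardConfig(request, response, forward);
        }
        return false;
    }
}
```

On the other route Hal mentions (throwing a NotAuthorizedException and relying on a global exception handler): Struts' declarative exception handling only wraps the call to the action's execute() inside processActionPerform, so an exception thrown from processRoles or processPreprocess never reaches the handlers declared in struts-config.xml; it propagates out of the controller as a ServletException. Forwarding from the RequestProcessor, as above, or placing the check in the action itself, keeps the denial page under the application's control.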