Posted to user@struts.apache.org by Shilpa Vaidya <sh...@icici-infotech.com> on 2004/06/08 08:16:58 UTC

Thanks: Security and Struts (JAAS?)

Thanks Bill,
I guess I would be customising the request processor as you mentioned.
This would be one of the easy ways of filtering.
1. As all actions, i.e. the *.do's, pass through the request processor, I will keep
an authorisation check there.
2. I can use hashmaps and session too.
Thanks. Have a great day of Struting!
Regards
Shilpa

-----Original Message-----
From: news [mailto:news@sea.gmane.org] On Behalf Of Bill Siggelkow
Sent: Friday, June 04, 2004 6:39 PM
To: user@struts.apache.org
Subject: Re: Security and Struts (JAAS?)


Ralf,

Forgive me if I misinterpreted what you are asking, but I believe what
you want is to use the Struts "roles" attribute on actions for
application-managed security.

One way is to put a check on every page as was suggested and is done in
the Struts example.

Another way is to provide a custom RequestProcessor -- this is easier
than it sounds ...

The "roles" attribute on <action> is processed via the
RequestProcessor.processRoles() method. You will want to override this
method in a custom RequestProcessor -- something like:
<code>
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

public class CustomRequestProcessor extends RequestProcessor {

   // Replaces the default check, which asks the container via
   // request.isUserInRole(), with a check against the User object that the
   // logon action stored in the session (User is the application's own class).
   protected boolean processRoles(HttpServletRequest request,
                                  HttpServletResponse response,
                                  ActionMapping mapping)
        throws IOException, ServletException {

        // Is this action protected by role requirements?
        String[] roles = mapping.getRoleNames();
        if ((roles == null) || (roles.length < 1)) {
            return true;
        }

        // Check the current user against the list of required roles.
        // getSession(false) avoids creating an empty session for anonymous hits.
        HttpSession session = request.getSession(false);
        User user = (session == null) ? null : (User) session.getAttribute("user");

        if (user != null) {
            for (int i = 0; i < roles.length; i++) {
                if (user.hasRole(roles[i])) {
                    return true;
                }
            }
        }

        // Not logged in, or logged in without a matching role. Send an error
        // response before returning false; returning false without committing
        // a response would leave the client with an empty reply. (Struts' own
        // processRoles sends SC_BAD_REQUEST here; SC_FORBIDDEN is the more
        // accurate status for an authorization failure.)
        response.sendError(HttpServletResponse.SC_BAD_REQUEST,
            getInternal().getMessage("notAuthorized", mapping.getPath()));
        return false;
   }
}
</code>

Ralf Bode wrote:
> Hi, i have a portal based on struts.
> and i have some public action.
> (e.g for listing news and so on)
> however.
> my problem is the protected area.
> i have two roles.
> ->customer
> ->supplier
>
> both login via ONE Action
> (i got their roles via their usernames...)
> okay, i saved something in session
> and did if(session...) in an action,
> before a user (a logged in) could
> do some stuff.
>
> it works okay, but only
> if the user enters a URL like
> host:8080/trashApp/cust/addStuff.do
> (for submitting a form)
> i got validation.errors ...
> because the execute() of my action is not called...
>
> so i figured out, that i can use ROLES-attribute
> for <action>. nice, but this is jaas, isn't it?
>
> now the (for me) interesting point.
> can i add a user (or roles) manually in my
> LogonAction.execute() ?
> and when, how?
>
> or how to deal generally?
> with two user-roles and ONE-LogonAction.class ?
>
> i also watched tomcat-app, that uses struts/jaas for
> authorization, but only with ONE role.
>
> so is there anyone out there who has a tip/solution
> for me?
>
> thanks a lot!
>
> Ralf


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org

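The pieces that sit around Bill's CustomRequestProcessor, as an added example that is not from the thread or from the Struts distribution: the struts-config.xml wiring (the `roles` attribute on the protected actions and the `<controller processorClass="...">` element that makes Struts use the custom processor), the `User` class the processor casts the session attribute to, and the single LogonAction Ralf asked about, which stores a `User` carrying the role that belongs to the account. Because RequestProcessor.process() calls processRoles() before processValidate(), the role check runs before form validation, which is why this approach avoids the validation.errors Ralf saw. The class names, the action paths, the `LogonForm` bean, the `UserDirectory` stand-in for the account store, the demo accounts and the message key are all assumptions; the three classes are shown in one block but would live in one file each, in the same package as CustomRequestProcessor.

```java
// Added example, not code from the original thread. struts-config.xml wiring (assumed):
//
//   <action path="/cust/addStuff"   type="trashApp.AddStuffAction"   roles="customer" ... />
//   <action path="/supp/listOrders" type="trashApp.ListOrdersAction" roles="supplier" ... />
//   <action path="/logon" type="trashApp.LogonAction" name="logonForm"
//           scope="request" validate="true" input="/logon.jsp">
//     <forward name="success" path="/home.do"/>
//   </action>
//   <controller processorClass="trashApp.CustomRequestProcessor"/>
//
// Struts splits the comma-separated roles attribute into mapping.getRoleNames().

import java.io.Serializable;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;
import org.apache.struts.action.ActionMessages;

// --- User.java: what LogonAction stores under session attribute "user" (assumed class) ---
public final class User implements Serializable {
    private final String name;
    private final Set<String> roles;   // fixed at logon; no later code can widen it

    public User(String name, Set<String> roles) {
        this.name = name;
        this.roles = Collections.unmodifiableSet(new HashSet<String>(roles));
    }
    public String getName() { return name; }
    public boolean hasRole(String role) { return roles.contains(role); }
}

// --- UserDirectory.java: assumed in-memory stand-in for the real account store ---
final class UserDirectory {
    private static final class Account {
        final byte[] digest; final Set<String> roles;
        Account(byte[] digest, Set<String> roles) { this.digest = digest; this.roles = roles; }
    }
    private static final Map<String, Account> ACCOUNTS = new HashMap<String, Account>();
    static {   // constructed demo accounts: the role is a property of the account
        ACCOUNTS.put("alice", new Account(digest("alice", "alice-pw"), Collections.singleton("customer")));
        ACCOUNTS.put("bob",   new Account(digest("bob",   "bob-pw"),   Collections.singleton("supplier")));
    }

    // Username-salted SHA-256 keeps the demo short; a real store uses a random salt and a slow KDF.
    private static byte[] digest(String salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt.getBytes("UTF-8"));
            return md.digest(password.getBytes("UTF-8"));
        } catch (Exception e) { throw new IllegalStateException(e); }
    }

    /** The User on success; null for an unknown name or a wrong password (same answer for both). */
    static User authenticate(String name, String password) {
        Account account = ACCOUNTS.get(name);
        // MessageDigest.isEqual rather than Arrays.equals: constant-time in current JDKs
        if (account == null || !MessageDigest.isEqual(account.digest, digest(name, password))) {
            return null;
        }
        return new User(name, account.roles);
    }
}

// --- LogonAction.java: the one logon action serving both roles ---
public class LogonAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        LogonForm logonForm = (LogonForm) form;   // assumed ActionForm with username/password properties
        User user = UserDirectory.authenticate(logonForm.getUsername(), logonForm.getPassword());
        if (user == null) {
            ActionErrors errors = new ActionErrors();
            errors.add(ActionMessages.GLOBAL_MESSAGE, new ActionMessage("error.logon.invalid"));
            saveErrors(request, errors);
            return mapping.getInputForward();     // back to /logon.jsp
        }

        // Drop any session that existed before authentication so a session id an
        // attacker planted earlier never becomes a logged-in one (session fixation),
        // then store the User in a fresh session for CustomRequestProcessor.processRoles().
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        request.getSession(true).setAttribute("user", user);
        return mapping.findForward("success");
    }
}
```

With this wiring a request for /cust/addStuff.do from a session holding bob (role "supplier") is rejected by processRoles() before the form is validated or AddStuffAction is created, and an anonymous request gets the same error response.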
-- 


"This e-mail message may contain confidential, proprietary or legally privileged information. It 
should not be used by anyone who is not the original intended recipient. If you have erroneously 
received this message, please delete it immediately and notify the sender. The recipient 
acknowledges that ICICI Bank or its subsidiaries and associated companies,  (collectively "ICICI 
Group"), are unable to exercise control or ensure or guarantee the integrity of/over the contents of the information contained in e-mail transmissions and further acknowledges that any views 
expressed in this message are those of the individual sender and no binding nature of the message shall be implied or assumed unless the sender does so expressly with due authority of ICICI Group.Before opening any attachments please check them for viruses and defects." 
