Posted to user@struts.apache.org by MOHAN RADHAKRISHNAN <mr...@cellexchange.com> on 2004/04/03 13:56:41 UTC
'anonymous' role
Hi
In our current CMA implementation for role check, we have an
'anonymous' role. Now this role is supposed to work without logging into the
application. Do you have any idea how to implement this?
As far as I know there is no CMA without logging in and so I have to
block the call in the filter and duplicate a lot of code and divert the hit.
Any ideas?
Mohan
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
Re: 'anonymous' role
Posted by Adam Hardy <ah...@cyberspaceroad.com>.
On 04/03/2004 01:56 PM MOHAN RADHAKRISHNAN wrote:
> Hi
> In our current CMA implementation for role check, we have an
> 'anonymous' role. Now this role is supposed to work without logging into the
> application. Do you have any idea how to implement this?
>
> As far as I know there is no CMA without logging in and so I have to
> block the call in the filter and duplicate a lot of code and divert the hit.
>
> Any ideas?
I think this is a feature that is lacking in tomcat - or rather in the
servlet spec.
In a J2EE EJB container environment, I believe non-logged-in users have
the role 'anonymous' (or is it just the principal?)
Obviously this doesn't help you but it demonstrates that the EJB
specification authors envisaged this as a problem needing a solution, so
perhaps in the future, the servlet container will also allow this.
In the meantime, you could write wrappers for HttpServletRequest so that
you can override the isUserInRole method, and apply them via a filter.
Adam
--
struts 1.2 + tomcat 5.0.19 + java 1.4.2
Linux 2.4.20 Debian
Re: 'anonymous' role
Posted by Bill Siggelkow <bi...@bellsouth.net>.
You are essentially correct, Mohan. CMA does not come into play unless the
user attempts access to a protected resource. One thing you could do
is assume that if 'getUserPrincipal()' returns null then the user has
not logged in and is therefore in the 'anonymous' role.
If you want more flexibility and still want to use the "isUserInRole"
method you might want to look into Security Filter
(http://securityfilter.sourceforge.net).
MOHAN RADHAKRISHNAN wrote:
> Hi
> In our current CMA implementation for role check, we have an
> 'anonymous' role. Now this role is supposed to work without logging into the
> application. Do you have any idea how to implement this?
>
> As far as I know there is no CMA without logging in and so I have to
> block the call in the filter and duplicate a lot of code and divert the hit.
>
> Any ideas?
>
> Mohan
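The two suggestions in the replies above (a request wrapper that overrides isUserInRole, applied via a filter, and treating a null getUserPrincipal() as 'anonymous') can be combined as follows. This is an added example, not code posted by anyone in the thread; the class names AnonymousRoleFilter and AnonymousAwareRequest are hypothetical, and it assumes the javax.servlet API of that era.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical filter; map it in web.xml so it runs before the Struts ActionServlet.
public class AnonymousRoleFilter implements Filter {

    // Role name taken from the thread.
    static final String ANONYMOUS_ROLE = "anonymous";

    public void init(FilterConfig config) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Wrap only HTTP requests; everything downstream sees the wrapper.
        if (req instanceof HttpServletRequest) {
            req = new AnonymousAwareRequest((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    // Hypothetical wrapper that adds the 'anonymous' role to role checks.
    static class AnonymousAwareRequest extends HttpServletRequestWrapper {
        AnonymousAwareRequest(HttpServletRequest request) {
            super(request);
        }

        public boolean isUserInRole(String role) {
            // A null principal means the container has not authenticated the caller.
            if (getUserPrincipal() == null) {
                // Unauthenticated callers hold exactly one role, so a null
                // principal can never satisfy a check for a real role.
                return ANONYMOUS_ROLE.equals(role);
            }
            // Authenticated users keep the container's answer; not granting
            // them 'anonymous' as well is a design assumption of this example.
            return super.isUserInRole(role);
        }
    }
}
```

The wrapper changes only programmatic isUserInRole checks made after the filter runs. Container security constraints declared in web.xml are enforced before any filter, so resources meant for the 'anonymous' role must not sit behind an auth-constraint.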