Posted to user@struts.apache.org by "Barnett, Brian W." <br...@pearson.com> on 2005/10/07 22:16:25 UTC

How to minimize security related code in Action classes

Can someone point me to some articles or provide some examples on how to
minimize security related code (authorization) in my Action classes? I am
currently using container-managed, form-based security (Tomcat) for
authentication and <security-constraint> and <security-role> elements in
web.xml.

The problem is that I'm not sure how best to have finer grained control of
which roles can do what. For example, I have a UserAction class with methods
that allow edit, add and delete of users. I want some roles to be able to
add and edit but not delete.

The urls might look something like this:
http://www.myapp.com/do/user?Dispatch=add
http://www.myapp.com/do/user?Dispatch=edit&id=5
http://www.myapp.com/do/user?Dispatch=delete&id=5

But web.xml allows url-patterns based on actions:
<url-pattern>/do/user/*</url-pattern>

So do I have to create a separate Action class for each one so that it is a
different URL? Right now I have code that checks in edit, add and delete
methods inside UserAction to see if the logged in user has the correct role.

Any suggestions would be appreciated.

TIA,
Brian Barnett


Re: How to minimize security related code in Action classes

Posted by Adam Hardy <ah...@cyberspaceroad.com>.
Barnett, Brian W. on 07/10/05 21:16, wrote:
> Can someone point me to some articles or provide some examples on how to
> minimize security related code (authorization) in my Action classes? I am
> currently using container-managed, form-based security (Tomcat) for
> authentication and <security-constraint> and <security-role> elements in
> web.xml.
> 
> The problem is that I'm not sure how best to have finer grained control of
> which roles can do what. For example, I have a UserAction class with methods
> that allow edit, add and delete of users. I want some roles to be able to
> add and edit but not delete.
> 
> The urls might look something like this:
> http://www.myapp.com/do/user?Dispatch=add
> http://www.myapp.com/do/user?Dispatch=edit&id=5
> http://www.myapp.com/do/user?Dispatch=delete&id=5
> 
> But web.xml allows url-patterns based on actions:
> <url-pattern>/do/user/*</url-pattern>
> 
> So do I have to create a separate Action class for each one so that it is a
> different URL? Right now I have code that checks in edit, add and delete
> methods inside UserAction to see if the logged in user has the correct role.

This is very late but in case you are still wondering, combining 
authorization with dispatch action is probably best done within a 
superclass. I'm not a dispatch action expert so perhaps I shouldn't 
answer this, but I would check out the possibility of sandwiching a 
class in between dispatch action and your own actions, and put the 
authorization code in there.

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
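The following is an added illustration of the "sandwich" class Adam describes; it is not code from the thread or from the Struts project. It assumes Struts 1.x (org.apache.struts.actions.DispatchAction) with the action mapped as path="/user" and parameter="Dispatch", and the role names "admin" and "editor" and the class name SecureDispatchAction are made up for the example. The intermediate class resolves the dispatch method name exactly as DispatchAction does (via the mapping's parameter attribute), consults a per-method role table supplied by the concrete action, and refuses everything not explicitly listed, so the add/edit/delete methods themselves carry no authorization code.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.actions.DispatchAction;

/**
 * Sits between DispatchAction and the application's own actions (assumed class
 * name, not part of Struts). It reads the dispatch method name the same way
 * DispatchAction does: the request parameter named by the mapping's
 * "parameter" attribute, e.g.
 *   <action path="/user" type="com.example.UserAction" parameter="Dispatch" .../>
 * then checks that name against a per-method role table before handing
 * control to DispatchAction. Anything not explicitly allowed is denied.
 */
public abstract class SecureDispatchAction extends DispatchAction {

    /** Each concrete action maps dispatch method names to the roles allowed to call them. */
    protected abstract Map<String, Set<String>> methodRoles();

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {
        String paramName = mapping.getParameter();   // "Dispatch" in struts-config.xml
        String method = (paramName == null) ? null : request.getParameter(paramName);

        if (!isAuthorized(request, method)) {
            // Default deny: missing or unknown method name, unauthenticated caller,
            // or an authenticated caller holding none of the listed roles.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return null;
        }
        // Only now let DispatchAction reflectively invoke add/edit/delete.
        return super.execute(mapping, form, request, response);
    }

    /** Pure decision logic, kept separate so it can be exercised with a mock request. */
    protected boolean isAuthorized(HttpServletRequest request, String method) {
        if (method == null || request.getUserPrincipal() == null) {
            return false;
        }
        Set<String> allowed = methodRoles().get(method);
        if (allowed == null) {
            return false;   // method not in the table: e.g. "unspecified" or a guessed name
        }
        for (String role : allowed) {
            if (request.isUserInRole(role)) {   // roles come from the container realm
                return true;
            }
        }
        return false;
    }

    protected static Set<String> roles(String... names) {
        return Collections.unmodifiableSet(new HashSet<String>(Arrays.asList(names)));
    }
}

// UserAction.java (separate file). Role names "admin"/"editor" are assumed for the example.
class UserAction extends SecureDispatchAction {

    private static final Map<String, Set<String>> ROLES = new HashMap<String, Set<String>>();
    static {
        ROLES.put("add",    roles("admin", "editor"));
        ROLES.put("edit",   roles("admin", "editor"));
        ROLES.put("delete", roles("admin"));          // editors may add and edit but not delete
    }

    protected Map<String, Set<String>> methodRoles() {
        return ROLES;
    }

    // Dispatch methods contain business logic only; the superclass has already
    // rejected any caller who is not allowed to reach them.
    public ActionForward add(ActionMapping mapping, ActionForm form,
                             HttpServletRequest request, HttpServletResponse response) {
        return mapping.findForward("success");
    }

    public ActionForward edit(ActionMapping mapping, ActionForm form,
                              HttpServletRequest request, HttpServletResponse response) {
        return mapping.findForward("success");
    }

    public ActionForward delete(ActionMapping mapping, ActionForm form,
                                HttpServletRequest request, HttpServletResponse response) {
        return mapping.findForward("success");
    }
}
```

Two points a practitioner would want alongside this. First, the web.xml <security-constraint> on /do/user/* is still needed so the container authenticates the caller (otherwise getUserPrincipal() is null and everything is denied); leave <http-method> elements out of that constraint so it covers every verb rather than just GET and POST. Second, this gate decides only whether the caller may perform the named operation; whether they may perform it on the particular record named by id=5 is a separate check that still belongs in the method or the service layer. For coarse per-action restrictions Struts 1.x also accepts a roles attribute on <action>, but that applies to the whole mapping and so cannot separate delete from add and edit on the same URL.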


Re: How to minimize security related code in Action classes

Posted by ooper <ma...@roomity.com>.
Yes, I am still wondering. Thanks Adam, I'll look into your suggestion.

