Hi all. I've been thinking about how the j2ee front controller pattern (used by Struts et al.) does/does not take advantage of url-based authorization constraints in web.xml. I want to avoid having to check roles in my own code as much as possible. At first I thought I could declare a URL like /somewebapp/somerole/* to require the "somerole" role before being allowed access to my controller servlet. Another URL would be /somewebapp/someotherrole/* but would map to the same servlet. That servlet would then pick off the action at the end of the URL and execute it. However, while I can restrict access to the servlet, or whatever other "physical" resource I'm trying to protect, what I really want to protect is the action that's executed. Am I just stuck with enumerating all possible actions in by web.xml (/somewebapp/somerole/someaction, /somewebapp/somerole/someotheraction, etc.)? Should I instead make a filter that enforces this for me? I'm facing the same problem with Apache SOAP's rpcrouter.
thanks john -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
