Hello, I'm trying to write a test app that allows a user to access actions based on their security role. Currently I'm using container-based security; I was hoping to not have to tackle Acegi (I've done Struts 2, Hibernate, Spring, and JSP in the last couple of weeks, any more new Java technology and I think my head will explode).
Basically, I've got two separate user roles - admin and translator. Depending on which role the user has, I want to show different links in the index page. Currently, I have 3 security-constraints:

1. /jsp/protected/index/* - with users admin and translator.
2. /jsp/protected/admin/* - with user admin.
3. /jsp/protected/translator/* - with user translator.

My login-config is set to FORM, with the login page set to /jsp/login-redirect, which does a redirect to the login action, which goes to login.jsp (somewhat convoluted, I know, but there were issues with being able to specify an action as the welcome page in Tomcat).

Once the user has logged in, it runs the index action. This action uses the isUserInRole function, and puts objects in the session which describe which roles they are allowed to access. Then the index.jsp page checks for those objects, and shows the appropriate action links.

My questions:

1. I'm very new at Struts and servlet technologies in general. I'm thinking that there might be ways for a user to add session objects, so they could just add an object to the session with the same names that I am using for roles. Then my index.jsp page would give them access to actions that they shouldn't have (although they still shouldn't be able to use those actions, since the container should prevent that, correct?). Is this really the case, and if so, is there a way to directly check the user roles in the JSP page?

2. In my index.jsp, the links are set like so:

   href="<s:url action="/jsp/protected/translator/GetTerm_input"/>"

   Instead of resolving the link to something like ...TermsTranslator/jsp/protected/translator/GetTerm_input.action, it resolves to ...TermsTranslator/jsp/protected//jsp/protected/translator/GetTerm_input.action. It actually runs the actions, but there seem to be some problems with them (I haven't had time to do more debugging with them yet). Is this normal, or do I have the links screwed up somehow?

3. I don't yet fully understand the purpose of namespaces in the Struts package definition. Currently I have two packages, public and protected. Public has namespace="/jsp", and protected has namespace="/jsp/protected". Does this sound correct? Or should I have 4 packages, with namespaces /jsp, /jsp/protected/index, /jsp/protected/translator, and /jsp/protected/admin?

Thanks for any ideas, suggestions, etc!

Kelly

--
View this message in context: http://www.nabble.com/Struts-2-Actions-based-on-Security-Roles-tp15885522p15885522.html
Sent from the Struts - User mailing list archive at Nabble.com.