Hello,

I'm trying to write a test app that allows a user to access actions based on
their security role.  Currently I'm using container-based security; I was
hoping to not have to tackle Acegi (I've done Struts 2, Hibernate, Spring,
and JSP in the last couple of weeks, any more new Java technology and I
think my head will explode).

Basically, I've got two separate user roles - admin and translator. 
Depending on which role the user has, I want to show different links in the
index page.

Currently, I have 3 security-constraints:
     1. /jsp/protected/index/* - with users admin and translator.
     2. /jsp/protected/admin/* - with user admin.
     3. /jsp/protected/translator/* - with user translator.

My login-config is set to FORM, with the login page set to
/jsp/login-redirect, which does a redirect to the login action, which goes
to login.jsp (somewhat convoluted, I know, but there were issues with being
able to specify an action as the welcome page in Tomcat).

Once the user has logged in, it runs the index action.  This action uses the
isUserInRole function, and puts objects in the session which describe which
roles they are allowed to access.  Then the index.jsp page checks for those
objects, and shows the appropriate action links.

My questions:
     1. I'm very new at Struts and servlet technologies in general.  I'm
thinking that there might be ways for a user to add session objects, so they
could just add an object to the session with the same names that I am using for
roles.  Then my index.jsp page would give them access to actions that they
shouldn't have (although they still shouldn't be able to use those actions,
since the container should prevent that, correct?).  Is this really the
case, and if so, is there a way to directly check the user roles in the jsp
page?
     2. In my index.jsp, the links are set like so:
          href="<s:url action="/jsp/protected/translator/GetTerm_input"/>"

     Instead of resolving the link to something like
...TermsTranslator/jsp/protected/translator/GetTerm_input.action, it
resolves to
...TermsTranslator/jsp/protected//jsp/protected/translator/GetTerm_input.action.

     It actually runs the actions, but there seem to be some problems with
them (I haven't had time to do more debugging with them yet).  Is this
normal, or do I have the links screwed up somehow?
     3. I don't yet fully understand the purpose of namespaces in the Struts
package definition.  Currently I have two packages, public and protected. 
Public has namespace="/jsp", and protected has namespace="/jsp/protected". 
Does this sound correct?  Or should I have 4 packages, with namespaces /jsp,
/jsp/protected/index, /jsp/protected/translator, and /jsp/protected/admin?

Thanks for any ideas, suggestions, etc!

Kelly