Without looking at things in gruesome detail, Ji Liu, I agree. +1
Hey, wait -- I thought you were the one warning us against bloating Struts!? :^)
>when the client want to access a url,validating theinput is the first thing application should do.If we use filter,the input maybe invalidate but user get "can't access".So we should do this after validate the input,and before perform the action.
Actually, I don't understand why one should validate input before assessing access privileges. If the user doesn't have permission to access, then the input is implicitly invalid, so why bother doing the input validation?
>Obviously,the class used by the config should obey>I think struts need to support this.some simples rule. Without edit the source code I already implement this in struts by extend the ActionMapping and RequestProcessor.But the config is so ugly.I have use a string which represent the config.
I think that the problem here is that access control is a pretty multifaceted and potentially complex aspect of an application, and one which is most likely to need to integrate with "home-grown" systems. I would be happy to look at a proposed API/configuration format and to consider how to make Struts work well with that, but I think it would be a great challenge to come up with a "universal" API for it.
Also, note that Struts does at least integrate with J2EE container based authentication, whatever problems that model has. If nothing else, it's a standard, which makes it easier for Struts to comply with it.
Joe
--
Joe Germuska [EMAIL PROTECTED] http://blog.germuska.com "In fact, when I die, if I don't hear 'A Love Supreme,' I'll turn back; I'll know I'm in the wrong place."
- Carlos Santana
