If you check the mailing list archives, you will find a much more eloquent discourse on why Struts should not support access control than I can provide, written by Craig some time ago.
The basic reasoning is that there are almost as many solutions to the problem as there are web applications in existence today. These range from those entirely external to the web app to those completely homegrown and tightly integrated with the web app. If we were to decide to add something to Struts, whatever we added would work for some small subset of applications and be irrelevant for the rest. -- Martin Cooper On Sat, 25 Sep 2004 22:47:08 +0800 (CST), ji liu <[EMAIL PROTECTED]> wrote: > when build a large web based application,access > control is required.For example user A can't access > user B's private imformations.In order to do so,we > should code the access control logic in > controllers.But when the access control logic is > changed,the controlllers will be changed.So someone > suggest to use filter.Yes,filter can do this very > well.But I think we miss something. > when the client want to access a url,validating the > input is the first thing application should do.If we > use filter,the input maybe invalidate but user get > "can't access".So we should do this after validate the > input,and before perform the action. > If I don't use struts,there will be no problem.But I > use struts and validator.I hava seen the source code,I > can't find a method to implement this mechanism > without change the source code. > I already get an idea.if the struts-config.xml can > support these tags: > <action path="URL"> > <!--action declaration--!> > <access class="className"> > <property name="propertyName" value="value"> > <!--other property--!> > <method name="method1"/> > <!--other method--!> > <access> > <!--other access--!> > </action> > This config means when client access URL,the access > control will use the class declared in the "access>" > element,and use the method decleard in the "method" > element.The properties of the access control class is > set by the "property" element. > take a simple config for example: > <action path="URL"> > <!--action declaration--!> > <access class="class1"> > <property name="name" value="Ji Liu"> > <method name="method1"/> > <method name="method2"/> > <access> > <access class="class2"> > <property name="role" value="user"> > <method name="method3"/> > <access> > </action> > this config means when client requests URL,the > application create an object by class1 and set its > property "name" using value "Ji Liu".Then use the > object's method "method1" and "method2" to check the > rights.After that another object is created by > class2,and initialized its property "role" as > "user",then use method "method3" to check. > > Obviously,the class used by the config should obey > some simples rule. > Without edit the source code I already implement this > in struts by extend the ActionMapping and > RequestProcessor.But the config is so ugly.I have use > a string which represent the config. > I think struts need to support this. > ===================================================== > I apologized to your for may poor English. English > isn't my first language.So I think it will be a little > bit difficult to understand what I want to express. > :) > > Ji Liu > > _________________________________________________________ > Do You Yahoo!? > 150äæMP3ççæïåæéåéäæå > http://cn.rd.yahoo.com/mail_cn/tag/yisou/music/*http://music.yisou.com/ > çåææåæåæïæéçåãèååéå > http://cn.rd.yahoo.com/mail_cn/tag/yisou/image/*http://image.yisou.com > 1Gåæ1000åïéèçéèåæåï > http://cn.rd.yahoo.com/mail_cn/tag/1g/*http://cn.mail.yahoo.com/event/mail_1g/ > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
