I'm not sure I follow your reasoning... In terms of security, you ALWAYS
want a user to be authenticated and validated before ANY application-level
code executes, and in my mind, that very much includes input validation.
Filters provide this mechanism, before Struts comes into play, which is
where it should happen.

In an enterprise-class application, the trend, and rightly so I think, is
to externalize security, meaning when a URL is requested, the web server
hands the user authentication piece off to some handler (like Netegrity
Siteminder as an example), so it's not the web server, app server or even
a filter that handles checking if a user is valid for each request.

Am I missing something that might change my mind?

-- 
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com

On Sat, September 25, 2004 11:05 am, Michael McGrady said:
> Without looking at things in gruesome detail, Ji Liu, I agree. +1
>
> ji liu wrote:
>
>>When building a large web-based application, access
>>control is required. For example, user A can't access
>>user B's private information. In order to do so, we
>>should code the access control logic in
>>controllers. But when the access control logic is
>>changed, the controllers will be changed. So someone
>>suggested using a filter. Yes, a filter can do this very
>>well. But I think we miss something.
>>When the client wants to access a URL, validating the
>>input is the first thing the application should do. If we
>>use a filter, the input may be invalid but the user gets
>>"can't access". So we should do this after validating the
>>input, and before performing the action.
>>If I don't use Struts, there will be no problem. But I
>>use Struts and Validator. I have seen the source code; I
>>can't find a method to implement this mechanism
>>without changing the source code.
>>I already have an idea: if struts-config.xml can
>>support these tags:
>><action path="URL">
>>  <!-- action declaration -->
>>  <access class="className">
>>     <property name="propertyName" value="value"/>
>>     <!-- other properties -->
>>     <method name="method1"/>
>>     <!-- other methods -->
>>  </access>
>>  <!-- other access elements -->
>></action>
>>This config means when the client accesses the URL, the access
>>control will use the class declared in the "access"
>>element, and use the method declared in the "method"
>>element. The properties of the access control class are
>>set by the "property" element.
>>Take a simple config for example:
>><action path="URL">
>>  <!-- action declaration -->
>>  <access class="class1">
>>     <property name="name" value="Ji Liu"/>
>>     <method name="method1"/>
>>     <method name="method2"/>
>>  </access>
>>  <access class="class2">
>>     <property name="role" value="user"/>
>>     <method name="method3"/>
>>  </access>
>></action>
>>This config means when the client requests the URL, the
>>application creates an object of class1 and sets its
>>property "name" to the value "Ji Liu". Then it uses the
>>object's methods "method1" and "method2" to check the
>>rights. After that another object is created from
>>class2, its property "role" is initialized as
>>"user", and then method "method3" is used to check.
>>
>>Obviously, the class used by the config should obey
>>some simple rules.
>>Without editing the source code, I have already implemented this
>>in Struts by extending ActionMapping and
>>RequestProcessor. But the config is so ugly. I have used
>>a string which represents the config.
>>I think Struts needs to support this.
>>=====================================================
>>I apologize to you for my poor English. English
>>isn't my first language. So I think it will be a little
>>bit difficult to understand what I want to express.
>>:)
>>
>>Ji Liu
>>
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: [EMAIL PROTECTED]
>>For additional commands, e-mail: [EMAIL PROTECTED]
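As an added example that is not part of the thread, the two layers discussed above in Java: a servlet Filter that stops unauthenticated requests before any Struts code runs (Frank's point), and a Struts 1.1 ActionMapping subclass plus RequestProcessor that applies a per-action rule only after Validator has accepted the input (Ji Liu's ordering). Assumed wiring, not from the thread: `<action className="AccessMapping" ...><set-property property="requiredRole" value="user"/></action>` and `<controller processorClass="AccessRequestProcessor"/>`; the class and property names are invented.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

/** Layer 1: runs before Struts. No identity means no application code at all. */
public class AuthenticationFilter implements Filter {
    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Identity is established by the container or an external SSO handler
        // (hypothetical deployment); an anonymous request stops here, before validation.
        if (request.getUserPrincipal() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }
}

/** Layer 2a: per-action rule carried on the mapping via <set-property> (hypothetical property). */
class AccessMapping extends ActionMapping {
    private String requiredRole;
    public String getRequiredRole() { return requiredRole; }
    public void setRequiredRole(String role) { requiredRole = role; }
}

/** Layer 2b: evaluate the rule after Validator accepted the input, before the Action runs. */
class AccessRequestProcessor extends RequestProcessor {
    protected boolean processValidate(HttpServletRequest request, HttpServletResponse response,
                                      ActionForm form, ActionMapping mapping)
            throws IOException, ServletException {
        // Invalid input is reported as a validation error first, as the thread asks.
        if (!super.processValidate(request, response, form, mapping)) return false;
        if (mapping instanceof AccessMapping) {
            String role = ((AccessMapping) mapping).getRequiredRole();
            if (role != null && !request.isUserInRole(role)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN); // deny; Action never executes
                return false;
            }
        }
        return true;
    }
}
```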