I think you need to restructure your application.

--b


On Sun, 26 Sep 2004 22:40:18 +0800, liu ji <[EMAIL PROTECTED]> wrote:
> I have just read the example.
> I don't see any clue that acegi solved the problem.
> 
> Although it can ensure security at the function level, it isn't very useful.
> 
> I can secure my system at a high level, not function level.
> 
> It also uses IoC, which struts doesn't support. If I want to use it, I have to
> use spring.
> 
> Your example is the role checking. But the access control is more complex.
> For example, when user A wants to edit his information, the URL may be like
> this: http://user/editProfile.do?id=userA. The editProfile.do uses the id
> parameter to get the profile of user A. Before doing that, the application
> should ensure that the request is requested by user A. So the editProfile
> should compare the id parameter with the id property stored in the session.
> 
> Maybe more complex: for example, the id parameter indicates the order id. A user
> may have a lot of order ids; they can only edit the order which wasn't
> shipped. How can acegi solve this?
> 
> Sorry, I ask a lot of questions, and many of them are irrelevant to struts.
> 
> 
> 
> 
> ==============================================
> Ji Liu
> 
> >From: bryan <[EMAIL PROTECTED]>
> >Reply-To: [EMAIL PROTECTED]
> >To: liu ji <[EMAIL PROTECTED]>, Struts Developers List <[EMAIL PROTECTED]>
> >Subject: Re: why not extend struts to support access control?
> >Date: Sun, 26 Sep 2004 13:40:01 +0200
> >
> >it does support it, just depends on whether or not you correctly
> >structured your application.
> >
> >Here is a sample app that I wrote to test it.
> >
> >https://jestate.dev.java.net/files/documents/1364/7000/ageci-quick-start.zip
> >
> >There is ample documentation on their web site as well.
> >
> >--b
> >
> >
> >On Sun, 26 Sep 2004 18:59:55 +0800, liu ji <[EMAIL PROTECTED]> wrote:
> > > I don't think acegi security supports the programmatic access control.
> > >
> > > By the way, how do you solve the programmatic access control problem?
> > >
> > > ==============================================
> > > Ji Liu
> > >
> > >
> > > >From: bryan <[EMAIL PROTECTED]>
> > > >Reply-To: [EMAIL PROTECTED]
> > > >To: Struts Developers List <[EMAIL PROTECTED]>
> > > >Subject: Re: why not extend struts to support access control?
> > > >Date: Sun, 26 Sep 2004 12:44:40 +0200
> > > >
> > > >http://acegisecurity.sourceforge.net
> > > >
> > > >unless of course you feel an irresistible urge to reinvent the wheel for
> > > >the 10000000000000th time ......
> > > >
> > > >--b
> > > >
> > > >
> > > >On Sun, 26 Sep 2004 05:07:32 +0000, liu ji <[EMAIL PROTECTED]> wrote:
> > > > > Thank you.
> > > > > I know filter can do this very well. But filters have some drawbacks. I
> > > > > don't know how to express this, because of my poor English.
> > > > > Without struts, I can use a single filter to delegate the request to my
> > > > > access control framework. I have already done this.
> > > > > But when using struts, there will be some redundancies.
> > > > > And I think struts should provide this.
> > > > >
> > > > > Maybe an access control framework which doesn't depend on struts is more
> > > > > attractive.
> > > > > I want this kind of framework.
> > > > > Do you know where I can find one?
> > > > > Do you know where can I find one?
> > > > >
> > > > > ==============================================
> > > > > Ji Liu
> > > > >
> > > > > >From: "Frank W. Zammetti (MLists)" <[EMAIL PROTECTED]>
> > > > > >Reply-To: [EMAIL PROTECTED]
> > > > > >To: "Struts Developers List" <[EMAIL PROTECTED]>
> > > > > >Subject: Re: why not extend struts to support access control?
> > > > > >Date: Sat, 25 Sep 2004 13:12:44 -0400 (EDT)
> > > > > >
> > > > > >I'm not sure I follow your reasoning... In terms of security, you ALWAYS
> > > > > >want a user to be authenticated and validated before ANY application-level
> > > > > >code executes, and in my mind, that very much includes input validations.
> > > > > >Filters provide this mechanism, before Struts comes into play, which is
> > > > > >where it should happen.
> > > > > >
> > > > > >In an enterprise-class application, the trend, and rightly so I think, is
> > > > > >to externalize security, meaning when a URL is requested, the web server
> > > > > >hands the user authentication piece off to some handler (like Netegrity
> > > > > >Siteminder as an example), so it's not the web server, app server or even
> > > > > >a filter that handles checking if a user is valid for each request.
> > > > > >
> > > > > >Am I missing something that might change my mind?
> > > > > >
> > > > > >--
> > > > > >Frank W. Zammetti
> > > > > >Founder and Chief Software Architect
> > > > > >Omnytex Technologies
> > > > > >http://www.omnytex.com
> > > > > >
> > > > >
> > > > > ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > >
> 
>
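
The two checks asked about in the quoted message (comparing the `id` parameter with the id held in the session, and allowing an order edit only for the owner of an unshipped order), written as a framework-independent added example that is not part of the original thread and is not Acegi or Struts code. Every class, method and field name is hypothetical, and the order data is constructed.

```java
import java.util.Map;

// Added example: object-level authorization decided in one place, callable
// from a filter or from a Struts Action. All names here are hypothetical.
public class OrderAccessCheck {

    enum Decision { ALLOW, DENY_NOT_AUTHENTICATED, DENY_NOT_OWNER, DENY_NOT_FOUND, DENY_ALREADY_SHIPPED }

    // Minimal order record; a real application would load this from its data store.
    static final class Order {
        final String ownerId;
        final boolean shipped;
        Order(String ownerId, boolean shipped) { this.ownerId = ownerId; this.shipped = shipped; }
    }

    // Profile edit: the id request parameter must equal the id stored in the session.
    static Decision canEditProfile(String sessionUserId, String requestedId) {
        if (sessionUserId == null) return Decision.DENY_NOT_AUTHENTICATED;
        return sessionUserId.equals(requestedId) ? Decision.ALLOW : Decision.DENY_NOT_OWNER;
    }

    // Order edit: the order must exist, belong to the session user, and not be shipped.
    // The owner is read from the stored order, never from a request parameter.
    static Decision canEditOrder(String sessionUserId, String orderId, Map<String, Order> orders) {
        if (sessionUserId == null) return Decision.DENY_NOT_AUTHENTICATED;
        Order order = (orderId == null) ? null : orders.get(orderId);
        if (order == null) return Decision.DENY_NOT_FOUND;
        if (!sessionUserId.equals(order.ownerId)) return Decision.DENY_NOT_OWNER;
        return order.shipped ? Decision.DENY_ALREADY_SHIPPED : Decision.ALLOW;
    }

    public static void main(String[] args) {
        // Constructed sample data: userA owns o-1 (open) and o-2 (shipped), userB owns o-3.
        Map<String, Order> orders = Map.of(
            "o-1", new Order("userA", false),
            "o-2", new Order("userA", true),
            "o-3", new Order("userB", false));

        System.out.println("profile userA by userA: " + canEditProfile("userA", "userA"));
        System.out.println("profile userB by userA: " + canEditProfile("userA", "userB"));
        System.out.println("order o-1 by userA:     " + canEditOrder("userA", "o-1", orders));
        System.out.println("order o-2 by userA:     " + canEditOrder("userA", "o-2", orders));
        System.out.println("order o-3 by userA:     " + canEditOrder("userA", "o-3", orders));
        System.out.println("order o-9 by userA:     " + canEditOrder("userA", "o-9", orders));
        System.out.println("order o-1 by anonymous: " + canEditOrder(null, "o-1", orders));
    }
}
```

The distinct deny reasons are for server-side logging; the response sent to the client can be identical for "not found" and "not owner" so that it does not reveal which order ids exist.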
