Martin Cooper wrote:

On Sun, 26 Sep 2004 22:40:18 +0800, liu ji <[EMAIL PROTECTED]> wrote:


I have just read the example.
I don't see any clue that ageci solved the problem.

Although it can ensure security at the function level, it isn't very useful.

I can secure my system at a high level, not at the function level.

It also uses IOC, which struts doesn't support. If I want to use it, I have to
use spring.

Your example is the role checking. But the access control is more complex.
For example, when user A wants to edit his information, the URL may be like
this: http://user/editProfile.do?id=userA. The editProfile.do uses the id
parameter to get the profile of user A. Before doing that, the application
should ensure that the request was made by user A. So the editProfile
should compare the id parameter with the id property stored in the session.

Maybe more complex: for example, the id parameter indicates the order id. Users
may have a lot of orderid; they can only edit the orders which weren't
shipped. How can ageci solve this?

Sorry, I ask a lot of questions, and many of them are irrelevant to struts.



They're not irrelevant, but I do think this discussion would be better off on the user list rather than the dev list. There are many, many more people on that list, and I'm sure many of them have faced the same problem as you do and have implemented solutions to it. You'll get more ideas from people with experience in the problem if you ask your questions on that list.

While I'm here, though, one option for you would be to use
struts-chain, in contrib, which will allow you to add whatever
security checks you need, at whatever stage in the processing of a
request you need, or want.

--
Martin Cooper


I would like to underscore this. This chain business is very exciting. Good stuff!
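
The check described in the quoted question (compare the id parameter with the id stored in the session; for orders, also require that the order belongs to that user and has not shipped), as an added example that is not part of the original thread and is not Struts, struts-chain or Spring code. All class, method and data names are hypothetical, and the order map is constructed sample data.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration; every class and method name here is hypothetical.
public class OwnershipCheckExample {

    static final class Order {
        final String id, ownerId;
        final boolean shipped;
        Order(String id, String ownerId, boolean shipped) {
            this.id = id; this.ownerId = ownerId; this.shipped = shipped;
        }
    }

    // Constructed sample data standing in for the order table.
    static final Map<String, Order> ORDERS = new HashMap<>();
    static {
        ORDERS.put("1001", new Order("1001", "userA", false));
        ORDERS.put("1002", new Order("1002", "userA", true));
        ORDERS.put("2001", new Order("2001", "userB", false));
    }

    // Profile case: the id parameter must equal the id stored in the session.
    static boolean mayEditProfile(String sessionUserId, String idParam) {
        return sessionUserId != null && sessionUserId.equals(idParam);
    }

    // Order case: the order must exist, belong to the session user, and not be shipped.
    // Unknown ids are denied the same way as orders owned by someone else.
    static boolean mayEditOrder(String sessionUserId, String orderIdParam) {
        if (sessionUserId == null || orderIdParam == null) return false;
        Order o = ORDERS.get(orderIdParam);
        return o != null && o.ownerId.equals(sessionUserId) && !o.shipped;
    }

    public static void main(String[] args) {
        String sessionUser = "userA"; // taken from the session, never from the request
        System.out.println(mayEditProfile(sessionUser, "userA")); // own profile
        System.out.println(mayEditProfile(sessionUser, "userB")); // someone else's id
        System.out.println(mayEditOrder(sessionUser, "1001"));    // own order, not shipped
        System.out.println(mayEditOrder(sessionUser, "1002"));    // own order, already shipped
        System.out.println(mayEditOrder(sessionUser, "2001"));    // another user's order
        System.out.println(mayEditOrder(sessionUser, "9999"));    // no such order
    }
}
```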



