[ http://issues.apache.org/struts/browse/SHALE-149?page=comments#action_38014 ] Cyril Bouteille commented on SHALE-149: ---------------------------------------
I'd like to see the following features: 1) a declarative way to extend navigation rules with authorization requirements 2) an infrastructure to automatically forward requests to secured pages to a custom login page, while keeping context of the original request, so we can forward back to it after the authentication/authorization is completed on submit from the login page > [Shale] Support for fine grained security on navigation > ------------------------------------------------------- > > Key: SHALE-149 > URL: http://issues.apache.org/struts/browse/SHALE-149 > Project: Shale > Issue Type: Improvement > Environment: Operating System: other > Platform: Other > Reporter: Craig McClanahan > Priority: Minor > > Conversations on the Struts user mailing list today highlight the potential > for > a Shale value add with regards to authorization. It was noted that container > managed security can protect the incoming form submits, but does not protect > navigation to an arbitrary page (because constraints are only applied on the > initial submit, not on RequestDispatcher.forward() calls used to implement the > navigation). It would be interesting for Shale to offer a customized > navigation > handler that would allow limitation of navigation to specified view > identifiers > based on request.isUserInRole(). > As a further generalization, it would be useful to present this capability as > a > general purpose plugin architecture, where the application could provide any > sort of fine grained access control it wanted ("only managers can navigate to > the salary details page, and only for their own employees"). A built in > plugin > that supported container managed security could be a "reference > implementation" > of this featue. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/struts/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira
