Andrew,

I forgot to follow up on this, sorry. I implemented a Stripes interceptor (based on the sample provided on the Stripes website). Works like a charm; together with a JAAS login module (authentication against RACF) and a basic login.jsp, the problem is now solved elegantly.
thanks for the hint.

regards,
Harry

2008/11/27 Harry Metske <[email protected]>

> yes I have read about that but wasn't sure if it would help me.
> the important thing you say here is "forward the user as needed to a
> login or "unauthorized" page if the role check fails" with the emphasis on
> login page.
> So if I understand it correctly, users that don't have an account should
> still be able to use the "Read functions" that way.
>
> I'll have a look at it and see if I can make it work, thanks for the help!
>
> regards,
> Harry
>
> 2008/11/27 Andrew Jaquith <[email protected]>
>
>> I am not sure if this will be possible, but it seems to me that you should
>> not have to use multiple URLs for the scenario you described.
>>
>> For role-based access to particular ActionBean methods, I recommend
>> annotating the handler methods (read, edit etc) with annotations that denote
>> the roles that are allowed to execute them. Then, you would provide an
>> Interceptor implementation that fires after event resolution but before
>> validation. The Interceptor's job would be to make the authorization
>> decision and forward the user as needed to a login or "unauthorized" page if
>> the role check fails.
>>
>> This is actually a pretty simple and elegant approach because you don't
>> need to modify ActionBeans, or use separate URL schemes, to do it. This
>> Interceptor-based approach is the strategy JSPWiki 3 takes.
>>
>> There is a community-developed SecurityInterceptor floating around on the
>> Stripes site somewhere. You should take a look at that first.
>>
>> Regards,
>>
>> Andrew
>>
>> On Nov 26, 2008, at 16:01, Harry Metske <[email protected]> wrote:
>>
>>> Andrew,
>>>
>>> will it then be possible to have more than one URL bound to the same
>>> ActionBean?
>>> I ask because I currently work on a simple Stripes based CRUD application,
>>> and I'm using the same ActionBean for all actions (Create, Read, Update,
>>> Delete).
>>> I want read to be publicly available, but the others should be J2EE
>>> protected with a security-constraint.
>>> So would it be possible to have 2 URLs, like:
>>> /nonpub/MyActionBean
>>> /pub/MyActionBean
>>> Where only the first one is protected.
>>> Of course, there is some additional security checking required in the
>>> ActionBean.
>>>
>>> regards,
>>> Harry
>>>
>>> 2008/11/26 Andrew Jaquith <[email protected]>
>>>
>>>> FYI --
>>>>
>>>> Ben Gunter @ the Stripes project just committed a new enhancement that I'd
>>>> requested in August, namely the ability to create ActionBean URLBindings
>>>> from arbitrary String patterns. It will ship in 1.5.1.
>>>>
>>>> This is excellent news because it makes it possible for third parties (like
>>>> us) to fairly easily create, for example, URLBinding patterns that are read
>>>> from text files. This gives us an option for binding URLs to ActionBeans
>>>> other than the default method, which is to get them from class annotations.
>>>> My intent is to create a FileActionResolver to do this, at a slightly later
>>>> point in the 3.0 dev cycle.
>>>>
>>>> For the Americans on this list -- happy Thanksgiving.
>>>>
>>>> Andrew
