> -----Original Message----- > From: Rickard Öberg [mailto:[EMAIL PROTECTED]] > > Good point. I agree with that. But, there's still a need to > add roles to > xwork.xml I think, for the cases where the actions are > invoked by other > actions, or by some dispatcher other then a servlet controller. >
Hmm... I think this is an important check to make during invocation, but where would these roles be defined? If this is supposed to span across more than the web, then you can't depend on J2EE security and its user/role model. In J2EE, you can use isUserInRole(), but what do you do for Swing? This is why I said I think it's best to leave all security stuff outside the scope of Xwork and let that be app specific. Checking the user role using your custom user/role framework can be built into a custom dispatcher or a base action class. Or we could develop a SecureDispatcher based on OSUser, which would allow you to use all of the different providers OSUser has pre-built, which could work in a J2EE container, or outside. On the flip side, I think for the web case, we need to make it at least possible (if not default) to pin actions to certain URL paths, to allow external security to be applied. > > Also, what should happen if an action is invoked through an <include> > and is not allowed access to. This is by far the most common > case I have > anyway (I don't have ANY other case). How would that work? > Not sure. Some kind of IllegalAccessException, I would suspect. Jason ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
