I created a RoleActionFilter and RoleRestricted interface that our actions implement 
which returns a String[] of acceptable roles. The RoleActionFilter gets the Action 
using the ActionFactory and, if it implements RoleRestricted, it checks the role of 
the current user against the acceptable roles and either allows access or throws a 
ServletException.

All of this is MUCH cleaner in WW2 where namespaces make Actions pinned to certain 
paths (or not, your decision, but at least you CAN decide).

Jason

> -----Original Message-----
> From: Anders Engström [mailto:[EMAIL PROTECTED] 
> Sent: Friday, March 07, 2003 9:17 AM
> To: [EMAIL PROTECTED]
> Subject: [OS-webwork] WW and J2EE based security
> 
> 
> 
> Howdy.
> 
> Is there a "best-practice" for using J2EE container managed 
> security with WebWork 1.3 (<security-constraint> etc. in web.xml)?
> 
> I've discussed some possible strategies with Joseph 
> (Ottinger) on irc, but none of them seem natural.
> 
> 1 - prefix action mappings with secured-theaction.action in 
> views.properties and restrict access to these mappings in web.xml.
> 
> 2 - use different webwork.action.extension (.action & 
> .secured-action) and restrict access based on extension in 
> web.xml (is it even possible to specify more than one 
> extension in webwork.properties?)
> 
> 3 - use web.xml to restrict access to the web-resources (i.e. 
> /jsp/secured/somepage.jsp). This would only protect the view, 
> but not the execution of the action.
> 
> How are you folks out there managing this situation?
> 
> Best Regards //Anders
> 
> -- 
> |===================================|
> |    Anders Engström                |
> |    [EMAIL PROTECTED]            |
> |    http://www.gnejs.net           |
> |===================================|
> |Your mind is like an umbrella.     |
> |It doesn't work unless you open it.|
> |  /Frank Zappa                     |
> |===================================|
> 
> 
> 
> 


_______________________________________________
Opensymphony-webwork mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
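
The filter approach described in the reply above, as an added example that is not code from the thread or from WebWork. The `getAllowedRoles()` method name, the `lookupAction` hook (standing in for the ActionFactory lookup), the use of `HttpServletRequest.isUserInRole` for the role check, and deriving the action name from an extension-mapped servlet path are all assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;

/** Implemented by actions limited to certain roles (method name is assumed). */
interface RoleRestricted {
    String[] getAllowedRoles();
}

public abstract class RoleActionFilter implements Filter {

    /** Hypothetical hook: return the action instance for a name, e.g. via ActionFactory. */
    protected abstract Object lookupAction(String actionName) throws Exception;

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        Object action;
        try {
            action = lookupAction(actionName(http.getServletPath()));
        } catch (Exception e) {
            // Fail closed: an action that cannot be inspected is not executed.
            throw new ServletException("Cannot resolve action for role check", e);
        }
        if (action instanceof RoleRestricted
                && !hasAnyRole(http, ((RoleRestricted) action).getAllowedRoles())) {
            throw new ServletException("Access denied");
        }
        chain.doFilter(req, res);   // reached only when the check passed
    }

    /** "/admin/deleteUser.action" -> "deleteUser" (assumes extension mapping). */
    static String actionName(String servletPath) {
        String last = servletPath.substring(servletPath.lastIndexOf('/') + 1);
        int dot = last.lastIndexOf('.');
        return dot < 0 ? last : last.substring(0, dot);
    }

    /** True if the container-authenticated user holds at least one listed role. */
    static boolean hasAnyRole(HttpServletRequest http, String[] roles) {
        if (roles == null) return false;          // no roles listed: deny
        for (int i = 0; i < roles.length; i++) {
            if (http.isUserInRole(roles[i])) return true;
        }
        return false;
    }
}
```

Because the check runs before `chain.doFilter`, it guards execution of the action itself and not only the rendered view, which is the gap noted for option 3 in the quoted message.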
