Hi James, hi Craig

I am not very happy with your approach, because it intermixes presentation with 
logic. What you do is: You check in the JSP page whether a user is in a specific 
role. But what you really want to do is to check if a user has the right 
permissions BEFORE an action is executed.

So what you really want to have is a parameter in your action mappings, like this:


  <!-- Display change password page -->
  <action path="/displayPasswordChange"
          type="SuccessAction">
    <set-property property="authtype" value="AnyUserAuthentication"/>
    <forward name="success" path="/passwordChange.jsp" />
  </action>


The parameter authtype specifies a class that provides a check method. If the 
check method returns true, the action is executed, otherwise it forwards to a 
global forward like this:


  <!-- this happens, when an authentication exception is thrown -->
  <forward name="authenticationexception" path="/authenticationException.jsp" />


I think this approach would meet the TODO item much better, because it says: 
"Add the ability to require the current user to be in a particular security role 
before they can execute a particular ACTION."

Together with a colleague I have already implemented some enhancements that 
provide this feature along with some rudimentary workflow control.

I sent the code out several weeks ago as a response to a thread titled "Workflow 
RFC" and I know some people were pretty interested to use it. In the meantime we 
have further enhanced it.

In order to get an idea what our enhancement is doing, I attached the README 
file which describes our changes.

What do you think?


--- Matthias


Craig R. McClanahan wrote:

> 
> On Wed, 27 Jun 2001, BONAIUTO,JAMES (HP-NewJersey,ex1) wrote:
> 
> 
>>sorry, here's the example:
>><logic:present role="admin,user,manager" >
>>      <bean:write key="confirm.authorized" />
>></logic>
>>
> 
> I assume this means you'd write the authorized message if
> request.isUserInRole() returned true for any of the listed role
> names?  Likewise, the body of <logic:notPresent> would be processed if
> isUserInRole() returned false for any of the listed role names?
> 
> Makes sense to me.
> 
> 
>>James Bonaiuto
>>
>>
> 
> Craig
> 
> 
> 
>>-----Original Message-----
>>From: BONAIUTO,JAMES (HP-NewJersey,ex1) [mailto:[EMAIL PROTECTED]]
>>Sent: Wednesday, June 27, 2001 3:25 PM
>>To: [EMAIL PROTECTED]
>>Subject: Struts 1.1 To-Do - Enhance role checking
>>
>>
>>I would like to extend the <logic:present> and <logic:notPresent> tags to
>>accept a comma-delimited list of roles in the role attribute, like this:
>>              <logic:present 
>>
>>Is this an acceptable solution to the to-do list item? If so, I'd like to
>>make that change.
>>
>>James Bonaiuto
>>
>>


