I've posted this to More About Struts as a ZIP file with Mathias's
source code and the original post.
< http://www.husted.com/about/struts/resources.htm#new >
Matthias Bauer wrote:
>
> Hi James, hi Craig
>
> I am not very happy with your approach, because it intermixes presentation with
> logic. What you do is: You check in the JSP page whether a user is in a specific
> role. But what you really want to do is to check if a user has the right
> permissions BEFORE an action is executed.
>
> So what you really want to have is a parameter in your action mappings, like this:
>
> <!-- Display change password page -->
> <action path="/displayPasswordChange"
> type="SuccessAction">
> <set-property property="authtype" value="AnyUserAuthentication"/>
> <forward name="success" path="/passwordChange.jsp" />
> </action>
>
> The parameter authtype specifies a class that provides a check method. If the
> check method returns true, the action is executed, otherwise it forwards to a
> global forward like this:
>
> <!-- this happens, when an authentication exception is thrown -->
> <forward name="authenticationexception" path="/authenticationException.jsp" />
>
> I think this approach would meet the TODO item much better, because it says:
> "Add the ability to require the current user to be in a particular security role
> before they can execute a particular ACTION."
>
> Together with a collegue I have already implemented some enhancements that
> provide this feature along with some rudimentary workflow control.
>
> I sent the code out several weeks ago as a response to a thread titled "Workflow
> RFC" and I know some people were pretty interested to use it. In the meantime we
> have further enhanced it.
>
> In order to get an idea what our enhancement is doing, I attached the README
> file which describes our changes.
>
> What do you think?
>
> --- Matthias
