I'm also very strongly in favor of this idea! Moreover, IMO, Struts should include
some simple pluggable security (Tomcat realm based, perhaps) adapter with a default
implementation that wraps Tomcat's realms. I'm sure the community will donate
implementations specific to other containers (WebSphere, WebLogic, etc.). This way
a Struts app becomes more independent and portable between various containers, so one
can develop and test his app, including security stuff, for example, on Tomcat on his
personal box and then deploy the app with minimal hassle to shared test/production
servers that run, in our case, WebSphere & ServletExec. I'm sure a big chunk of the
current Tomcat realm APIs & implementation can be used as a base.

"Craig R. McClanahan" wrote:

> [EMAIL PROTECTED] wrote:
>
> > Hello!
> >
> > Has anyone considered whether it would be valuable to have roles defined
> > against the action definitions within struts-config.xml, and have the
> > controller servlet automatically validate whether the user is in the
> > necessary roles to execute the action prior to calling it? Has this been
> > proposed for 1.1?
> >
>
> I assume you're talking about the roles associated with security constraints in
> the web.xml file, right?  If so, that's a pretty interesting idea.  I will add
> it to the 1.1 TODO list.
>
> In the meantime, you can define security constraints in web.xml that protect
> each action individually (for example, a URL pattern of "/saveCustomer.do"), but
> it's pretty tedious.
>
> >
> > Regards,
> > James W.
> >
>
> Craig
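
The per-action protection Craig describes, written out as a web.xml fragment. This is an added example, not part of the thread; the role name `manager`, the second action `/deleteCustomer.do`, and the BASIC login method are assumptions chosen for illustration.

```xml
<!-- Fragment of WEB-INF/web.xml: one security-constraint per protected action. -->
<!-- Assumed for illustration: role "manager", action /deleteCustomer.do, BASIC auth. -->

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Save customer action</web-resource-name>
    <!-- Exact-match pattern: covers only this one action URL -->
    <url-pattern>/saveCustomer.do</url-pattern>
    <!-- No http-method elements, so the constraint applies to every method -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>
  </auth-constraint>
</security-constraint>

<!-- Every further action needs its own block (or its own url-pattern entry). -->
<!-- An action that is added later without one is reachable by any caller. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Delete customer action</web-resource-name>
    <url-pattern>/deleteCustomer.do</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>
  </auth-constraint>
</security-constraint>

<!-- The container, not Struts, authenticates the user and resolves roles -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Customer application</realm-name>
</login-config>

<!-- Roles referenced above must be declared here and mapped in the container's realm -->
<security-role>
  <role-name>manager</role-name>
</security-role>
```

Because the role list lives in web.xml while the action mappings live in struts-config.xml, the two files have to be kept in step by hand, which is the tedium the reply refers to.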
