Actually I was talking about page level role-checking, not role-based action
executing. Sorry for the misunderstanding. Here is the complete to-do list
item I intended to implement:

Enhance Role Checking. Enhance <logic:present> to accept a comma delimited
list of roles in the role attribute, and process the nested body content if
any of the listed roles were owned by the current user. A corresponding
change to <logic:notPresent> would process the nested body content only if
none of the listed roles were owned by the present user. [STRUTS-USER, David
Winterfeldt, 01/03/2001] 

James Bonaiuto

-----Original Message-----
From: Ted Husted [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 09, 2001 6:24 AM
To: [EMAIL PROTECTED]
Subject: Re: Struts 1.1 To-Do - Enhance role checking


I've posted this to More About Struts as a ZIP file with Matthias's
source code and the original post.

< http://www.husted.com/about/struts/resources.htm#new >

Matthias Bauer wrote:
> 
> Hi James, hi Craig
> 
> I am not very happy with your approach, because it intermixes presentation
> with logic. What you do is: You check in the JSP page whether a user is in a
> specific role. But what you really want to do is to check if a user has the
> right permissions BEFORE an action is executed.
> 
> So what you really want to have is a parameter in your action mappings,
> like this:
> 
>   <!-- Display change password page -->
> <action path="/displayPasswordChange"
>            type="SuccessAction">
> <set-property property="authtype" value="AnyUserAuthentication"/>
> <forward name="success" path="/passwordChange.jsp" />
> </action>
> 
> The parameter authtype specifies a class that provides a check method. If
> the check method returns true, the action is executed, otherwise it forwards
> to a global forward like this:
> 
>   <!-- this happens, when an authentication exception is thrown -->
> <forward name="authenticationexception" path="/authenticationException.jsp" />
> 
> I think this approach would meet the TODO item much better, because it
> says: "Add the ability to require the current user to be in a particular
> security role before they can execute a particular ACTION."
> 
> Together with a colleague I have already implemented some enhancements that
> provide this feature along with some rudimentary workflow control.
> 
> I sent the code out several weeks ago as a response to a thread titled
> "Workflow RFC" and I know some people were pretty interested to use it. In
> the meantime we have further enhanced it.
> 
> In order to get an idea what our enhancement is doing, I attached the
> README file which describes our changes.
> 
> What do you think?
> 
> --- Matthias
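
The two checks discussed in this thread, sketched as an added example that is not code from any of the posts or from Struts: a comma-delimited role list matched with any-of semantics, and a gate that picks the forward before the action runs. The names `RoleGate`, `parseRoles`, `anyRole`, `noRole` and `gate` are hypothetical, and the `Predicate<String>` stands in for the servlet container's `HttpServletRequest.isUserInRole`.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.function.Predicate;

public class RoleGate {

    /** Split "admin, auditor" into trimmed, non-empty role names. */
    static List<String> parseRoles(String attr) {
        List<String> roles = new ArrayList<>();
        if (attr == null) {
            return roles;
        }
        for (String raw : attr.split(",")) {
            String role = raw.trim();
            if (!role.isEmpty()) {
                roles.add(role);
            }
        }
        return roles;
    }

    /** Any-of semantics: an empty or blank list matches nobody, so the check fails closed. */
    static boolean anyRole(String attr, Predicate<String> isUserInRole) {
        for (String role : parseRoles(attr)) {
            if (isUserInRole.test(role)) {
                return true;
            }
        }
        return false;
    }

    /** None-of semantics, the counterpart used for hiding page content. */
    static boolean noRole(String attr, Predicate<String> isUserInRole) {
        return !anyRole(attr, isUserInRole);
    }

    /** Controller-side gate: choose the forward before the action body executes. */
    static String gate(String requiredRoles, Predicate<String> isUserInRole) {
        return anyRole(requiredRoles, isUserInRole) ? "success" : "authenticationexception";
    }

    public static void main(String[] args) {
        // Constructed sample user who holds only the "clerk" role.
        Predicate<String> user = Set.of("clerk")::contains;
        System.out.println(gate("admin, clerk", user));
        System.out.println(gate("admin,auditor", user));
        System.out.println(gate(" , ", user));
    }
}
```

Hiding markup with `noRole` changes only what the page renders; the `gate` decision is the one that keeps a direct request to the action path from executing.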
