Hi James.
You are right, I referred to the wrong requirement. Sorry for that. For the
requirement you stated, your solution is probably perfectly ok.
--- Matthias
BONAIUTO,JAMES (HP-NewJersey,ex1) wrote:
> Matthias - I believe you are referring to a different to-do list item. You
> speak in reference of an item that says "Role-Based Action Execution. Add
> the ability to require the current user to be in a particular security role
> before they can execute a particular action". I am speaking of the to-do
> list item that says, "Enhance Role Checking. Enhance <logic:present> to
> accept a comma delimited list of roles in the role attribute, and process
> the nested body content if any of the listed roles were owned by the
> current user. A corresponding change to <logic:notPresent> would process the
> nested body content only if none of the listed roles were owned by the
> present user." That being said, does my solution look acceptable?
>
> James Bonaiuto
>
> -----Original Message-----
> From: Matthias Bauer [mailto:[EMAIL PROTECTED]]
> Sent: Monday, July 09, 2001 4:38 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
> [EMAIL PROTECTED]
> Subject: Re: Struts 1.1 To-Do - Enhance role checking
>
>
> Hi James, hi Craig
>
> I am not very happy with your approach, because it intermixes presentation
> with logic. What you do is: You check in the JSP page whether a user is in a
> specific role. But what you really want to do is to check if a user has the
> right permissions BEFORE an action is executed.
>
> So what you really want to have is a parameter in your action mappings, like
> this:
>
>
> <!-- Display change password page -->
> <action path="/displayPasswordChange"
> type="SuccessAction">
> <set-property property="authtype" value="AnyUserAuthentication"/>
> <forward name="success" path="/passwordChange.jsp" />
> </action>
>
>
> The parameter authtype specifies a class that provides a check method. If
> the check method returns true, the action is executed, otherwise it forwards
> to a global forward like this:
>
>
> <!-- this happens, when an authentication exception is thrown -->
> <forward name="authenticationexception" path="/authenticationException.jsp" />
>
>
> I think this approach would meet the TODO item much better, because it says:
>
> "Add the ability to require the current user to be in a particular security
> role before they can execute a particular ACTION."
>
> Together with a colleague I have already implemented some enhancements that
> provide this feature along with some rudimentary workflow control.
>
> I sent the code out several weeks ago as a response to a thread titled
> "Workflow RFC" and I know some people were pretty interested to use it. In
> the meantime we have further enhanced it.
>
> In order to get an idea what our enhancement is doing, I attached the README
> file which describes our changes.
>
> What do you think?
>
>
> --- Matthias
>
>
> Craig R. McClanahan wrote:
>
>
>>On Wed, 27 Jun 2001, BONAIUTO,JAMES (HP-NewJersey,ex1) wrote:
>>
>>
>>
>>>sorry, here's the example:
>>><logic:present role="admin,user,manager" >
>>> <bean:write key="confirm.authorized" />
>>></logic:present>
>>>
>>I assume this means you'd write the authorized message if
>>request.isUserInRole() returned true for any of the listed role
>>names? Likewise, the body of <logic:notPresent> would be processed if
>>isUserInRole() returned false for any of the listed role names?
>>
>>Makes sense to me.
>>
>>
>>
>>>James Bonaiuto
>>>
>>>
>>>
>>Craig
>>
>>
>>
>>
>>>-----Original Message-----
>>>From: BONAIUTO,JAMES (HP-NewJersey,ex1) [mailto:[EMAIL PROTECTED]]
>>>Sent: Wednesday, June 27, 2001 3:25 PM
>>>To: [EMAIL PROTECTED]
>>>Subject: Struts 1.1 To-Do - Enhance role checking
>>>
>>>
>>>I would like to extend the <logic:present> and <logic:notPresent> tags to
>>>accept a comma-delimited list of roles in the role attribute, like this:
>>> <logic:present
>>>
>>>Is this an acceptable solution to the to-do list item? If so, I'd like to
>>>make that change.
>>>
>>>James Bonaiuto
>>>
>>>
>>>
>
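
The role matching described in the to-do item quoted in this thread (process the body of <logic:present> if any listed role is owned, and of <logic:notPresent> only if none is), as an added example that is not part of the original messages or of the Struts code base. The class and method names are hypothetical, a Predicate stands in for request.isUserInRole(), and rejecting an empty role list is a choice made for this example so that a blank attribute cannot pass the none-of check vacuously.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.function.Predicate;

public class RoleListCheck {

    /** Split a comma-delimited role attribute, trimming blanks and dropping empty tokens. */
    static List<String> parseRoles(String attr) {
        List<String> roles = new ArrayList<>();
        if (attr == null) return roles;
        for (String token : attr.split(",")) {
            String role = token.trim();
            if (!role.isEmpty()) roles.add(role);
        }
        return roles;
    }

    /** "present" semantics from the to-do item: true if ANY listed role is owned. */
    static boolean anyRole(String attr, Predicate<String> isUserInRole) {
        for (String role : parseRoles(attr)) {
            if (isUserInRole.test(role)) return true;
        }
        return false; // also the result for an empty list: nothing is rendered
    }

    /** "notPresent" semantics: true only if NONE of the listed roles is owned. */
    static boolean noRole(String attr, Predicate<String> isUserInRole) {
        // Example's choice: "none of zero roles" would be vacuously true, so refuse it.
        if (parseRoles(attr).isEmpty()) {
            throw new IllegalArgumentException("role attribute lists no roles");
        }
        return !anyRole(attr, isUserInRole);
    }

    public static void main(String[] args) {
        // Constructed sample: the current user owns only the "user" role.
        Set<String> owned = Set.of("user");
        Predicate<String> inRole = owned::contains; // stand-in for request::isUserInRole
        System.out.println("present  admin, user,manager: " + anyRole("admin, user,manager", inRole));
        System.out.println("notPresent admin,manager:     " + noRole("admin,manager", inRole));
        System.out.println("notPresent admin,user:        " + noRole("admin,user", inRole));
        System.out.println("present  blank list:          " + anyRole(" , ", inRole));
    }
}
```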