On Tue, 11 Dec 2001, Phase Communcations wrote:

> Date: Tue, 11 Dec 2001 16:43:47 -0700
> From: Phase Communcations <[EMAIL PROTECTED]>
> Reply-To: Struts Developers List <[EMAIL PROTECTED]>
> To: Struts Developers List <[EMAIL PROTECTED]>
> Subject: RE: role based actions
>
> One last thing. When a security check happens and the user is forwarded to
> the login. Their desired destination is stored and once their security is
> verified they are forwarded on to that page.
>

IMHO, doing an "application managed login" mechanism is somewhat different
than "role based actions".  In the latter case, we're simply using the
existing container managed security mechanism (i.e. form-based login, or
BASIC, or whatever you choose) to authenticate the user, and then calling
isUserInRole() to see if they can get to the requested action.  In this
environment, the only interesting decision is "what happens if the user
does not have the required role".   (I vote for throwing a 403 "Forbidden"
error, which is exactly what the container would do if you used a security
constraint -- and the app can override the look and feel by declaring an
error page.)

We can also look at building a scheme for an app to manage its own login,
but that is one of the things that is *much* easier to support using the
Filter API from Servlet 2.3.

Craig
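The two mechanisms Craig contrasts, written up as one added Java example (this is not Struts code and not code from anyone in the thread). It is a Servlet 2.3 Filter: when the container has already authenticated the user, the only decision left is the role check, answered with a 403; when there is no principal at all, it falls back to the "application managed login" flow from the quoted message, saving the requested path in the session and redirecting to a login page. The filter name, the `roles` init-param format, the `/login.jsp` location and the session attribute name are all assumptions.

```java
// Added example, not from Struts or the thread: role-based action guard
// plus an application-managed login fallback, as a Servlet 2.3 Filter.
import java.io.IOException;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class RoleActionFilter implements Filter {

    // Session attribute holding the destination to return to after login
    // (name is an assumption).
    static final String SAVED_PATH = "roleActionFilter.savedPath";

    // Assumed login page for the application-managed case.
    static final String LOGIN_PAGE = "/login.jsp";

    // Path prefix -> required role, e.g. "/admin" -> "admin".
    // Filled from an init-param here; a real deployment would take this
    // from the action configuration instead.
    private final Map requiredRoles = new HashMap();

    public void init(FilterConfig cfg) throws ServletException {
        // Assumed init-param format: "/admin=admin,/reports=manager"
        String spec = cfg.getInitParameter("roles");
        if (spec == null) return;
        String[] entries = spec.split(",");
        for (int i = 0; i < entries.length; i++) {
            int eq = entries[i].indexOf('=');
            if (eq > 0) {
                requiredRoles.put(entries[i].substring(0, eq).trim(),
                                  entries[i].substring(eq + 1).trim());
            }
        }
    }

    public void destroy() {
        requiredRoles.clear();
    }

    public void doFilter(ServletRequest req, ServletResponse res,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String role = requiredRole(request.getServletPath());
        if (role == null) {
            chain.doFilter(req, res);          // unprotected action
            return;
        }

        if (request.getUserPrincipal() == null) {
            // Nobody is logged in: application-managed login. Remember only
            // the server-relative path (never a full URL), so the value we
            // later redirect to cannot point off-site.
            String dest = request.getRequestURI();
            if (request.getQueryString() != null) {
                dest = dest + "?" + request.getQueryString();
            }
            HttpSession session = request.getSession(true);
            session.setAttribute(SAVED_PATH, dest);
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }

        if (!request.isUserInRole(role)) {
            // Authenticated but not authorized: same answer the container
            // gives for a security-constraint, overridable via an error-page.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        chain.doFilter(req, res);              // role satisfied, run the action
    }

    // Longest matching prefix wins, so "/admin/users" is governed by "/admin".
    private String requiredRole(String servletPath) {
        String best = null;
        String bestRole = null;
        for (Iterator it = requiredRoles.entrySet().iterator(); it.hasNext();) {
            Map.Entry e = (Map.Entry) it.next();
            String prefix = (String) e.getKey();
            if (servletPath.startsWith(prefix)
                    && (best == null || prefix.length() > best.length())) {
                best = prefix;
                bestRole = (String) e.getValue();
            }
        }
        return bestRole;
    }
}
```

After a successful application login, the login action reads `SAVED_PATH` from the session, removes it, and redirects there (falling back to a default page when it is absent). Because the filter only ever stores a path taken from the current request's own URI, the post-login redirect stays inside the application, which is the check a reviewer would want to see in any "remember where the user was going" scheme.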

