I have implemented Struts in some projects and have found a need for doing declarative security. Much like your role-based security, I would like to define the security in the struts-config XML file, but I am looking at taking it a step further. I would appreciate any advice or pointers. This will be my first time getting deep into the Struts source code.
The problem I am trying to get a good solution for is redundant code checking conditions at the beginning of each action. If the user doesn't pass all the conditions, then they are rejected from the page. The rejection would be configurable to either show as a "page not found" or forward/redirect them to a specified page.

Here is what I was thinking the struts-config file might look like:

    <security-checker name="roleCheck" class="com.schehl.security.IsUserInRole" />

    <action path="/showMain" type="com.schehl.main.webapp.MainAction">
        <security name="roleCheck">
            <param>
                <param-name>allow-roles</param-name>
                <param-value>admin</param-value>
            </param>
            <param>
                <param-name>allow-users</param-name>
                <param-value>admin</param-value>
            </param>
            <failure path="/pages/no-access.jsp"/>
            <!-- failure response="no page" / -->
        </security>
        <forward name="success" path="/pages/main.jsp" />
    </action>

The class com.schehl.security.IsUserInRole would extend a class, com.strutssecurity.SecurityChecker, which would be responsible for setting the configuration parameters and would have a method boolean check(HttpRequest request) that would default to passing back true, but would be overridden to perform the checks.

I thank you so much for any and all help, advice, or redirection you can give me.

Thanks,
Micah J. Schehl
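One way the checker hierarchy sketched above could look in code. This is an added example, not code from the post or from any Struts security project: the class names SecurityChecker and IsUserInRole and the parameter names allow-roles and allow-users come from the post; the methods setParameters, getParameter, split and respondToFailure, and the comma-separated list format for the parameter values, are assumptions made here. It relies only on the Servlet API, and the failure handling is written to fail closed (no authenticated user, or no matching user or role, means denial).

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Both classes are shown in one file for the example; in a project each would
// live in its own file under its own package (com.strutssecurity, com.schehl.security).

/** Base class for every <security-checker>; holds the <param> values from struts-config. */
abstract class SecurityChecker {
    private Map<String, String> params = Collections.emptyMap();

    /** Called once when the config is loaded, with the <param-name>/<param-value> pairs (assumed hook). */
    public void setParameters(Map<String, String> params) {
        this.params = params;
    }

    protected String getParameter(String name) {
        return params.get(name);
    }

    /** Default lets everyone through; a concrete checker overrides this to deny. */
    public boolean check(HttpServletRequest request) {
        return true;
    }

    /**
     * Configurable rejection: with no failure path the action behaves as if it did not
     * exist (404); otherwise the request is forwarded to the configured page.
     */
    public static void respondToFailure(HttpServletRequest request, HttpServletResponse response,
                                        String failurePath) throws IOException, ServletException {
        if (failurePath == null) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
        } else {
            request.getRequestDispatcher(failurePath).forward(request, response);
        }
    }
}

/** Passes if the caller is a listed user or holds any listed role; otherwise denies. */
class IsUserInRole extends SecurityChecker {

    /** Splits "admin, operator" into a set; an absent or empty value means "nobody". */
    private static Set<String> split(String csv) {
        Set<String> out = new HashSet<String>();
        if (csv == null) {
            return out;
        }
        for (String item : csv.split(",")) {
            String trimmed = item.trim();
            if (!trimmed.isEmpty()) {
                out.add(trimmed);
            }
        }
        return out;
    }

    @Override
    public boolean check(HttpServletRequest request) {
        String user = request.getRemoteUser();
        if (user == null) {
            return false; // unauthenticated: fail closed rather than fall through to the action
        }
        if (split(getParameter("allow-users")).contains(user)) {
            return true;
        }
        for (String role : split(getParameter("allow-roles"))) {
            if (request.isUserInRole(role)) {
                return true;
            }
        }
        return false; // no explicit allow matched: deny
    }
}
```

Two points matter for this to be a real access control rather than a convenience: the check has to run before the action's execute() is reached for every request to that path (in Struts 1 a RequestProcessor subclass can veto a request from processPreprocess by returning false), and the JSPs the actions forward to, main.jsp included, should sit under WEB-INF so that a client cannot bypass the checker by requesting the page directly.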