On Thu, 18 Apr 2002, Dennis Doubleday wrote:
> Date: Thu, 18 Apr 2002 10:56:11 -0400
> From: Dennis Doubleday <[EMAIL PROTECTED]>
> Reply-To: Struts Users Mailing List <[EMAIL PROTECTED]>
> To: 'Struts Users Mailing List' <[EMAIL PROTECTED]>
> Subject: Struts declarative security policy? (was RE: Struts example -
> redundant login checking?)
>
> Seems to me that neither the jsp nor the action is the correct place to
> enforce a security policy. It means both page designers and developers
> have to remember to do it every time.
>
I agree. A major purpose for the Struts example app is to ensure that you
have Struts installed correctly, and I wanted to minimize the amount of
container configuration you might have to do.

> There ought to be (is there?) a mechanism for declaring a security
> policy which can be referenced in struts-config.xml; i.e. access control
> is just another property of an action mapping.
>
That is what container managed security, configured with the
<security-constraint> element in your /WEB-INF/web.xml file, is all about.
Details of the supported syntax are in the Servlet Specification
<http://java.sun.com/products/servlet/download.html>.

Mechanisms for setting up users, and assigning roles to them, depend on
the container you are running, so you'll need to consult its
documentation. For example, in a default Tomcat installation, you do this
by editing the file "conf/tomcat-users.xml".

If you choose to use the container-managed security capabilities, Struts
offers you role-based actions and role-based templating options. Your
actions can themselves be sensitive to what role(s) a logged-on user is in
by calling request.isUserInRole().

Craig
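
Added example, not part of the original message or of the Struts example app: a /WEB-INF/web.xml fragment showing the kind of <security-constraint> declaration the reply refers to. The URL pattern, the role name "registered" and the two page paths are assumptions chosen for illustration.

```xml
<!-- Fragment of /WEB-INF/web.xml, elements in the order the Servlet 2.3
     DTD expects. URL pattern, role name and page paths are hypothetical. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected actions and pages</web-resource-name>
    <!-- One pattern covers both the actions and the JSPs mapped under it,
         so neither has to repeat a login check. -->
    <url-pattern>/secure/*</url-pattern>
    <!-- No <http-method> elements on purpose: the constraint then applies
         to every HTTP method. If methods are listed, requests using an
         unlisted method are not covered by this constraint. -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Only users the container places in this role get through. -->
    <role-name>registered</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Ask the container to require a protected transport (SSL). -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <!-- The login form must POST j_username and j_password
         to j_security_check, as the Servlet Specification defines. -->
    <form-login-page>/logon.jsp</form-login-page>
    <form-error-page>/logonError.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- Declares the role name used above and in request.isUserInRole(). -->
<security-role>
  <role-name>registered</role-name>
</security-role>
```

The container applies these constraints to the incoming client request only, not to RequestDispatcher forwards or includes, so an action mapped outside the protected pattern that forwards to a page inside it is not stopped by this declaration.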