I, for one, love the way these options are available. They provide a mechanism to do whatever you need, I think.
At 01:46 PM 4/20/02 -0700, you wrote:
>On Thu, 18 Apr 2002, Dennis Doubleday wrote:
>
> > Date: Thu, 18 Apr 2002 10:56:11 -0400
> > From: Dennis Doubleday <[EMAIL PROTECTED]>
> > Reply-To: Struts Users Mailing List <[EMAIL PROTECTED]>
> > To: 'Struts Users Mailing List' <[EMAIL PROTECTED]>
> > Subject: Struts declarative security policy? (was RE: Struts example -
> >     redundant login checking?)
> >
> > Seems to me that neither the jsp nor the action is the correct place to
> > enforce a security policy. It means both page designers and developers
> > have to remember to do it every time.
> >
>
>I agree. A major purpose for the Struts example app is to ensure that you
>have Struts installed correctly, and I wanted to minimize the amount of
>container configuration you might have to do.
>
> > There ought to be (is there?) a mechanism for declaring a security
> > policy which can be referenced in struts-config.xml; i.e. access control
> > is just another property of an action mapping.
> >
>
>That is what container managed security, configured with the
><security-constraint> element in your /WEB-INF/web.xml file, is all about.
>Details of the supported syntax are in the Servlet Specification
><http://java.sun.com/products/servlet/download.html>.
>
>Mechanisms for setting up users, and assigning roles to them, depend on
>the container you are running, so you'll need to consult its
>documentation. For example, in a default Tomcat installation, you do this
>by editing the file "conf/tomcat-users.xml".
>
>If you choose to use the container-managed security capabilities, Struts
>offers you role-based actions and role-based templating options. Your
>actions can themselves be sensitive to what role(s) a logged-on user is in
>by calling request.isUserInRole().
>
>Craig
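
The container-managed security described in the quoted message, as an added example that is not part of the original messages: a fragment of /WEB-INF/web.xml that puts the access-control policy in one declarative place instead of in each JSP or action. The *.do mapping, the role name "registered" and the logon page paths are assumptions chosen for illustration.

```xml
<!-- Added example: fragment of /WEB-INF/web.xml (Servlet 2.3 element order).
     Role name, resource name and page paths are assumptions. -->

<!-- Weak form, shown only for contrast: naming HTTP methods limits the
     constraint to those methods, so a request using any other method
     reaches the same action without a role check.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Struts actions</web-resource-name>
    <url-pattern>*.do</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>registered</role-name>
  </auth-constraint>
</security-constraint>
-->

<!-- Preferred form: no <http-method> elements, so every method is covered. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Struts actions</web-resource-name>
    <url-pattern>*.do</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>registered</role-name>
  </auth-constraint>
  <!-- Require an encrypted transport for the protected requests. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Form-based login; the logon page itself must stay outside the protected pattern. -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/logon.jsp</form-login-page>
    <form-error-page>/logonError.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- Every role named in an auth-constraint is declared here. -->
<security-role>
  <role-name>registered</role-name>
</security-role>
```

The role still has to be assigned to users in the container's own store (conf/tomcat-users.xml in a default Tomcat installation, as the quoted message says). Constraints match the incoming request URL, so JSPs that can be requested directly need their own url-pattern or should sit under /WEB-INF.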

