Hi,

Role validation is already implemented in the RequestProcessor portion of the "Controller" via the RequestProcessor.processRoles method.

Take a look at the processRoles code (great thing about OpenSource), but in a nutshell, processRoles:

1. checks the ActionMapping to see if roles are configured for authorization to the requested Action.
2. If no roles are defined in the ActionMapping, then processRoles returns true and the RequestProcessor continues as normal, processing the requested Action.
3. If roles are defined, the request.isUserInRole method is used to have the container determine what roles the authenticated user is a member of.
4. If the user is a member of an authorized role (from the ActionMapping), then processRoles returns true and processing continues as normal.
5. If the user is NOT a member of an authorized role, processRoles writes an HTTP 400 error to the HttpServletResponse with a message and returns false, so Struts processing does not continue.

I would imagine that to customize a Struts response for the 400 error, you could configure an

  <error-page>
    <error-code>400</error-code>
    <location>/struts-mapping/struts-action</location>
  </error-page>

or you could override processRoles to do some other custom response.

Jason

-----Original Message-----
From: rainer juenger [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 16, 2002 9:39 AM
To: Struts Users Mailing List
Subject: Re: Authentication, Authorization in Struts 1.1

Hi,

> Every container will provide its own mechanisms to do that sort of thing.
> But your application just protects things in terms of roles, and will run
> on any such container.

but does that mechanism work sort of automatically? Or do I have to implement it within the Controller? e.g.:

  if (mapping.getRoles() = ContainerSecurity.getUserRole()) mapping.findForward("gothere")

If it works automatically, what happens when the access is not allowed for the user?

> > Regards,
> > Amit
> > Craig

thanks,
Rainer

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
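One way to take the second route Jason mentions (overriding processRoles), as an added example that is not from this thread or from the Struts source: it keeps the container's isUserInRole check and the "no roles configured" short-circuit, but answers a denied request with 403 and a log line instead of the stock 400. The package, class and log names are assumptions; the processor is registered with `<controller processorClass="..."/>` in struts-config.xml.

```java
// Added example (not from the thread or the Struts code base): a custom
// Struts 1.1 RequestProcessor whose processRoles keeps the container-based
// role check but logs the denial and answers 403 instead of 400.
// Package and class names are assumptions.
package com.example.struts;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

public class RoleCheckingRequestProcessor extends RequestProcessor {

    private static final Log log =
        LogFactory.getLog(RoleCheckingRequestProcessor.class);

    protected boolean processRoles(HttpServletRequest request,
                                   HttpServletResponse response,
                                   ActionMapping mapping)
            throws IOException, ServletException {

        // Step 1/2 of the stock behaviour: a mapping with no roles
        // attribute is open to every caller.
        String[] roles = mapping.getRoleNames();
        if (roles == null || roles.length == 0) {
            return true;
        }

        // Step 3/4: membership is decided by the container, so the
        // application stays portable across servlet containers.
        for (int i = 0; i < roles.length; i++) {
            if (request.isUserInRole(roles[i])) {
                return true;
            }
        }

        // Step 5, customized: record who was refused which action
        // (getRemoteUser() is null for unauthenticated callers), then
        // send 403 Forbidden and stop Struts processing.
        String user = request.getRemoteUser();
        log.warn("Role check failed for " + (user == null ? "anonymous" : user)
                 + " on action " + mapping.getPath());
        response.sendError(HttpServletResponse.SC_FORBIDDEN,
                           "Not authorized for action " + mapping.getPath());
        return false;
    }
}
```

Register it in struts-config.xml with `<controller processorClass="com.example.struts.RoleCheckingRequestProcessor"/>`, and the `roles="..."` attribute on each `<action>` mapping supplies the list that getRoleNames() returns.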

