Eddie & Vicc, Thanks for your help on this. It got me started in the right direction, and I found a solution that I thought I'd share in case it's useful to someone else.
In the end, I created a custom subclass of RequestProcessor that overrides processRoles() and always returns true. It's less than 10 lines of code in the end. This allows requests to reach my Action base class, which reads the action roles attributes and applies its own security logic.

Because the app was throwing me to the Tomcat authentication error pages, I thought that Tomcat container-managed security (CMS) was intercepting the messages. This was false, and started me down the blind alley of fiddling with constraints in web.xml. But when I chased all the references to ActionMapping.getRoles(), I found that Struts itself was invoking Tomcat's CMS by calling HttpServletRequest.isUserInRole() in the RequestProcessor class. Subclassing RequestProcessor solves this problem.

I expect it would also work to filter requests and override isUserInRole(). This is nice because it doesn't involve customizing Struts itself, but worries me because it prevents me from actually using CMS if I want to later on. Also, the filter class, the custom request subclass, and the web.xml configs leave more room for error.

Thanks for the help!

Alexis

Like following a trail of

--- Eddie Bush <[EMAIL PROTECTED]> wrote:
> Alexis Gallagher wrote:
>
> > Hello,
> >
> > I've gotten a lot of help just lurking on this list, so I'm hoping my
> > first question isn't too off base.
> >
> > I am trying to use the action "roles" parameter to define fine-grained
> > security constraints. However, these constraints will apply to security
> > roles which are defined programmatically within my webapp and which are
> > not registered with the server's security realm.
> >
> > So I'm wondering, is there a way to stop the server from checking the
> > "roles" parameter for its own purposes, so that I can hijack it for my
> > own?
> >
> > If I seem not just confused but totally off-base, I'll stick the gory
> > details of why I'm trying to do this in a P.S.
>
> You could write a filter and provide wrappers for the request that would
> let you override the important functions.
>
> > Thanks,
> > Alexis Gallagher
> >
> > p.s.
> > Why would I want to disable the server's check of security roles? Well,
> > in my system every user can belong to multiple projects, but he can only
> > browse one project at a time. A user has both a global security role
> > (admin vs. non-admin) but also a per-project security role (manager vs.
> > member, etc.).
> >
> > My understanding is that container-managed security is not intended to
> > support a situation where a user's role might change depending on their
> > position/session state (that is, what project they're browsing). Also,
> > container-managed security doesn't have a vendor-neutral realm
> > implementation.
> >
> > Nevertheless, it would be very convenient to declaratively configure all
> > these security constraints, and I can just put the security logic in my
> > action base class.
>
> Well, I think the thing to do would be to maybe come up with some
> additional roles for each project. No, wait, you'd have to be modifying
> your server config for every project. Nevermind that ...
>
> It smells like you really do need a custom solution. I think probably
> writing a filter to wrap the request so you can override isUserInRole
> would probably be the way to go. You could then implement that method
> (and any others you needed to) so that it would return the appropriate
> result - after having consulted your database. Ideally, what would happen
> is you would load all roles associated with the user in something (Map
> perhaps) and then just consult that (map.containsKey(roleName)). That way
> you're offsetting hitting the database for each request. Of course, if
> roles were added after a person logged in, they wouldn't have them loaded.
> The user would have to relog to effect the change.
>
> See version 2.3 of the servlet specification and the J2EE tutorial for
> information about writing a filter that would do what you need to do.
> You're looking at using a Filter and ... what is it called ...
> HttpServletRequestWrapper? That's close, I believe.
>
> I feel like maybe there's a better solution to this - but it doesn't occur
> to me what it might be. Hopefully someone else has further insight.
>
> --
> Eddie Bush
>
> --
> To unsubscribe, e-mail: <mailto:struts-user-unsubscribe@;jakarta.apache.org>
> For additional commands, e-mail: <mailto:struts-user-help@;jakarta.apache.org>
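The RequestProcessor approach Alexis describes, written out as an added example (not code from the thread or from Struts): processRoles() returns true so the container is never asked, and a base Action enforces the mapping's "roles" attribute against per-project roles held in the session, failing closed when none are loaded. The class names, the session key and the two-class layout are assumptions for illustration.

```java
// Added example, not from the thread. Register the processor in struts-config.xml:
//   <controller processorClass="com.example.AppRoleRequestProcessor"/>
// (Assumed names; in a real app each class lives in its own public .java file.)
import java.io.IOException;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.*;

/** Skips the container role check so the Action, not Tomcat, decides. */
public class AppRoleRequestProcessor extends RequestProcessor {
    protected boolean processRoles(HttpServletRequest request, HttpServletResponse response,
                                   ActionMapping mapping) throws IOException, ServletException {
        return true; // never calls HttpServletRequest.isUserInRole(); AppBaseAction enforces roles
    }
}

/** Every Action extends this, so no mapping with a "roles" attribute is reachable unchecked. */
abstract class AppBaseAction extends Action {
    // Assumed session key: a Set of role names the user holds in the currently open project,
    // loaded when the user switches project (the "Map of roles" idea from the thread).
    static final String ROLES_KEY = "currentProjectRoles";

    public final ActionForward execute(ActionMapping mapping, ActionForm form,
                                       HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        String[] required = mapping.getRoleNames(); // parsed from e.g. roles="manager,member"
        if (required != null && required.length > 0 && !hasAnyRole(request, required)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN); // fail closed
            return null;
        }
        return doExecute(mapping, form, request, response);
    }

    static boolean hasAnyRole(HttpServletRequest request, String[] required) {
        HttpSession session = request.getSession(false); // do not create a session here
        Set held = session == null ? null : (Set) session.getAttribute(ROLES_KEY);
        if (held == null) return false; // no project selected or roles not loaded: deny
        for (int i = 0; i < required.length; i++) {
            if (held.contains(required[i])) return true;
        }
        return false;
    }

    protected abstract ActionForward doExecute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception;
}
```

Because processRoles() now unconditionally returns true, a mapping whose Action does not extend AppBaseAction has no role check at all, so the base class must be the only Action parent in the app.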