On Thu, 5 Dec 2002, Steve Vanspall wrote:

> Date: Thu, 5 Dec 2002 10:03:42 +1100
> From: Steve Vanspall <[EMAIL PROTECTED]>
> Reply-To: Struts Users Mailing List <[EMAIL PROTECTED]>
> To: Struts User Mailing List <[EMAIL PROTECTED]>
> Subject: Restrict acces to certain pages/actions
>
> Hi there,
>
> I was wondering if struts had some mechanism to restrict access according to
> user level.
>
> Basically our users may be of varying levels in our system. From customer
> to administrator.
>
> This is defined by a column in a table in our database.
>
> Each user should have differing levels of access to the web app.
>
> For example a customer can change his/her details, but not search/view any
> other customer.
>
> Naturally a customer also won't have access to the administration section of
> the web-app.
>
> I can code up a restriction system. But was wondering if struts already had
> one that I could customise for my own needs.
>

The normal advice is to use the container managed security provided by
your servlet container, and set things up so that your "user levels"
correspond to "roles" in the security constraints.  Then, you can use the
"role" attribute on your <action> elements to restrict which users can
actually call a particular action (i.e. your administrative ones), and/or
use security constraints in the web.xml file to limit which JSP pages can
be accessed based on role.

How you map the container's security mechanisms to your database of users
is container dependent.  For example, if you're using Tomcat it's pretty
easy to use JDBCRealm and configure it to talk to your user database
tables when it authenticates users for you.

>
> Any help would be appreciated
>
> Regards
>
> Steve Vanspall
>

Craig
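
The setup described in the reply above, as an added configuration sketch that is not part of the original message and not taken from the Struts or Tomcat distributions. The role names, URL paths, action classes, JDBC driver and URL, and the table and column names are assumptions; it also assumes the user level is a column of the same table that holds the login name, so the realm's role lookup points back at that table.

```xml
<!-- WEB-INF/web.xml (Servlet 2.3): container-enforced URL constraints -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Administration section</web-resource-name>
    <!-- covers JSPs under /admin/ and actions such as /admin/listUsers.do -->
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Own account pages</web-resource-name>
    <url-pattern>/account/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>customer</role-name>
    <role-name>administrator</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role><role-name>customer</role-name></security-role>
<security-role><role-name>administrator</role-name></security-role>

<!-- WEB-INF/struts-config.xml: per-action check (attribute is "roles" in the 1.1 DTD) -->
<action path="/admin/listUsers" type="com.example.admin.ListUsersAction"
        roles="administrator"/>
<action path="/account/editDetails" type="com.example.account.EditDetailsAction"
        roles="customer,administrator"/>

<!-- Tomcat conf/server.xml: authenticate against the application's user table -->
<!-- connectionName/connectionPassword are placeholders; user_pass holds digests -->
<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="org.gjt.mm.mysql.Driver"
       connectionURL="jdbc:mysql://localhost/appdb"
       connectionName="REALM_DB_USER" connectionPassword="REALM_DB_PASSWORD"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="users" roleNameCol="user_level"
       digest="SHA-256"/>
```

Role checks decide who may call an action, not which customer record it touches; an action like the hypothetical EditDetailsAction still has to select the record by request.getRemoteUser() rather than by a request parameter.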

