This is the approach that I have used. Each of my actions declared in struts-config performs a specific function that a user can be authorised to use.
I keep a database table of permissions, roles, and groups. The Perform method of each Action checks for 1 or more permissions before allowing execution. If a permission is not present, it forwards to an error page with a message. Permissions are placed in a User object in the session when a user authenticates to the app. A role can be made up of 1 to many permissions. I assign roles to groups and users to groups. That's how I determine which permissions a user has after authentication.

Constructive criticism or questions are welcome. :)

Jacques

-----Original Message-----
From: Rao, Nagraj [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 12, 2003 9:53 AM
To: 'Struts Users Mailing List'
Subject: RE: Any good sugestions on implementing Security

Well the best approach I can think of is to keep it separate from the MVC model. You could use a FilterServlet to handle security, which then forwards the request to the Struts framework. Thus making it more "pluggable", than "embedded"

-----Original Message-----
From: Ntolios Christos [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 12, 2003 9:38 AM
To: Struts Users Mailing List
Subject: Any good sugestions on implementing Security

Hi folks,

I was wondering which would be the best approach on implementing security? Basically I have an application and I only want specific groups of people to have access and I want it to be dynamic. I thought of changing the ActionMappings to have an extra attribute of the groups that satisfy the conditions. Has anybody tried this?

Thanks in advance
chris
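
The permission model described in the first message of this thread (users in groups, roles assigned to groups, permissions resolved once at authentication and checked at the top of each action), as an added example that is not code from the thread or from Struts. It uses plain Java with in-memory maps standing in for the database tables, and a `perform` method standing in for the check inside each Action; all class, user and permission names are hypothetical.

```java
import java.util.*;

// Added illustration: class, user and permission names are hypothetical.
public class PermissionCheckDemo {

    /** Session-scoped user holding the permissions resolved at login. */
    static final class User {
        private final Set<String> permissions;
        User(Set<String> permissions) {
            // Defensive copy so later code cannot widen the granted set.
            this.permissions = Collections.unmodifiableSet(new HashSet<>(permissions));
        }
        /** True only if at least one permission is required and all are held. */
        boolean hasAll(String... required) {
            return required.length > 0 && permissions.containsAll(Arrays.asList(required));
        }
    }

    // Constructed sample data standing in for the database tables.
    static final Map<String, Set<String>> USER_GROUPS = new HashMap<>();
    static final Map<String, Set<String>> GROUP_ROLES = new HashMap<>();
    static final Map<String, Set<String>> ROLE_PERMISSIONS = new HashMap<>();
    static {
        USER_GROUPS.put("alice", set("accounting"));
        GROUP_ROLES.put("accounting", set("invoice-clerk"));
        ROLE_PERMISSIONS.put("invoice-clerk", set("invoice.view", "invoice.create"));
    }
    static Set<String> set(String... v) { return new HashSet<>(Arrays.asList(v)); }

    /** Run once at authentication: user -> groups -> roles -> permissions. */
    static User authenticate(String username) {
        Set<String> perms = new HashSet<>();
        for (String g : USER_GROUPS.getOrDefault(username, Collections.emptySet()))
            for (String r : GROUP_ROLES.getOrDefault(g, Collections.emptySet()))
                perms.addAll(ROLE_PERMISSIONS.getOrDefault(r, Collections.emptySet()));
        return new User(perms);
    }

    /** The check each action runs first; returns the name of the forward to follow. */
    static String perform(User sessionUser, String... required) {
        // No user in the session, or any required permission missing: deny.
        if (sessionUser == null || !sessionUser.hasAll(required)) return "error";
        return "success";
    }

    public static void main(String[] args) {
        User alice = authenticate("alice");
        System.out.println(perform(alice, "invoice.view"));
        System.out.println(perform(alice, "invoice.view", "invoice.delete"));
        System.out.println(perform(null, "invoice.view"));
        System.out.println(perform(authenticate("mallory"), "invoice.view"));
    }
}
```

Because the permission set is copied into the session object at login, a role change in the database takes effect for a user only when that session is rebuilt.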