There have been several discussions on this list about how security should be loosely coupled with the ActionServlet itself (a filter on top of the application), but I am curious to know the best practicing for handling the following type of case.
Assume I have an action with a path of /EditAccount. Naturally if a user is not logged in, this path should be protected via filtering. However, /EditAccount has two purposes, one for the regular user to edit his/her own account, but also for the administrator to edit any user account via the query string ?user=username. In this case, I have to check in the action class if the user is allowed to take on the role of another user in which case the form is populated with that user's data or, if not, the form should populate with the user's own data.
Is this something that is reasonable to do in the action, or should I create another action path /EditUserAccount?user=username and filter that to only admins and then forward to the /EditAccount once the proper credientials have been established, hence relieving the action behind /EditAccount from looking at any roles?
Assuming that you are using container-managed security and roles, you can do it with one action by having the action ignore the user parameter unless the user is an administrator. You can check if the user is an administrator using
if (request.isUserInRole("whatever-you-named-the-admin-role")).
If the user is not an administrator, you can use request.getRemoteUser() to get the user id and then populate the form based on the user's own data. Here is a similar example:
if ((frm.getDeskPhone() != null) &&
(request.isUserInRole(Constants.ADMINISTRATOR))) {
rd.setDeskPhone(frm.getDeskPhone());
rd.retrieveByPhone();
} else {
rd.setUid(request.getRemoteUser());
rd.retrieveByUid();
}...use rd to populate current profile data onto frm...
In this example, the "deskPhone" parameter is what the admin uses to loookup a user. The rd object is an entity-like bean that represents a user.
If you decide to use separate Actions for admins and users -- eliminating the need for the conditional logic above -- you should make sure NOT to leave the user parameter in the queryString for the non-administrators or to add a check in the non-admin action to make sure that the user is editing his/her own profile. In this case, you should also encapsulate the common elements that both "editAccount" actions will share.
Which approach is best depends on the complexity of the application and how you expect it to evolve over time. The second approach -- different actions for admins -- is more flexible but a little more work to implement.
hth,
Phil
Dan
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
