I hope to give my 2 cents here. What I'm going to do (therefore what I would suggest you do) is to create a custom tag like <xSecurity:isUser userName="username" /> which I'll use in my JSP to present the user some contents instead of some others. The background is that I had to create an application-specific user authentication service, based on an XML configuration file and commons-digester parsing, to validate the user's login information against the information contained in the XML configuration file.
The process looks like the following:

1) XML user's configuration file -> XML file containing the user's login info, like username, password and role
2) User Service -> A business service which, given the user's login credentials, returns true if those match the XML configuration file info, otherwise returns false
3) Login Action -> Uses the User Service and, if the user has the right credentials, CREATES a session attribute with the user details stating that the user has the right credentials
4) Tag library -> Retrieves the session attribute for the user (not the container one, but the application one, from the Form declared in session scope!); if it doesn't exist (meaning that the user hasn't logged in successfully) returns something like SKIP_BODY or EVAL_BODY

I had the need for that because I didn't want to bind, let's say, a Tomcat user with my application user.

Now, thinking of putting this custom tag at the beginning and at the end of what is crucial to your application, it could work fine; in your case:

<!-- userName here can have the value of 'Administrator' -->
<xSecurity:isUser userName="userName">
  <html:link action="yourAction.do?isAdmin=true" />
</xSecurity:isUser>

<!-- userName here can have any other value -->
<xSecurity:isUser userName="userName">
  <html:link action="yourAction.do" />
</xSecurity:isUser>

Or something similar... I haven't implemented the model yet, so these are only ideas.

Regards,
Marco

> -----Original Message-----
> From: Dan Allen [mailto:[EMAIL PROTECTED]
> Sent: Sunday, March 23, 2003 7:04 PM
> To: Struts-User List
> Subject: case study with security
>
>
> There have been several discussions on this list about how
> security should be loosely coupled with the ActionServlet
> itself (a filter on top of the application), but I am curious
> to know the best practice for handling the following type of case.
>
> Assume I have an action with a path of /EditAccount.
> Naturally if a user is not logged in, this path should be
> protected via filtering. However, /EditAccount has two
> purposes, one for the regular user to edit his/her own
> account, but also for the administrator to edit any user
> account via the query string ?user=username. In this case, I
> have to check in the action class if the user is allowed to
> take on the role of another user, in which case the form is
> populated with that user's data or, if not, the form should
> populate with the user's own data.
>
> Is this something that is reasonable to do in the action, or
> should I create another action path
> /EditUserAccount?user=username and filter that to only admins
> and then forward to the /EditAccount once the proper
> credentials have been established, hence relieving the
> action behind /EditAccount from looking at any roles?
>
> Dan
>
> --
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Daniel Allen, <[EMAIL PROTECTED]>
> http://www.mojavelinux.com/
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> "If you are going to play the game of trial and error,
> don't be surprised when the results are revealing. -- me"
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
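The split the two messages describe, a tag that only decides what the JSP shows and an action that decides what the request may actually do, as an added example that is not code from either poster. It assumes Struts 1.1's Action.execute, a hypothetical AppUser object stored in the session under an assumed attribute name, and assumed forward names "login" and "success".

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.TagSupport;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

// Assumed shape of the "user details" object the login action puts in the session.
class AppUser {
    private final String username, role;
    AppUser(String username, String role) { this.username = username; this.role = role; }
    String getUsername() { return username; }
    boolean isAdmin() { return "Administrator".equals(role); }
}

// Presentation only: evaluates its body when the application user in the session
// (not the container user) has the given name. A hidden link is not an access check.
class IsUserTag extends TagSupport {
    static final String SESSION_KEY = "appUser";   // assumed attribute name
    private String userName;
    public void setUserName(String userName) { this.userName = userName; }
    public int doStartTag() throws JspException {
        AppUser u = (AppUser) pageContext.getSession().getAttribute(SESSION_KEY);
        return (u != null && u.getUsername().equals(userName)) ? EVAL_BODY_INCLUDE : SKIP_BODY;
    }
}

// /EditAccount: the ?user= parameter is honoured only for administrators; anyone
// else gets their own account, as the question describes. Decided here, not in the JSP.
public class EditAccountAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {
        AppUser me = (AppUser) request.getSession().getAttribute(IsUserTag.SESSION_KEY);
        if (me == null) return mapping.findForward("login");   // the filter should have caught this
        String target = accountToEdit(me, request.getParameter("user"));
        request.setAttribute("accountToEdit", target);         // populate the form from this name
        return mapping.findForward("success");
    }

    // Pure decision: which account may 'me' edit when 'requested' came from the query string?
    static String accountToEdit(AppUser me, String requested) {
        if (requested == null || requested.equals(me.getUsername())) return me.getUsername();
        return me.isAdmin() ? requested : me.getUsername();
    }
}
```

Because the decision lives in accountToEdit rather than in the page, it still holds when someone types /EditAccount?user=username directly instead of following a link the tag chose to render.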

