It is not necessary to create a specialty tag. If you are using container managed security and your users are set in specific roles you can use the logic:present tag with the role attribute.
I do think the right way to do this is have the view conditional based on roles.

Mike

--- Marco Tedone <[EMAIL PROTECTED]> wrote:
> I hope to give my 2 cents here. What I'm going to do (therefore what I would
> suggest you to do) is to create a custom tag like
> <xSecurity:isUser userName="username" /> which I'll use in my JSP to present
> the user some contents instead of some others. The background is that I had
> to create an application specific User authentication service, based on XML
> configuration file and commons-digester parsing to validate user's login
> information with the information contained in the XML configuration file.
>
> The process looks like the following:
>
> 1) XML user's configuration file: -> XML file, containing user's login info,
> like username, password and role
> 2) User Service -> A Business Service which, given the user's login
> credentials, returns true if those match the XML configuration file info,
> otherwise returns false;
> Login Action -> Uses the User Service and if user has the right credentials,
> CREATE a session attribute with the user details stating that user has the
> right credentials;
> Tag library -> Retrieves session attribute for user (not the container one,
> but the application one, from the Form declared in session scope!); if it
> doesn't exist (meaning that user hasn't logged in successfully) returns
> something like SKIP_BODY or EVAL_BODY.
>
> I had the need for that because I didn't want to bind, let's say, a Tomcat
> user with my application user. Now, thinking to put this custom tag at the
> beginning and at the end of what is crucial to your application it could
> work fine, in your case:
>
> <!-- userName here can have the value of 'Administrator' -->
> <xSecurity:isUser userName="userName">
>   <html:link action="yourAction.do?isAdmin=true" />
> </xSecurity:isUser>
>
> <!-- userName here can have any other value -->
> <xSecurity:isUser userName="userName">
>   <html:link action="yourAction.do" />
> </xSecurity:isUser>
>
> Or something similar...I haven't implemented the model yet, so these are
> only ideas.
>
> Regards,
>
> Marco
>
> > -----Original Message-----
> > From: Dan Allen [mailto:[EMAIL PROTECTED]
> > Sent: Sunday, March 23, 2003 7:04 PM
> > To: Struts-User List
> > Subject: case study with security
> >
> > There have been several discussions on this list about how
> > security should be loosely coupled with the ActionServlet
> > itself (a filter on top of the application), but I am curious
> > to know the best practice for handling the following type of case.
> >
> > Assume I have an action with a path of /EditAccount.
> > Naturally if a user is not logged in, this path should be
> > protected via filtering. However, /EditAccount has two
> > purposes, one for the regular user to edit his/her own
> > account, but also for the administrator to edit any user
> > account via the query string ?user=username. In this case, I
> > have to check in the action class if the user is allowed to
> > take on the role of another user in which case the form is
> > populated with that user's data or, if not, the form should
> > populate with the user's own data.
> >
> > Is this something that is reasonable to do in the action, or
> > should I create another action path
> > /EditUserAccount?user=username and filter that to only admins
> > and then forward to the /EditAccount once the proper
> > credentials have been established, hence relieving the
> > action behind /EditAccount from looking at any roles?
> >
> > Dan
> >
> > --
> > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> > Daniel Allen, <[EMAIL PROTECTED]>
> > http://www.mojavelinux.com/
> > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> > "If you are going to play the game of trial and error,
> > don't be surprised when the results are revealing. -- me"
> > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
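
The server-side half of the /EditAccount case from the quoted question, as an added example that is not part of the thread or of Struts itself: a Struts 1 action that takes the caller's identity and role from container-managed security and treats `?user=` as untrusted input, falling back to the caller's own account as the question describes. The class name, the `admin` role name, the `targetUser` attribute and the forward names are assumptions.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Hypothetical action mapped to /EditAccount (names are assumptions, see lead-in). */
public class EditAccountAction extends Action {

    static final String ADMIN_ROLE = "admin"; // assumed container role name

    /**
     * Decide whose account the form may be populated with.
     * Only a caller holding the admin role may select another user;
     * everyone else gets their own account, whatever ?user= says.
     */
    static String resolveTargetUser(String caller, boolean callerIsAdmin, String requested) {
        if (requested == null || requested.trim().length() == 0) {
            return caller;                    // no ?user= supplied
        }
        return callerIsAdmin ? requested.trim() : caller;
    }

    public ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        // Identity and role come from the container, never from the request parameters.
        String caller = request.getRemoteUser();
        if (caller == null) {
            return mapping.findForward("login");   // not authenticated
        }
        String requested = request.getParameter("user");   // untrusted
        String target = resolveTargetUser(caller, request.isUserInRole(ADMIN_ROLE), requested);

        if (requested != null && !target.equals(requested.trim())) {
            // A non-admin asked for someone else's account: worth recording for review.
            servlet.log("EditAccount: " + caller + " requested another user's account; ignored");
        }
        // Form population downstream reads this attribute, not the query string.
        request.setAttribute("targetUser", target);
        return mapping.findForward("success");
    }
}
```

A `logic:present` block with the `role` attribute in the JSP then only decides whether the admin link is displayed; the check in the action is what decides whose data is loaded.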

