Thanx Max. It was very educational.

-----Original Message-----
From: Max Cooper [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 27, 2003 5:26 PM
To: Struts Users Mailing List
Subject: Re: Actions based on Role
My first suggestion would be to look into container-managed security, and after that look at my filter-based clone of container-managed security, http://securityfilter.sourceforge.org/, that works the same (you don't have to change your app) but has a few little differences to get around things I didn't like with container-managed security. By using one of these solutions, you could use the Action role stuff in struts-config.xml.

If you want to adapt your current security system and be able to use the struts-config.xml declarative roles stuff, you need to morph it into a filter so that you can wrap the HttpRequests that come in to implement request.isUserInRole(). request.getUserPrincipal() and request.getRemoteUser() are the two other most important methods to implement in your RequestWrapper class to allow Struts and other software to make use of the security info.

Another alternative is to modify the Struts classes to make calls to your custom security infrastructure. Otherwise, you pretty much have to do all of your own programmatic security against whatever proprietary API your security system has.

Also, the standard relationship between users and roles is many-to-many. A user can have many roles, and a role can be had by many users. If you want to harness the full power of this relationship, you'll need to drop the role column from your user table, add a role table, and add a user_role mapping table. Fortunately, it becomes pretty easy to use container-managed security with a schema like that, as you can use stuff like Tomcat's JDBCRealm.
-Max

----- Original Message -----
From: "Jagadeesan,Sivakumar" <[EMAIL PROTECTED]>
To: "'Struts Users Mailing List'" <[EMAIL PROTECTED]>
Sent: Thursday, March 27, 2003 2:50 PM
Subject: RE: Actions based on Role

> I guess I have to do it that way.
> So I have to manually check every time whether that user is authorized to access
> this Action, rather than having it in struts-config.xml, which is more
> configurable.
>
> -----Original Message-----
> From: Edgar Dollin [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, March 27, 2003 4:55 PM
> To: 'Struts Users Mailing List'
> Subject: RE: Actions based on Role
>
> If you use a filter to filter actions based on role, the action wouldn't
> have to know about security. If your authentication sticks the user
> information into the session, the action could make decisions based on the
> user information.
>
> Edgar
>
> > -----Original Message-----
> > From: Jagadeesan,Sivakumar
> > [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, March 27, 2003 3:50 PM
> > To: 'Struts Users Mailing List'
> > Subject: Actions based on Role
> >
> > I have a web application where users could be of three types (Roles):
> >
> > 1) Basic User
> > 2) Silver User
> > 3) Gold User
> >
> > According to the Type / Role of the user, some actions could be
> > performed or not performed.
> >
> > I could set in my struts-config.xml the role-based access in the
> > Action element.
> >
> > I am having my own authentication system that uses the
> > database. The User table has the userName and also the Role.
> >
> > I am not sure how I could create a Role that the Action is
> > expecting, if I am using my own authentication.
> >
> > Thanx
> > --Siva Jagadeesan
> >

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
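The RequestWrapper approach Max describes, written out as an added example (this is not code from SecurityFilter, Struts, or anyone on the thread). It assumes a hypothetical login page that stores the authenticated user name in the session under the attribute "authenticatedUser", and it stands in for the user_role mapping table with a small constructed map; swap loadRoles() for the real query against your schema.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

/**
 * Added example, not SecurityFilter or Struts code. Adapts a home-grown login
 * system to the container's view of request security so that the roles="..."
 * attribute on <action> in struts-config.xml works without touching Actions.
 *
 * Assumptions (hypothetical, chosen for this example):
 *  - the application's own login code puts the user name in the session under
 *    the attribute "authenticatedUser";
 *  - roles live in a user_role mapping table; loadRoles() below is a
 *    constructed in-memory stand-in for that query.
 */
public class RoleRequestFilter implements Filter {

    static final String USER_ATTR = "authenticatedUser";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false);
        String user = (session == null) ? null : (String) session.getAttribute(USER_ATTR);

        if (user == null) {
            // Not logged in: pass the request through unwrapped. The container's
            // own isUserInRole() returns false, so Struts refuses any Action that
            // declares roles. Failing closed here is the property we want.
            chain.doFilter(req, res);
            return;
        }

        // Resolve roles once per request, then wrap so that Struts'
        // RequestProcessor sees them through the standard servlet API.
        Set<String> roles = loadRoles(user);
        chain.doFilter(new SecuredRequest(request, user, roles), res);
    }

    /** Constructed stand-in for "SELECT role FROM user_role WHERE username = ?". */
    static Set<String> loadRoles(String username) {
        Map<String, Set<String>> table = new HashMap<String, Set<String>>();
        table.put("alice", new HashSet<String>(Arrays.asList("basic", "silver")));
        table.put("bob",   new HashSet<String>(Arrays.asList("basic", "silver", "gold")));
        Set<String> roles = table.get(username);
        if (roles == null) {
            return Collections.emptySet();
        }
        return Collections.unmodifiableSet(roles);
    }

    /** Exposes the custom login as the three methods Struts and others rely on. */
    static class SecuredRequest extends HttpServletRequestWrapper {
        private final String user;
        private final Set<String> roles;
        private final Principal principal;

        SecuredRequest(HttpServletRequest request, final String user, Set<String> roles) {
            super(request);
            this.user = user;
            this.roles = roles;
            this.principal = new Principal() {
                public String getName() { return user; }
            };
        }

        public String getRemoteUser() { return user; }

        public Principal getUserPrincipal() { return principal; }

        // Exact, case-sensitive match: roles="Gold" in struts-config.xml will not
        // match a "gold" row, so define the role names in one place.
        public boolean isUserInRole(String role) {
            return role != null && roles.contains(role);
        }
    }
}
```

Register it in web.xml with a <filter> and a <filter-mapping> whose url-pattern matches the ActionServlet mapping (for example *.do) so it runs in front of every Action, then put roles="gold" (or a comma-separated list) on the <action> elements that need it. Any request that reaches Struts without passing through the filter is still refused rather than granted, because an unwrapped request answers isUserInRole() with false; check the mapping once and you do not have to trust every Action to remember the check.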

