On Tue, 27 May 2003, Fisher Trent wrote:
> Date: Tue, 27 May 2003 17:42:38 -0700 (PDT)
> From: Fisher Trent <[EMAIL PROTECTED]>
> Reply-To: Struts Users Mailing List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: programmatic security w/o JAAS?
>
> This seems like a possibility to me, but let me
> elaborate.
>
> 95% of the security for my application will be
> utilizing the concept of Role properties on
> ActionMapping objects to limit access to the protected
> resource. (this would be declarative if I'm not
> mistaken).
>
I would call that declarative ... but I'd say the same thing about
<security-constraint> elements in web.xml ...
> The other 5% of my security involves showing/hiding
> links on certain pages based on the user's role (ex:
> only show the link to the Admin menu if the user has
> the Administrator role). That task I would assume
> would be accomplished using the code:
>
> <logic:present role="Admin">
> ... show links only an Admin should see ...
> </logic:present>
>
> My question is, if I want to perform minimal
> programmatic checks such as above, what is the
> generally accepted token that the logic should check
> in session? If the login ActionForm is placed into
> session as the "User Object", then that wouldn't
> necessarily contain a "Role" attribute and that would
> have to be somewhere else?
>
If you are using container managed security, there is no such thing as a
standard "user object". The only thing you've got to work with are the
calls request.getRemoteUser(), request.getUserPrincipal(), and
request.isUserInRole(). The last one is what the <logic:present
role="..."/> tag uses.
Even if there were such an object, of course, you'd still have to check a
particular property on it, so it'd be just as much code in your pages to
check some property of some specific user object. Is something like this:
<logic:equals name="userObject" property="role" value="Admin">
... show links only an Admin should see ...
</logic:equals>
really any less code than the <logic:present> test you showed above?
> Thanks in advance
>
Craig
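As an added example (not code from the thread), this is the same programmatic check Craig describes, done inside a Struts 1 Action: the decision comes from the container's principal via request.isUserInRole(), so no "role" attribute has to live on a session user object. The class name, the "unauthorized" and "success" forward names, and the comma-delimited role list handling are assumptions.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Hypothetical action behind the Admin menu; role decision is container-backed. */
public class AdminMenuAction extends Action {

    /**
     * True if the authenticated user holds any role in the comma-delimited list.
     * Deny by default: no principal (unauthenticated request) or no roles means false.
     * The comma-delimited handling is an assumption, not a Struts API guarantee.
     */
    static boolean hasAnyRole(HttpServletRequest request, String roles) {
        if (request.getUserPrincipal() == null || roles == null) {
            return false;
        }
        for (String role : roles.split(",")) {
            String r = role.trim();
            if (r.length() > 0 && request.isUserInRole(r)) {
                return true;
            }
        }
        return false;
    }

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) {
        // Same test <logic:present role="Admin"> makes in the JSP, but made
        // server-side before any admin-only data is put in the request, so
        // hiding the link is never the only thing protecting the page.
        if (!hasAnyRole(request, "Admin")) {
            return mapping.findForward("unauthorized"); // assumed forward name
        }
        // Identity for the view also comes from the container, not the login form.
        request.setAttribute("adminUser", request.getRemoteUser());
        return mapping.findForward("success");          // assumed forward name
    }
}
```

The "unauthorized" and "success" forwards would be declared on this action's ActionMapping in struts-config.xml alongside its roles attribute, so the declarative and programmatic checks agree.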