You may wish to look at JAAS if you have so many different roles and users per role.

Anyway, Struts lets you specify a role attribute (that takes comma-separated values, I guess) for each action. If you can, extend the RequestProcessor class and modify the processRoles() method so you can redirect to any page if the roles are not valid for that action, etc.

Struts, using declarative roles, tried to make things easier in terms of less programming effort and ease of managing roles. Beyond that, I can't see much difference. Any opinions?

HTH
Navjot Singh

>-----Original Message-----
>From: Caroline Jen [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, October 07, 2003 7:26 AM
>To: Struts Users Mailing List
>Subject: RE: Container-Managed Authentication <login-config> in web.xml vs. Specifying Paths in the struts-config.xml
>
>But, I do not want to use BASIC authentication. I have many different
>roles and hundreds of people per role. Users' name, role, etc. are
>stored in a database.
>
>--- Matt Raible <[EMAIL PROTECTED]> wrote:
>> A JDBCRealm can use BASIC authentication - it doesn't require form-based.
>> Here's an example app that might help you out:
>>
>> http://raibledesigns.com/wiki/Wiki.jsp?page=SecurityExample
>>
>> HTH,
>>
>> Matt
>>
>> -----Original Message-----
>> From: Caroline Jen [mailto:[EMAIL PROTECTED]
>> Sent: Monday, October 06, 2003 4:45 PM
>> To: [EMAIL PROTECTED]
>> Subject: Container-Managed Authentication <login-config> in web.xml vs. Specifying Paths in the struts-config.xml
>>
>> I use Tomcat. I configured the Tomcat JDBCRealm so that I can use
>> programmatic security testing, such as isUserInRole(), in my program.
>>
>> Because Tomcat JDBCRealm is form based, I inserted the <login-config>
>> and its sub-elements in my web.xml file (see below). As we know, the
>> <form-login-page> and <form-error-page> are required.
>>
>> My question is that the container-managed authentication does not seem
>> to be consistent with what we usually do in Struts; e.g. we state the
>> logical name and path for each .jsp page in the struts-config.xml file.
>>
>> What is the Struts convention in dealing with user authentication?
>> Should we specify the paths for the logon page and error page in the
>> struts-config.xml, or should we use the <form-login-page> and
>> <form-error-page> in the web.xml file?
>>
>> ======================================================
>> <security-constraint>
>>   <web-resource-collection>
>>     <web-resource-name>SalesInfo</web-resource-name>
>>     <url-pattern>/SalesInfo/*</url-pattern>
>>     <http-method>GET</http-method>
>>     <http-method>POST</http-method>
>>   </web-resource-collection>
>>   <auth-constraint>
>>     <role-name>manager</role-name>
>>   </auth-constraint>
>>   <user-data-constraint>
>>     <transport-guarantee>NONE</transport-guarantee>
>>   </user-data-constraint>
>> </security-constraint>
>>
>> <login-config>
>>   <auth-method>FORM</auth-method>
>>   <form-login-config>
>>     <form-login-page>/authentication/login.html</form-login-page>
>>     <form-error-page>/authentication/error.html</form-error-page>
>>   </form-login-config>
>> </login-config>
>>
>> <security-role>
>>   <role-name>manager</role-name>
>> </security-role>

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
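
The processRoles() override suggested in the reply above, as an added example that is not part of the original thread and not code from the Struts project. It assumes Struts 1.x; the package, class name, action path, role names and the denied page are hypothetical.

```java
package example.security; // hypothetical package

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

/**
 * Wiring in struts-config.xml (hypothetical names and paths):
 *   <action path="/salesReport" type="example.SalesReportAction"
 *           roles="manager,auditor"/>
 *   <controller processorClass="example.security.RoleRedirectRequestProcessor"/>
 */
public class RoleRedirectRequestProcessor extends RequestProcessor {

    // Fixed server-side page (hypothetical); never built from request input,
    // so a caller cannot steer where the denial ends up.
    private static final String DENIED_PAGE = "/authentication/denied.jsp";

    protected boolean processRoles(HttpServletRequest request,
                                   HttpServletResponse response,
                                   ActionMapping mapping)
            throws IOException, ServletException {

        String[] roles = mapping.getRoleNames();
        if (roles == null || roles.length == 0) {
            return true; // no roles attribute on this action: unrestricted
        }
        // The container realm (e.g. a JDBCRealm) answers isUserInRole().
        // An unauthenticated caller is in no role and falls through to denial.
        for (int i = 0; i < roles.length; i++) {
            if (request.isUserInRole(roles[i])) {
                return true;
            }
        }
        // Record the denial so repeated probing of protected actions is visible.
        log.warn("Access denied: user=" + request.getRemoteUser()
                + " action=" + mapping.getPath());
        // Keep the 403 status while showing a friendly page via a forward.
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        doForward(DENIED_PAGE, request, response);
        return false; // response is complete; stop further processing
    }
}
```

The roles attribute only controls access to Struts actions; JSPs and static files reached directly by URL still need a <security-constraint> in web.xml.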

