I had quite a similar problem, but I didn't want to put security-related code into my action code. I did it this way:
- I created a new Digester RuleSet (declared in web.xml: "rulesets" init-param of the Struts servlet) to extend the Struts configuration file (struts-config.xml) with specific security tags. My action declarations looked like this:


<action type="..." parameter="req" scope="request" ...>
   <security-checks defaultRoles="role1,role2">
      <dispatch-action name="method1" roles="role1,role3"/>
      ...
   </security-checks>
</action>

- I created a new RequestProcessor (extending org.apache.struts.action.RequestProcessor) overriding processRoles to handle the security checks.


Barnett, Brian W. wrote:

Well, I guess I'll proceed with that. Thank you.

-----Original Message-----
From: Chaikin, Yaakov Y. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 04, 2005 1:55 PM
To: 'Struts Users Mailing List'
Subject: RE: Security question


I don't know of any other way than to programmatically check user's role
inside your Action's method. There is no way to specify attributes in the
<url-pattern> of the <security-constraint>. It just doesn't support such
pattern matching.

Yaakov.

-----Original Message-----
From: Jim Barrows [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 04, 2005 1:30 PM
To: Struts Users Mailing List
Subject: RE: Security question




-----Original Message-----
From: Barnett, Brian W. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 04, 2005 11:04 AM
To: 'Struts Users Mailing List'
Subject: Security question


I'm using LookupDispatchAction and role-based security. I want to allow certain roles to access certain dispatches of an action. I'm not sure what the best way to handle this is.

Should I create separate Action classes? Is there a slick way to specify "dispatch level" security in web.xml?



The container managed security is handled by URL. Which might include parameters. If not you'll have to use one of the dispatch that requires a separate URL to do this.

Alternatively you'll have to put the security checks inside each method.



Can someone point me to a good article(s) on using role-based security in a struts app that might address these issues?

Thanks,
Brian

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
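
One way the processRoles override described in the first message could look, as an added example that is not the poster's code. The class name, the ROLES map (a stand-in for whatever the custom Digester rule set loads from `<security-checks>`) and the "/order" path are hypothetical, and it assumes the dispatch parameter value is the method name, as with a plain DispatchAction.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

// Hypothetical class; registered via <controller processorClass="..."/> in struts-config.xml.
public class DispatchRoleRequestProcessor extends RequestProcessor {

    // Assumption: stands in for the roles a custom Digester rule set would load
    // from <security-checks>. Key "path" holds defaultRoles, "path#method" holds
    // the roles of one <dispatch-action>. Values are constructed samples.
    private static final Map<String, List<String>> ROLES = new HashMap<String, List<String>>();
    static {
        ROLES.put("/order", Arrays.asList("role1", "role2"));
        ROLES.put("/order#method1", Arrays.asList("role1", "role3"));
    }

    protected boolean processRoles(HttpServletRequest request, HttpServletResponse response,
            ActionMapping mapping) throws IOException, ServletException {
        // Keep the stock check on the mapping's own "roles" attribute.
        if (!super.processRoles(request, response, mapping)) {
            return false;
        }
        List<String> allowed = ROLES.get(mapping.getPath());
        if (allowed == null) {
            return true; // no <security-checks> declared for this action
        }
        // mapping.getParameter() names the request parameter carrying the dispatch ("req" above).
        String param = mapping.getParameter();
        String method = (param == null) ? null : request.getParameter(param);
        List<String> perMethod = (method == null) ? null : ROLES.get(mapping.getPath() + "#" + method);
        if (perMethod != null) {
            allowed = perMethod;
        }
        // A missing or unlisted dispatch value falls back to defaultRoles, never to "allow".
        for (String role : allowed) {
            if (request.isUserInRole(role)) {
                return true;
            }
        }
        response.sendError(HttpServletResponse.SC_FORBIDDEN, "Not authorized for this dispatch");
        return false;
    }
}
```

With LookupDispatchAction the request parameter carries the button label rather than the method name, so the lookup key would have to be resolved through the action's key-to-method map first.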