Re: Struts & Security

Wed, 19 Jan 2005 06:53:34 -0800

In part for the reason you specified, where the response has already been committed in tiles, I prefer to move that kind of logic back into the pre-view stages of request processing.

In Struts 1.2.x, you could extend the TilesRequestProcessor and change the implementation of "processRoles" so that it handles security the way you prefer, before the action's execute method is ever called (and actually before the form is populated as well).

http://struts.apache.org/api/org/apache/struts/action/RequestProcessor.html#processRoles(javax.servlet.http.HttpServletRequest,%20javax.servlet.http.HttpServletResponse,%20org.apache.struts.action.ActionMapping)

In Struts 1.3, the default RequestProcessor will use a chain of commands, and in this case, you would replace the AuthorizeAction command from the chain with one of your own. It is possible to implement this in Struts 1.2.x using the struts-chain library, but since that library was never released on its own, it's a small amount of work just to get the code. Hopefully sometime in the next couple of weeks we'll have a stable SVN version of Struts 1.3.x which uses a modified form of the chain processing, but I couldn't say when that would be ready for a production release.

Joe


At 9:54 PM +0900 1/19/05, Sylvain ~ wrote: 
I'm working on a simple application which requires very simple
security as given there is only 3 kind of users : anonymous, users and
admin.

For portability issues, I don't want to use Tomcat's security system.

I think using JAAS or securityFilter for a such simple application
would create more problems than it would solve, so I firstly decided
to implement a security feature with a jsp tag that I'll include in my
webpages.

The tag is similar to the one provided as an example of struts : checkLogon

It was working well with the firsts drafts of my application, but
since I use Tiles I can't perform any redirect with this tag, I just
get a blank page where the protected page should take place.

The page access is protected well, but what should I do if I want to
have a "403 page" instead of just displaying the page ?

Any Idea would be appreciated.
Sylvain.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


--
Joe Germuska [EMAIL PROTECTED] http://blog.germuska.com "Narrow minds are weapons made for mass destruction" -The Ex

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to