Can someone point me to some articles or provide some examples on how to
minimize security related code (authorization) in my Action classes? I am
currently using container-managed, form-based security (Tomcat) for
authentication and <security-constraint> and <security-role> elements in
web.xml.

The problem is that I'm not sure how best to have finer grained control of
which roles can do what. For example, I have a UserAction class with methods
that allow edit, add and delete of users. I want some roles to be able to
add and edit but not delete.

The urls might look something like this:
http://www.myapp.com/do/user?Dispatch=add
http://www.myapp.com/do/user?Dispatch=edit&id=5
http://www.myapp.com/do/user?Dispatch=delete&id=5

But web.xml allows url-patterns based on actions:
<url-pattern>/do/user/*</url-pattern>

So do I have to create a separate Action class for each one so that it is a
different URL? Right now I have code that checks in edit, add and delete
methods inside UserAction to see if the logged in user has the correct role.

Any suggestions would be appreciated.

TIA,
Brian Barnett
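
Added example, not part of the original post: a single deny-by-default role check keyed on the Dispatch parameter, since a web.xml url-pattern matches only the path and cannot tell add, edit and delete apart. The role names are hypothetical, and the Predicate stands in for HttpServletRequest.isUserInRole so the class runs without a container.

```java
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;

/** One place that decides which roles may invoke which dispatch method. */
public class DispatchPolicy {
    // Dispatch names come from the URLs in the post; role names are assumptions.
    private static final Map<String, Set<String>> ALLOWED = Map.of(
        "add",    Set.of("editor", "admin"),
        "edit",   Set.of("editor", "admin"),
        "delete", Set.of("admin"));

    /**
     * @param dispatch     value of the Dispatch request parameter (may be null)
     * @param isUserInRole in a servlet container, pass request::isUserInRole
     * @return true only if the method is listed and the user holds a listed role
     */
    public static boolean isPermitted(String dispatch, Predicate<String> isUserInRole) {
        if (dispatch == null) {
            return false;                          // missing parameter: deny
        }
        Set<String> roles = ALLOWED.get(dispatch); // exact, case-sensitive match
        if (roles == null) {
            return false;                          // unlisted method: deny
        }
        return roles.stream().anyMatch(isUserInRole);
    }

    public static void main(String[] args) {
        // Constructed sample users, each holding a single role.
        Predicate<String> editor = Set.of("editor")::contains;
        Predicate<String> admin = Set.of("admin")::contains;
        for (String d : new String[] {"add", "edit", "delete", "Delete", "purge"}) {
            System.out.printf("%-7s editor=%b admin=%b%n",
                d, isPermitted(d, editor), isPermitted(d, admin));
        }
    }
}
```

Calling isPermitted once, before the request is dispatched to add, edit or delete, replaces the per-method role checks, and a new dispatch method stays blocked until it is listed in the map.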
