Hi Wendy - thank you for your time :-) I have some more questions:
1. Does the getRoles() method in the BenWebUser Class get the roles for a specific menu from the menu-config?
2. How do you secure your web app if not by container security? Only by hiding menus? What if someone knows the url to the hidden menu?
3. Is there an easy way to adjust struts-menu so it will take the menu-to-roles data from my database instead of from menu-config?

Thanks a lot
Rivka

-----Original Message-----
From: Wendy Smoak [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 17, 2006 9:30 PM
To: user@struts.apache.org; Rivka Shisman
Subject: Re: Enabling links according to user's authorization

On 1/17/06, Rivka Shisman <[EMAIL PROTECTED]> wrote:

Wendy wrote:
> > I use Struts Menu to conditionally display menu items based on user
> > roles. Rather than configure the container to handle it, I have a
> > Filter that wraps the request, and the request wrapper overrides the
> > isUserInRole method. In that method, I check a session-scoped 'user'
> > object to see if the user has that role.
> >
> > The code is here, and I don't think it's Tomcat-specific:
> > http://wiki.wsmoak.net/cgi-bin/wiki.pl?TomcatRequestWrapper

> 1. By saying "Rather than configure the container to handle it" - do you
> mean that you don't have J2EE roles configured?

Correct. There is no 'container managed authentication' configuration.

> 2. If I understand correctly - you don't work the menu-config.xml way?

I _do_ use menu-config.xml. That's how Struts Menu knows which role to ask about. I added a bit of that config to the Wiki page if you want to look again.

> 3. I'm not sure I understand the BenWebUser Class, can you please attach
> its code?

It's just a bean with get/set methods. The 'getAuthorizedMnemonics' method could be renamed 'getRoles'. It returns a List of "roles", and you can see in the overridden request.isUserInRole method that all I do is ask whether the list contains the role in question.
--
Wendy
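
The filter and request wrapper described in the thread above, written out as an added example; it is not part of the original messages and is not the code from the linked wiki page. The class names, the `WebUser` interface and the `user` session attribute key are assumptions, and it uses the `javax.servlet` API.

```java
import java.io.IOException;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: class and attribute names are hypothetical, not from the thread.
public class SessionRoleFilter implements Filter {

    /** Assumed shape of the session-scoped user bean: it only exposes role names. */
    public interface WebUser {
        List<String> getRoles();
    }

    // Assumed session attribute key under which login code stored the bean.
    static final String USER_KEY = "user";

    /** Wrapper whose isUserInRole() asks the session bean instead of the container. */
    static class RoleRequestWrapper extends HttpServletRequestWrapper {
        RoleRequestWrapper(HttpServletRequest request) {
            super(request);
        }

        @Override
        public boolean isUserInRole(String role) {
            // getSession(false): never create a session just to answer a role check.
            HttpSession session = getSession(false);
            if (session == null || role == null) {
                return false;
            }
            Object user = session.getAttribute(USER_KEY);
            if (!(user instanceof WebUser)) {
                return false; // not logged in, or an unexpected object: deny
            }
            List<String> roles = ((WebUser) user).getRoles();
            return roles != null && roles.contains(role);
        }
    }
    public void init(FilterConfig config) {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Wrap HTTP requests so everything downstream sees the session-based roles.
        if (req instanceof HttpServletRequest) {
            req = new RoleRequestWrapper((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }
    public void destroy() {}
}
```

Struts Menu only decides whether a link is shown. A Struts 1 action mapping's `roles` attribute is also evaluated through `request.isUserInRole`, so the same wrapper can back a server-side check on the action itself.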