Hi,

Thank you for sharing the idea. I am also working on the authorization and authentication of my application.

"The authentication interceptor checks the action method for @Secured annotation and checks the session to see if the user has logged in. If not, the target page and parameters are saved in the session and the user is redirected to the login page. There is a login action that authenticates the user (using database, files, ...) and saves any needed data in the session. It then uses a LoginResult that redirects to the target page (the secured page that the user was redirected from) and sets the saved parameters for that page."

My application contains a lot of values in the session, so I need to populate the session after logging in, using the Action class of the login page. I am thinking of a design for allowing users to bookmark a page. After he selects a bookmarked page, if he is not logged in he should be redirected to the login page, and after logging in he should come to the bookmarked page, which is like what you explained above. Can you please tell me how you did this?

Regards
Viplav Kallepu

Mahdi Milani Fard <[EMAIL PROTECTED]> wrote:
Hi,

I'm developing a Struts 2 application which needs non-role-based authorization (e.g. a user can see the messages of a group if he is a member, etc.) Realm is not enough in such a case and you need to add some authorization code to each action if you use realm. I developed an authentication/authorization mechanism using annotations for this problem. I thought it's good to share this with other Struts users.

I use two interceptors. The authentication interceptor along with the @Secured annotation:

    @Secured
    public String getMessageList() { ... }

The authentication interceptor checks the action method for @Secured annotation and checks the session to see if the user has logged in. If not, the target page and parameters are saved in the session and the user is redirected to the login page. There is a login action that authenticates the user (using database, files, ...) and saves any needed data in the session. It then uses a LoginResult that redirects to the target page (the secured page that the user was redirected from) and sets the saved parameters for that page.

The second interceptor is the authorization interceptor along with the @Authorizer annotation:

    @Secured
    @Authorizer("isMember")
    public String getMessageList() { ... }

    boolean isMember() { ... }

Here the interceptor checks the action method for @Authorizer interceptor. If such annotation exists it uses reflection to call the indicated methods (e.g. "isMember") on the same action object. If you add the authorization interceptor in the correct place in the interceptor stack, at the time the authorizer method is called, the action bean is populated using the setters. So the authorizer can use the filled values to check for authorization and returns a boolean indicating if the current user (saved in session) is authorized to do the action (with respect to the filled parameters.)

Although it looks like re-inventing the wheel, I think this mechanism is good enough for simple authentication/authorization.
-- Regards Viplav Kallepu
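
The check that the two interceptors in the quoted message perform, written as plain Java so it runs without Struts. This is an added example, not code from either poster. The session key "user", the class names and the Decision enum are assumptions, and the annotations are re-declared here with the names used in the post.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class AnnotationAccessCheck {
    // RUNTIME retention is required, otherwise reflection cannot see the annotations.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD) @interface Secured {}
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD) @interface Authorizer { String value(); }

    enum Decision { ALLOW, LOGIN, DENIED }

    // Decision for an action object whose setters have already been populated.
    static Decision decide(Object action, String methodName, Map<String, Object> session) {
        Method target;
        try {
            target = action.getClass().getMethod(methodName);
        } catch (NoSuchMethodException e) {
            return Decision.DENIED;                 // unknown action method: fail closed
        }
        if (target.isAnnotationPresent(Secured.class) && session.get("user") == null) {
            return Decision.LOGIN;                  // caller saves the target page, then redirects
        }
        Authorizer authz = target.getAnnotation(Authorizer.class);
        if (authz == null) return Decision.ALLOW;
        try {
            // The authorizer name comes from the annotation, never from request input.
            Method check = action.getClass().getDeclaredMethod(authz.value());
            if (check.getReturnType() != boolean.class) return Decision.DENIED;
            check.setAccessible(true);
            return (boolean) check.invoke(action) ? Decision.ALLOW : Decision.DENIED;
        } catch (ReflectiveOperationException | RuntimeException e) {
            return Decision.DENIED;                 // missing or throwing authorizer: fail closed
        }
    }

    // Constructed sample action modelled on getMessageList()/isMember() from the post.
    public static class MessageAction {
        private final Set<String> members = Set.of("alice");
        String currentUser;                         // assumption: copied from the session
        @Secured @Authorizer("isMember") public String getMessageList() { return "success"; }
        boolean isMember() { return members.contains(currentUser); }
    }

    public static void main(String[] args) {
        MessageAction action = new MessageAction();
        Map<String, Object> session = new HashMap<>();
        System.out.println(decide(action, "getMessageList", session));  // not logged in
        session.put("user", "bob");   action.currentUser = "bob";
        System.out.println(decide(action, "getMessageList", session));  // logged in, not a member
        session.put("user", "alice"); action.currentUser = "alice";
        System.out.println(decide(action, "getMessageList", session));  // logged in member
    }
}
```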