Haulyn R. Jason wrote:
> Hi, all
> I have an authentication problem. I use an Interceptor to authenticate
> actions and methods, based on different members and different roles.
> Everything works well. But my client cannot access some resources, for
> example a URL, so they should not see the URL. I think maybe I can
> re-write the <s:a> tag or use an Interceptor to check whether an <s:a /> tag
> should be rendered to the clients. I cannot find any reference.
> Without this way, does Struts 2 have its own way to solve the problem?
>
> Thanks!
>
>   

None of the Struts 2 tags are aware of role. In my opinion, it's better
to leave that consideration out of these tags as you don't want security
checks scattered through all the tag variations.

Instead, customize the view using tags that render their body only if the
user has the specified role(s).
Either:
- use tags from an existing library (Tiles tags can check role I think); or
- create a custom tag that only renders the body if the principal has
  the specified role(s)

e.g.

    <security:guard role="admin">
        <s:a href="adminpage"/>
    </security:guard>

Otherwise every tag needs to be modified and that leads to mistakes.

*More importantly* secure the server-side first and foremost. Consider
customization of the view based on role only as a way to improve the
user's experience as it doesn't actually help secure your application.
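
[Added example, not part of the original message or of Struts 2: one way to write the tag handler behind the `<security:guard role="...">` tag suggested above. The class name `GuardTag`, the package, the comma-separated `role` syntax and the use of container-managed roles via `isUserInRole` are assumptions; the tag also needs a TLD entry mapping `guard` to this class, and an application that keeps roles in the session would replace the check in `isAllowed()`.]

```java
package example.security; // hypothetical package name

import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.PageContext;
import javax.servlet.jsp.tagext.JspFragment;
import javax.servlet.jsp.tagext.SimpleTagSupport;

/** Renders its body only when the current principal holds one of the listed roles. */
public class GuardTag extends SimpleTagSupport {

    private String role; // assumed syntax: one role name or a comma-separated list

    public void setRole(String role) {
        this.role = role;
    }

    @Override
    public void doTag() throws JspException, IOException {
        JspFragment body = getJspBody();
        if (body == null || !isAllowed()) {
            return; // fail closed: emit nothing, not even an empty link
        }
        body.invoke(null); // null writes the body to the page's current JspWriter
    }

    private boolean isAllowed() {
        if (role == null || role.trim().isEmpty()) {
            return false; // a guard without a role attribute hides its body
        }
        PageContext pageContext = (PageContext) getJspContext();
        HttpServletRequest request = (HttpServletRequest) pageContext.getRequest();
        if (request.getUserPrincipal() == null) {
            return false; // anonymous users never see guarded content
        }
        for (String candidate : role.split(",")) {
            String name = candidate.trim();
            if (!name.isEmpty() && request.isUserInRole(name)) {
                return true;
            }
        }
        return false;
    }
}
```

[The tag only decides whether the link is rendered; the action behind `adminpage` still has to be protected by the server-side check, as the message says.]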





