Hi Experts,

I have an application that supports a number of roles, including staff and manager.

I have a resource (/secure/staff/staff.jsp) that is protected by a security constraint in web.xml:

    <security-constraint>
        ...
        <web-resource-collection>
            ...
            <url-pattern>/secure/staff/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>staff</role-name>
        </auth-constraint>
    </security-constraint>
    ...

If I log in as a manager and try to directly access ../myapp/secure/staff/staff.jsp, I get a 403 Forbidden.

If I log in as a manager and try to access the resource via an action that forwards to the resource on SUCCESS, for example ../myapp/SomeAction.action, which is defined in staff.xml (which is included in struts.xml) thusly:

    <action name="AddStaffAccount" class="foo.bar.baz.SomeAction" method="someMethod">
        <result name="success">/secure/staff/staff.jsp</result>
        ...
    </action>

I get access to the protected resource even though I am logged in as an account that does not have that role.

I'm relatively new to Struts, having mostly developed in plain old J2EE jsp/servlets.

Somehow I need to be able to apply the security constraint when the action forwards to the resource on success. I really don't want to have to start testing roles in my actions, as this seems to negate the benefits of using declarative security.

I can't find anything about this in my book (Struts2 in Action).

Any advice much appreciated.

Thanks
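The container evaluates a web.xml security constraint only for requests arriving from the client, not for a server-side RequestDispatcher forward such as the one a Struts 2 result performs, which is why the JSP is reachable through the action. One defensive option, written here as an added example that is not from the original post or from Struts itself, is a servlet filter mapped to the same URL pattern with the FORWARD dispatcher so the role check also runs on the forwarded path; the class name foo.bar.baz.StaffRoleFilter and the init-param name "role" are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (not from the original post): re-applies the "staff" role
// check on the FORWARD dispatch that a Struts 2 <result> performs, which the
// container's <security-constraint> does not evaluate. Map it in web.xml as:
//
//   <filter>
//     <filter-name>staffRoleFilter</filter-name>
//     <filter-class>foo.bar.baz.StaffRoleFilter</filter-class>
//     <init-param><param-name>role</param-name><param-value>staff</param-value></init-param>
//   </filter>
//   <filter-mapping>
//     <filter-name>staffRoleFilter</filter-name>
//     <url-pattern>/secure/staff/*</url-pattern>
//     <dispatcher>REQUEST</dispatcher>
//     <dispatcher>FORWARD</dispatcher>
//   </filter-mapping>
public class StaffRoleFilter implements Filter {
    private String requiredRole;

    public void init(FilterConfig config) throws ServletException {
        requiredRole = config.getInitParameter("role");
        if (requiredRole == null) {
            throw new ServletException("init-param 'role' is required");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // isUserInRole() is answered by the container realm, so this reuses the
        // same role mapping the declarative <auth-constraint> depends on.
        if (request.getUserPrincipal() == null || !request.isUserInRole(requiredRole)) {
            // Same outcome as the direct request: the forwarded path gets a 403 too.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Because the check keys off the dispatch target rather than the action, it covers every result that forwards under /secure/staff/ without adding role tests to the actions themselves.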