you were right, Andy, i finally safely changed the struts2 filter mappings from "/*" to "*.action" and today i've had great success merging redback struts2 with my existing webapp.
i hit upon this when googling led me to another post elsewhere that was questioning how to run struts1 alongside struts2. the answer was to map the struts1 servlet to "*.do" and the struts2 filter to "*.action". this beat my attempts of "/struts2/*" and even "/*.action", and finally did what i wanted, enabling all of the security (and struts2) actions i need while not glomming on to any other URLs i may be using.

but this answer was not easily come by: especially when all the struts.xml/web.xml/filter information i came across during extensive googling indicated that the "/*" filter was too important to the workings of struts2 to disable. coupled with the trouble i had creating a valid filter, i reached the premature conclusion that i wouldn't find an answer to the filtering problem.

what would be nice is some explanation as to how to better configure the filtering and namespaces in the web and struts xml files. i'm not about to redo my existing webapps in struts2 (due to time and general lack of knowledge), but i'm all over this integration of redback struts2-based security with minimal mods to my existing webapps. it looks like i can safely do it, now, but i can't explain how or why it works this way (yet), and with the purported wide acceptance and use of struts2 i'd have hoped for more how-to use-cases similar to my own.

the problem i hit now is this one

Andy Sykes wrote:
>
> .. the only example I can see is if you're using Struts
> interceptors/actions for webapp security - in which case hitting a
> servlet directly might mean there's no session information to validate
> the user. That's a trivial matter, though.
>

i'm in just this scenario now: how can i check the securitySession info from the servlet-side of things? i've re-implemented the IfAuthorizedTag's condition() method as a Utils.isAuthorized() method, but i never seem to be connecting with the authorization info. any ideas/pointers there? i'm plumb tired after googling for days...

    public static final boolean ifAuthorized( final HttpSession session, final String permission,
                                              final String resource )
        throws ServletException
    {
        ApplicationContext applicationContext =
            WebApplicationContextUtils.getRequiredWebApplicationContext( session.getServletContext() );

        // Cache per session, not in the ServletContext: application scope is shared by
        // every user, so one user's cached result would be returned to all the others.
        final String cacheKey = "redbackCache" + permission + ( resource != null ? resource : "" );
        Boolean authzStatusBool = (Boolean) session.getAttribute( cacheKey );
        boolean authzStatus;

        if ( authzStatusBool == null )
        {
            // Redback stores the logged-in user's SecuritySession in the HTTP session.
            SecuritySession securitySession =
                (SecuritySession) session.getAttribute( SecuritySystemConstants.SECURITY_SESSION_KEY );
            try
            {
                SecuritySystem securitySystem = (SecuritySystem) applicationContext.getBean(
                    PlexusToSpringUtils.buildSpringId( SecuritySystem.ROLE ) );
                if ( securitySystem == null )
                {
                    throw new ServletException( "unable to locate security system" );
                }
                authzStatus = securitySystem.isAuthorized( securitySession, permission,
                                                           resource != null ? resource : "" );
                session.setAttribute( cacheKey, Boolean.valueOf( authzStatus ) );
            }
            catch ( AuthorizationException ae )
            {
                throw new ServletException( "error with authorization", ae );
            }
        }
        else
        {
            authzStatus = authzStatusBool.booleanValue();
        }

        session.setAttribute( "ifAuthorizedTag", Boolean.valueOf( authzStatus ) );
        return authzStatus;
    }
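
Why "*.action" worked where "/*.action" and "/struts2/*" did not, as an added example (not part of the original post, nor Struts or Redback code): a minimal matcher for the Servlet specification's url-pattern rules, run over the four patterns tried in the message. The request paths are constructed samples, and `UrlPatternDemo` and `matches` are illustrative names.

```java
import java.util.List;

public class UrlPatternDemo {

    /** True if a context-relative request path matches a web.xml url-pattern. */
    static boolean matches(String pattern, String path) {
        // Path mapping: starts with "/" and ends with "/*" (this includes "/*" itself).
        if (pattern.startsWith("/") && pattern.endsWith("/*")) {
            String prefix = pattern.substring(0, pattern.length() - 2);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        // Extension mapping: starts with "*." and is compared with the last path segment.
        if (pattern.startsWith("*.")) {
            String last = path.substring(path.lastIndexOf('/') + 1);
            int dot = last.lastIndexOf('.');
            return dot >= 0 && last.substring(dot).equals(pattern.substring(1));
        }
        // Everything else is an exact match only. "/*.action" lands here: the "*"
        // is not a wildcard in this position, so it matches no real action URL.
        return pattern.equals(path);
    }

    public static void main(String[] args) {
        List<String> patterns = List.of("/*", "/struts2/*", "/*.action", "*.action");
        // Constructed sample paths: two Struts2 actions, a Struts1 action, a plain servlet.
        List<String> paths = List.of("/security/login.action", "/struts2/login.action",
                                     "/legacy/report.do", "/upload");
        for (String pattern : patterns) {
            for (String path : paths) {
                System.out.printf("%-12s %-24s %s%n", pattern, path,
                        matches(pattern, path) ? "goes through filter" : "bypasses filter");
            }
        }
    }
}
```

Any path reported as bypassing the filter never reaches the Struts2 interceptors, so a servlet mapped there has to perform its own authorization check.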