I think we are mixing two issues here. Authentication deals with verifying whether a user is what he/she claims to be and authorization is the mechanism for checking whether someone has access to a particular resource.
The standard practice is to prevent unauthenticated users from accessing any resource within your app. This is typically done by an interceptor that allows a request to pass through only if it can find a user-specific token in the session. This should solve your first problem.

The second question is about authorization, where a particular user does not have access to a particular resource. This can also be built into the same interceptor, but you will have to supply the authorization table somehow - usually from an LDAP or RDBMS.

- Rahul

From: Guy Thomas <guy.tho...@vlaamsbrabant.be>
To: Struts Users Mailing List <user@struts.apache.org>
Date: 09-08-2010 11:47
Subject: URL authentication

I am adding authentication to a Struts2 web application by implementing an authentication interceptor. With an interceptor, as far as I understand, you can prevent non-authenticated persons from accessing specific actions.

However, suppose somebody forwards a URL to a specific PDF file to a non-authenticated "outsider". For example:

http://.../persberichten/persbericht12954.pdf

Which Struts2 mechanism can I use to prevent the non-authenticated "outsider" from accessing that PDF?

Or, another example:

http://.../persoverzicht/ophalenpub.jsp?id=27859

Is it possible to prevent the outsider from accessing that specific press article?
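A sketch of the interceptor the reply describes, added here as an example and not code from the thread or from the Struts project. The session keys, the `forbidden` result name, the action and role names, and the in-memory table (standing in for the LDAP or RDBMS lookup) are all assumptions.

```java
// Added example: authentication plus authorization in one Struts2 interceptor.
// All names below (session keys, actions, roles, "forbidden") are hypothetical.
import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

import java.util.Collections;
import java.util.Map;
import java.util.Set;

public class AuthInterceptor extends AbstractInterceptor {

    // Session attributes the login action is assumed to set after a successful login.
    static final String USER_KEY = "authenticatedUser";
    static final String ROLES_KEY = "userRoles";

    // Authorization table: action name -> roles allowed to invoke it.
    // Hard-coded here; in practice loaded from LDAP or an RDBMS.
    private static final Map<String, Set<String>> ALLOWED_ROLES = Map.of(
            "ophalenpub", Set.of("press", "editor"),
            "persbericht", Set.of("press"));

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        Map<String, Object> session = invocation.getInvocationContext().getSession();

        // Authentication: no user token in the session means nobody is logged in.
        Object user = (session == null) ? null : session.get(USER_KEY);
        if (user == null) {
            return Action.LOGIN; // needs a global "login" result in struts.xml
        }

        // Authorization: deny by default. An action missing from the table, or a
        // user holding none of the listed roles, is refused.
        String action = invocation.getProxy().getActionName();
        Set<String> allowed = ALLOWED_ROLES.get(action);
        @SuppressWarnings("unchecked")
        Set<String> roles = (Set<String>) session.get(ROLES_KEY);
        if (allowed == null || roles == null || Collections.disjoint(allowed, roles)) {
            return "forbidden"; // needs a matching global result in struts.xml
        }

        // Authenticated and authorized: continue down the interceptor stack.
        return invocation.invoke();
    }
}
```

Leave the login action itself out of the stack that carries this interceptor, otherwise the deny-by-default check blocks it. An interceptor runs only for requests that Struts dispatches to an action, so a file such as the PDF is covered only when it is served through an action rather than directly by the container.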