FWIW, I wouldn't combine the two into the same interceptor since they're rather different things... plus resource access is more likely to take place in a different layer, and not be a cross-cutting concern.
Dave

On Mon, Aug 9, 2010 at 3:07 AM, Rahul Mohan <rahul.mo...@tcs.com> wrote:
> I think we are mixing two issues here. Authentication deals with verifying whether a user is what he/she claims to be and authorization is the mechanism for checking whether someone has access to a particular resource.
>
> The standard practice is to prevent unauthenticated users from accessing any resource within your app. This is typically done by an interceptor that allows a request to pass through only if it can find a user-specific token in the session. This should solve your first problem.
>
> The second question is about authorization, where a particular user does not have access to a particular resource. This can also be built into the same interceptor, but you will have to supply the authorization table somehow - usually from an LDAP or RDBMS.
>
> - Rahul
>
> From: Guy Thomas <guy.tho...@vlaamsbrabant.be>
> To: Struts Users Mailing List <user@struts.apache.org>
> Date: 09-08-2010 11:47
> Subject: URL authentication
>
> I am adding authentication to a Struts2 web application by implementing an authentication interceptor.
> With an interceptor, as far as I understand, you can prevent non-authenticated persons from accessing specific actions.
>
> However, suppose somebody forwards a URL to a specific pdf-file to a non-authenticated "outsider".
> For example: http://.../persberichten/persbericht12954.pdf
>
> Which Struts2 mechanism can I use to prevent the non-authenticated "outsider" from accessing that PDF?
>
> Or, another example:
>
> http://.../persoverzicht/ophalenpub.jsp?id=27859
>
> Is it possible to prevent the outsider from accessing that specific press article?
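The split discussed in this thread, as an added example that is not code from any of the posters: a Struts2 interceptor that only checks for a logged-in user, and a separate per-resource check kept in the service layer. The session key `authenticatedUser`, the class `PressArticleAccess` and its in-memory table are assumptions standing in for the application's login action and its LDAP/RDBMS lookup.

```java
import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import java.util.Map;
import java.util.Set;

// Cross-cutting concern: is there an authenticated user at all?
public class AuthenticationInterceptor extends AbstractInterceptor {
    // Assumed session key, written by the application's own login action.
    static final String USER_KEY = "authenticatedUser";

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        Map<String, Object> session = invocation.getInvocationContext().getSession();
        Object user = (session == null) ? null : session.get(USER_KEY);
        if (user == null) {
            // Fail closed: no token, no action. Requires a global
            // "login" result to be declared in struts.xml.
            return Action.LOGIN;
        }
        return invocation.invoke();
    }
}

// Separate layer: may this user read this particular article?
// Called by the action or service that loads the article by id.
class PressArticleAccess {
    // Hypothetical stand-in for the LDAP/RDBMS authorization table.
    private final Map<String, Set<Integer>> readableByUser;

    PressArticleAccess(Map<String, Set<Integer>> readableByUser) {
        this.readableByUser = readableByUser;
    }

    void requireRead(String userName, int articleId) {
        Set<Integer> ids = readableByUser.get(userName);
        if (ids == null || !ids.contains(articleId)) {
            // Deny by default when the user or the id is unknown.
            throw new SecurityException("user may not read article " + articleId);
        }
    }
}
```

The interceptor runs only for requests that are mapped to a Struts2 action, so the PDF and JSP URLs in the question are covered by it only if they are served through an action rather than fetched directly from the container.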