We use a custom filter for security and logins, and that filter also has different services which return a list of roles for a given resource. For example there is a path mapper, which looks up a config file for which resources to protect.

There is also a webwork service, which looks up actions.xml for the required roles. If you look at JIRA's actions.xml file, you will see a list of required roles for each action.

You could also do something regarding security in the ActionDispatcher, along the same lines. This would mean you could still use normal J2EE security, rather than a custom grown filter.

Cheers,
Scott

Anders Engström wrote:
Howdy.

Is there a "best-practice" for using J2EE container managed security
with WebWork 1.3 (<security-constraint> etc. in web.xml)?

I've discussed some possible strategies with Joseph (Ottinger) on irc,
but none of them seem natural.

1 - prefix action mappings with secured-theaction.action in
views.properties and restrict access to these mappings in web.xml.

2 - use different webwork.action.extension (.action & .secured-action)
and restrict access based on extension in web.xml (is it even possible
to specify more than one extension in webwork.properties?)

3 - use web.xml to restrict access to the web-resources (i.e.
/jsp/secured/somepage.jsp). This would only protect the view, but not
the execution of the action.

How are you folks out there managing this situation?

Best Regards //Anders


_______________________________________________
Opensymphony-webwork mailing list
https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
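A sketch of the path-mapper idea described in the reply above, as an added example that is not part of the original thread and is not Atlassian's or WebWork's code. The class name, path prefixes and role names are hypothetical, and it assumes the container has already authenticated the user so that `isUserInRole` works and that the filter is mapped to the action URLs, so the check runs before the action executes rather than only protecting the view.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: looks up the roles required for a path and enforces them. */
public class PathRoleFilter implements Filter {
    // Constructed sample mapping; a real deployment would load this from a config file.
    private final Map<String, Set<String>> requiredRoles = new LinkedHashMap<>();

    @Override
    public void init(FilterConfig config) {
        requiredRoles.put("/secure/admin/", Set.of("admin"));
        requiredRoles.put("/secure/", Set.of("user", "admin"));
    }

    /** Roles for the longest matching prefix, or null when the path is unprotected. */
    Set<String> rolesFor(String path) {
        String best = null;
        for (String prefix : requiredRoles.keySet()) {
            if (path.startsWith(prefix) && (best == null || prefix.length() > best.length())) {
                best = prefix;
            }
        }
        return best == null ? null : requiredRoles.get(best);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Use the container-decoded servlet path, not the raw URI, so encoded
        // segments or path parameters cannot slip past the prefix match.
        String info = request.getPathInfo();
        String path = request.getServletPath() + (info == null ? "" : info);
        Set<String> roles = rolesFor(path);
        if (roles != null && roles.stream().noneMatch(request::isUserInRole)) {
            // Deny before the action runs, not just before the view is rendered.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```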
