Thanks Bill, I guess I would be customising the request processor as you mentioned. This would be one of the easy ways of filtering.
1. As all actions, i.e. *.do's, pass through the request processor, I will keep an authorisation check there.
2. I can use hashmaps and session too.
Thanks. Have a great day of Struting.....!!!
Regards
Shilpa
-----Original Message-----
From: news [mailto:[EMAIL PROTECTED] On Behalf Of Bill Siggelkow
Sent: Friday, June 04, 2004 6:39 PM
To: [EMAIL PROTECTED]
Subject: Re: Security and Struts (JAAS?)

Ralf,

Forgive me if I misinterpreted what you are asking, but I believe what you want is to use the Struts "roles" attribute on actions for application-managed security. One way is to put a check on every page, as was suggested and as is done in the Struts example. Another way is to provide a custom RequestProcessor -- this is easier than it sounds ...

The "roles" attribute on <action> is processed via the RequestProcessor.processRoles() method. You will want to override this method in a custom RequestProcessor -- something like:

<code>
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

public class CustomRequestProcessor extends RequestProcessor {

    protected boolean processRoles(HttpServletRequest request,
                                   HttpServletResponse response,
                                   ActionMapping mapping)
        throws IOException, ServletException {

        // Is this action protected by role requirements?
        // (An <action> without a roles attribute is treated as public.)
        String roles[] = mapping.getRoleNames();
        if ((roles == null) || (roles.length < 1)) {
            return (true);
        }

        // Check the current user against the list of required roles.
        // "User" is the application's own session object, not a Struts class.
        HttpSession session = request.getSession();
        User user = (User) session.getAttribute("user");
        if (user == null) {
            // Not logged in. Nothing is written to the response on this path,
            // so in practice redirect to the logon page before returning false.
            return false;
        }
        for (int i = 0; i < roles.length; i++) {
            if (user.hasRole(roles[i])) {
                return (true);
            }
        }

        // Logged in, but holds none of the required roles.
        response.sendError(HttpServletResponse.SC_BAD_REQUEST,
            getInternal().getMessage("notAuthorized", mapping.getPath()));
        return (false);
    }
}
</code>

Ralf Bode wrote:
> Hi, I have a portal based on Struts,
> and I have some public actions
> (e.g. for listing news and so on).
> However, my problem is the protected area.
> I have two roles:
> -> customer
> -> supplier
>
> Both login via ONE Action
> (I got their roles via their usernames...).
> Okay, I saved something in session
> and did if(session...) in an action,
> before a user (a logged-in one) could
> do some stuff.
>
> It works okay, but only
> if the user enters a URL like
> host:8080/trashApp/cust/addStuff.do
> (for submitting a form)
> I got validation.errors ...
> because the execute() of my action is not called...
>
> So I figured out that I can use the ROLES attribute
> for <action>. Nice, but this is JAAS, isn't it?
>
> Now the (for me) interesting point:
> can I add a user (or roles) manually in my
> LogonAction.execute()?
> And when, how?
>
> Or how to deal with it generally?
> With two user roles and ONE LogonAction.class?
>
> I also watched the tomcat-app that uses Struts/JAAS for
> authorization, but only with ONE role.
>
> So is there anyone out there who has a tip/solution
> for me?
>
> Thanks a lot!
>
> Ralf

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

--
"This e-mail message may contain confidential, proprietary or legally privileged information. It should not be used by anyone who is not the original intended recipient. If you have erroneously received this message, please delete it immediately and notify the sender. The recipient acknowledges that ICICI Bank or its subsidiaries and associated companies, (collectively "ICICI Group"), are unable to exercise control or ensure or guarantee the integrity of/over the contents of the information contained in e-mail transmissions and further acknowledges that any views expressed in this message are those of the individual sender and no binding nature of the message shall be implied or assumed unless the sender does so expressly with due authority of ICICI Group. Before opening any attachments please check them for viruses and defects."
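An added example, not code from the thread or from Struts itself, showing the logon side of the scheme Bill describes: the session object that processRoles() casts to and asks hasRole(), and the single LogonAction that serves both of Ralf's roles. It targets Struts 1.x; the package name, the AccountDirectory credential lookup and the servlet-context attribute it is read from, the DynaActionForm field names and the forward names are all assumptions.

```java
// Added example, not code from the original thread. Two source files of an
// assumed package "example.security"; file boundaries are marked below.

// ---- User.java ----
package example.security;

import java.io.Serializable;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
 * Application-managed principal kept in the HttpSession. This is the object
 * CustomRequestProcessor.processRoles() reads back and asks hasRole().
 * Immutable, so no later code can grant itself a role; Serializable, so
 * session passivation or replication keeps the roles intact.
 */
public final class User implements Serializable {
    /** Session attribute name; must match the key used in processRoles(). */
    public static final String SESSION_KEY = "user";

    private final String name;
    private final Set<String> roles;

    public User(String name, Set<String> roles) {
        this.name = name;
        this.roles = Collections.unmodifiableSet(new HashSet<String>(roles));
    }

    public String getName() {
        return name;
    }

    /** Role names must match the roles="..." attribute in struts-config.xml exactly. */
    public boolean hasRole(String role) {
        return roles.contains(role);
    }
}

// ---- LogonAction.java ----
package example.security;

import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.DynaActionForm;

/**
 * One logon action for every role: the directory decides whether the caller
 * is a "customer", a "supplier" or both, and the roles travel with the User.
 */
public final class LogonAction extends Action {

    /** Assumed credential store (database, LDAP, ...): role names on success, null on failure. */
    public interface AccountDirectory {
        Set<String> authenticate(String username, String password);
    }

    /** Assumed: the application registers its directory under this context attribute at start-up. */
    static final String DIRECTORY_ATTR = "accountDirectory";

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {

        // Assumed DynaActionForm with "username" and "password" fields.
        DynaActionForm logon = (DynaActionForm) form;
        String username = (String) logon.get("username");
        String password = (String) logon.get("password");

        AccountDirectory directory = (AccountDirectory)
            getServlet().getServletContext().getAttribute(DIRECTORY_ATTR);
        Set<String> roles = directory.authenticate(username, password);
        if (roles == null) {
            // Unknown user and wrong password take the same path: no account enumeration.
            return mapping.findForward("failure");   // assumed forward name
        }

        // Replace the pre-login session so a session id handed out (or planted)
        // before authentication never becomes an authenticated one (session fixation).
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute(User.SESSION_KEY, new User(username, roles));

        return mapping.findForward("success");   // assumed forward name
    }
}
```

Wire the processor in with `<controller processorClass="example.security.CustomRequestProcessor"/>` in struts-config.xml and mark protected mappings with `roles="customer"` or `roles="customer,supplier"`; a comma-separated list is satisfied by any one of the roles, both in Bill's loop and in the stock processRoles(). Two caveats: the check only covers requests that go through the ActionServlet, so JSPs that can be reached by URL should live under WEB-INF (or be covered by a security-constraint in web.xml) rather than relying on the action check; and an <action> without a roles attribute is public, so review every mapping in the config instead of trusting the default.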