Subject: Re: User Authentication
From: "Vic C." <[EMAIL PROTECTED]>
 ===
This is a web container or a JAAS question.
It is hard to say based on your e-mail if you already did it or you are 
asking how.
Typically, after the Struts application is constructed, JAAS is added. 
Any Servlet 2.2 or Servlet 2.3 container has container based security.
What container are you using?
You would specify the JDBC realm table where the user id is stored.
In web.xml you add a <security-constraint>, <auth-constraint> and 
<login-config>. It will intercept requests to a protected resource, 
authenticate and then forward to the requested page for you. 0 code!
http://www.onjava.com/pub/a/onjava/2001/07/24/tomcat.html
After you read up on JAAS and implement above feel free to ask again.

To extend JAAS is easy. You can use a Servlet API to find the user's role 
and/or name. (Based on that, you can enable and disable menu items in 
Struts-menu. If there is more info, I create a bean in session that is 
populated based on the user's role or name).
The thing about row based security is that it is the same screen and 
fields that display different information. So the thing to do is have 
your action send the user's role or name to the model. The model would 
then, in addition to your regular where, append a where user_id = ?, 
thus only hits would return.
basebeans.com/book.jsp chapter 16 shows how to do row based security.

This is a web container or a JAAS question.
Did I say that already? Everyone ends up following the very old example 
of the Struts sample application and writing the login screen when the 
web container does it for you. CRUFT.

Hth,
Vic


David Bolsover wrote:
> Hi all
> 
> I have a Struts based app to which I need to add some moderately complex
> user access privileges.
> 
> At present, users log-in using form based authentication and I then place a
> User object in session scope which is checked when a user requests a
> particular set of data to find out if the request is legal.  Currently, the
> checks are just on product codes but this needs to be extended - see below.
> 
> All data is held in a centura database
> 
> Each user can access an individual customer account; each customer has
> several product codes, each product code may have several products - I need
> to be able to control the access each user has to the system in a reasonably
> fine-grained manner.
> 
> Also, there are users who can access supplier accounts in similar fashion
> and there may be a future requirement for file access privileges to be
> defined.
> 
> Does anyone have any experience of systems that feature this type of access
> control?
> 
> If so, any hints and tips would be welcome.
> 
> regards
> 
> David Bolsover
> [EMAIL PROTECTED]
> 
> 
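
Added example, not part of the original message or of the book it cites: the row-based filtering described in the reply above, where the action takes the user name from the container (not from a request parameter) and the model appends `user_id = ?` to its regular WHERE clause as a bound parameter. The `orders` table, its columns, the `admin` role and the class and method names are assumptions made for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpServletRequest;

public class RowFilteredOrders {

    // Called from the action: identity comes from container-managed security.
    public static List<String> forRequest(HttpServletRequest request, Connection con,
                                          String productCode) throws SQLException {
        String user = request.getRemoteUser(); // null if the container did not authenticate
        if (user == null) {
            // Fail closed: the resource was not covered by a <security-constraint>.
            throw new SecurityException("unauthenticated request reached a protected action");
        }
        boolean seesAllRows = request.isUserInRole("admin"); // hypothetical role name
        return find(con, productCode, user, seesAllRows);
    }

    // Model: the regular WHERE plus the row filter, every value bound as a parameter.
    static List<String> find(Connection con, String productCode, String user,
                             boolean seesAllRows) throws SQLException {
        StringBuilder sql = new StringBuilder(
                "SELECT order_id FROM orders WHERE product_code = ?");
        if (!seesAllRows) {
            sql.append(" AND user_id = ?"); // fixed text only; values are never concatenated
        }
        try (PreparedStatement ps = con.prepareStatement(sql.toString())) {
            ps.setString(1, productCode);
            if (!seesAllRows) {
                ps.setString(2, user);
            }
            try (ResultSet rs = ps.executeQuery()) {
                List<String> ids = new ArrayList<>();
                while (rs.next()) {
                    ids.add(rs.getString("order_id"));
                }
                return ids;
            }
        }
    }
}
```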

