I tend to think the action is the wrong place for this sort of thing. I
could be wrong but that's just how it occurs to me. It seems that this
should either be handled in front of your web application (using
cma/filters) or by the front controller components in the struts
framework (NOTE: requests that do not map to the controller servlet,
like requests directly to a jsp page, will not invoke your request
processing logic). 

Struts also helps you along here. It provides a way for you to
*declare*, along with each action mapping (in struts-config.xml), a
specific set of roles that have access to the given action. Then, the
RequestProcessor defines the method processRoles() that you are free to
override, but by default it will invoke:

request.isUserInRole(someRole)

for each role declared in the action mapping. If the user is found to be
included in any of the roles then processRoles() returns true, otherwise
it returns false. True is also returned in the case where no roles are
declared on the action mapping. Check out the struts source for more
detail...

Unless you use the cma/filters approach (and I haven't, so I don't know
what the issues are there), there will still be some details for you to
work out with respect to getting an authenticated user into the session.
This could be handled in a number of different ways. One that occurs to
me, off the top of my head, would be to wire a login page into the page
that is forwarded when processRoles() returns false...

There may be some mistruths in what I have said here; I am currently
working through some of this stuff, but in general I think the idea is
sound. Certainly having declarative security is something that you
should strive for...

If anyone has feedback on what I've said here, I would love to hear it! 

Thanks & Good Luck,

Troy
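
As an added illustration of the declarative approach described above (example code, not Troy's nor from the Struts distribution), assuming Struts 1.1's `roles` attribute on action mappings, the `RequestProcessor.processRoles()` hook, and hypothetical login/denied paths:

```java
// Added example: a RequestProcessor subclass that keeps Struts' declarative
// role check but sends unauthenticated users to a login page instead of the
// default error response. Assumes Struts 1.1 (roles attribute on <action>).
//
// struts-config.xml (constructed sample, hypothetical class names):
//   <action path="/admin/users" type="example.ListUsersAction"
//           roles="admin,auditor" />
//   <controller processorClass="example.SecureRequestProcessor" />
package example;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

public class SecureRequestProcessor extends RequestProcessor {

    // Hypothetical paths, relative to the web application's context root.
    private static final String LOGIN_PAGE = "/login.do";
    private static final String DENIED_PAGE = "/denied.do";

    protected boolean processRoles(HttpServletRequest request,
                                   HttpServletResponse response,
                                   ActionMapping mapping)
            throws IOException, ServletException {
        String[] roles = mapping.getRoleNames();
        // No roles declared on the mapping: the action is open, as in the default.
        if (roles == null || roles.length == 0) {
            return true;
        }
        for (int i = 0; i < roles.length; i++) {
            // The container decides role membership (container-managed auth).
            if (request.isUserInRole(roles[i])) {
                return true;
            }
        }
        // Not authorised. Distinguish "not logged in" from "logged in but
        // lacking the role": the former goes to the login page, the latter to
        // an access-denied page. Bookmarked or guessed *.do URLs still hit
        // this check because every such request passes through the processor.
        String target = (request.getUserPrincipal() == null)
                ? LOGIN_PAGE : DENIED_PAGE;
        response.sendRedirect(response.encodeRedirectURL(
                request.getContextPath() + target));
        return false;
    }
}
```

Requests that bypass the controller servlet (a JSP fetched directly) never reach this method, so the JSPs still need to live under WEB-INF or be protected by the container.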


On Tue, 2002-07-30 at 12:59, Nelson, Tracy (ETW) wrote:
> I'd have each form check authorization.  That way, if someone bookmarks a
> page (or guesses its URL) they won't bypass your security scheme.  You could
> have a global exception set up in your configuration file that forwards to
> an "Access denied" page whenever one of your forms threw a UserNotAuthorized
> exception.  (NOTE: I am just learning Struts and haven't even written my
> first application using it yet.  I may not know what I am talking about.)
> 
> Cheers!
> -- Tracy
> 
> -----Original Message-----
> From: Ryan Cuprak [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 30, 2002 11:53
> To: [EMAIL PROTECTED]
> Subject: Security and Struts
> 
> 
> 
> Hello,
>  I was hoping someone would have some advice on securing a website using
> struts. I am developing a webapp that has to be secure (password protected)
> and which restricts access to different parts of the site depending on the
> roles a user possesses. The roles each user has are stored as XML in a
> database and may be configured by an administrator. Does struts have any
> built-in security capabilities that I could take advantage of?
> 
> 
>  Any help/pointers would be much appreciated!
> 
>  My first guess would be to put all jsp pages in WEB-INF (use only
> ForwardAction to get to each page) and subclass ActionServlet with the logic
> for checking authentication etc. However, will this cause any problems when it
> comes to a user bookmarking a page?
> 
> Thanks,
> -Ryan Cuprak
> 
> 
> 
> --
> To unsubscribe, e-mail:
> <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail:
> <mailto:[EMAIL PROTECTED]>
> 
> 
> 