We have been using Struts in our company for a while. To deal with authorization in the actions, a guy from our team is implementing the following solution:
Deploy an XML file called struts-config-security-ext.xml that maps each ACTION to a sequence of authorization tokens. Extend the Struts ActionServlet and cache the authorization list found in struts-config-security-ext.xml at initialization. For each action requested, the extended ActionServlet checks security against the authorization token list associated with the requested action. If the user doesn't have all the rights, the action isn't executed. The user information is found in the session, after the login process.

Rodrigo C. Santos

-----Original Message-----
From: Theodas, Jacques [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 12, 2003 13:41
To: Struts Users Mailing List
Subject: RE: Any good suggestions on implementing Security

This is the approach that I have used. Each of my actions declared in struts-config performs a specific function that a user can be authorised to use. I keep a database table of permissions, roles, and groups. The Perform method of each Action checks for 1 or more permissions before allowing execution. If a permission is not present, it forwards to an error page with a message. Permissions are placed in a User object in the session when a user authenticates to the app.

A role can be made up of 1 to many permissions. I assign roles to groups and users to groups. That's how I determine which permissions a user has after authentication.

Constructive criticism or questions are welcome. :)

Jacques

-----Original Message-----
From: Rao, Nagraj [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 12, 2003 9:53 AM
To: 'Struts Users Mailing List'
Subject: RE: Any good suggestions on implementing Security

Well, the best approach I can think of is to keep it separate from the MVC model. You could use a FilterServlet to handle security, which then forwards the request to the Struts framework. Thus making it more "pluggable" than "embedded".

-----Original Message-----
From: Ntolios Christos [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 12, 2003 9:38 AM
To: Struts Users Mailing List
Subject: Any good suggestions on implementing Security

Hi folks,

I was wondering which would be the best approach to implementing security? Basically I have an application and I only want specific groups of people to have access, and I want it to be dynamic. I thought of changing the ActionMappings to have an extra attribute of the groups that satisfy the conditions. Has anybody tried this?

Thanks in advance,
chris

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
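
The check described in the first message of this thread (per-action token lists cached once from XML, every token required), as an added example that is not code from any poster or from Struts. The XML element and attribute names, the class name ActionAuthorizer, and the choice to deny actions that have no mapping are assumptions; the thread does not give the file's format.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class ActionAuthorizer {
    // action path -> tokens the user must ALL hold; built once, then read-only
    private final Map<String, Set<String>> required = new HashMap<>();

    // Assumed layout: <security><action path="/x" tokens="A,B"/></security>
    public ActionAuthorizer(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The file is trusted config, but refuse DOCTYPEs anyway (blocks XXE)
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList actions = doc.getElementsByTagName("action");
        for (int i = 0; i < actions.getLength(); i++) {
            Element a = (Element) actions.item(i);
            Set<String> tokens = new HashSet<>();
            for (String t : a.getAttribute("tokens").split(",")) {
                if (!t.trim().isEmpty()) tokens.add(t.trim());
            }
            required.put(a.getAttribute("path"), tokens);
        }
    }

    // userTokens would come from the user object placed in the session at login
    public boolean isAllowed(String actionPath, Set<String> userTokens) {
        Set<String> needed = required.get(actionPath);
        if (needed == null || userTokens == null) return false; // fail closed
        return userTokens.containsAll(needed);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample configuration and user, for illustration only
        String xml = "<security>"
                + "<action path=\"/editOrder\" tokens=\"ORDER_READ, ORDER_WRITE\"/>"
                + "<action path=\"/viewOrder\" tokens=\"ORDER_READ\"/>"
                + "</security>";
        ActionAuthorizer authz = new ActionAuthorizer(xml);
        Set<String> clerk = new HashSet<>(Arrays.asList("ORDER_READ"));
        System.out.println(authz.isAllowed("/viewOrder", clerk));   // holds every token
        System.out.println(authz.isAllowed("/editOrder", clerk));   // lacks ORDER_WRITE
        System.out.println(authz.isAllowed("/deleteOrder", clerk)); // action not mapped
        System.out.println(authz.isAllowed("/viewOrder", null));    // no session user
    }
}
```

The same `isAllowed` call can sit in an extended ActionServlet or in a servlet filter placed in front of Struts; an action mapped with an empty token list is open to any user who has a token set in the session.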