Yes, this makes excellent sense. And this is basically along the lines of
what I think we may do, but I am wondering if you could just filter the
action itself using Filters before it even gets to Struts, and if they don't
have permission to perform that action then it never even makes it to
Struts?

Also, another question that has been burning in my mind that I haven't been
able to figure out: let's suppose we run a Struts action, it is successful, so
its ActionMapping forward is to test.jsp. When it forwards to test.jsp, does
the Tomcat server parse back through the web.xml to see what servlet is
supposed to get that test.jsp, or does it do something else?

-David

----- Original Message ----- 
From: "Jamie M. Guillemette" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
Sent: Thursday, July 03, 2003 1:43 PM
Subject: Re: Webapp Security?


> Hi David...
>
> Here is what we did.
>
> we did not use the roles framework for security ( logins ); instead we
> created our own as we needed a more robust rights framework ( ours had to be
> context sensitive as per the application.. ie.. if the data is true then these
> are your current rights .. if not they may be different )
>
>
>
> as all Struts programmers should do :) we have extended the Action using our
> own SecuredActionBase object and then all of our actions extend it ...
>
> Each action has a right assigned to it. You must have the right to view this
> page / module / section.. The right check is made when the action is first
> run ( by the SecuredActionBase object ) and then control is released to the
> action that extended it.. so that the actual business logic can be run. If
> the security test failed we forward them back to the main screen ( same one
> they get after logging in )
>
> Hope I made sense; if not, let me know.
>
> JMG
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
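Jamie's SecuredActionBase pattern and the servlet Filter approach David asks about, side by side, as an added Java example that is not code from either poster. It assumes Struts 1 (`Action`, `ActionMapping`, `ActionForward`), that the application's own rights framework stores the user's rights in the session under an attribute named "rights", and the action paths and right names shown; all of those names are hypothetical.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;
import org.apache.struts.action.*;

// Assumed: the login code stores the user's rights in the session under "rights" as a Set of names.
final class Rights {
    static boolean has(HttpServletRequest req, String right) {
        HttpSession session = req.getSession(false);
        if (session == null) return false;
        Object rights = session.getAttribute("rights");
        return rights instanceof Set && ((Set<?>) rights).contains(right);
    }
    // Map an action path to the right it needs; unmapped paths are denied by default (hypothetical names).
    static String requiredFor(String servletPath) {
        if (servletPath.startsWith("/editOrder")) return "ORDER_EDIT";
        if (servletPath.startsWith("/viewOrder")) return "ORDER_VIEW";
        return null;
    }
}

// Option 1 (David's question): a Filter mapped to *.do in web.xml rejects the request before ActionServlet sees it.
public class RightsFilter implements Filter {
    public void init(FilterConfig config) {}
    public void destroy() {}
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String needed = Rights.requiredFor(req.getServletPath());
        if (needed == null || !Rights.has(req, needed)) {
            res.sendRedirect(req.getContextPath() + "/main.do"); // back to the post-login screen
            return;
        }
        chain.doFilter(rq, rs);
    }
}

// Option 2 (Jamie's pattern): the base Action checks the right, then hands control to the subclass.
abstract class SecuredActionBase extends Action {
    protected abstract String requiredRight();
    protected abstract ActionForward executeSecured(ActionMapping m, ActionForm f,
            HttpServletRequest req, HttpServletResponse res) throws Exception;
    public final ActionForward execute(ActionMapping m, ActionForm f,
            HttpServletRequest req, HttpServletResponse res) throws Exception {
        if (!Rights.has(req, requiredRight())) return m.findForward("main");
        return executeSecured(m, f, req, res); // business logic runs only after the check passed
    }
}
```

The filter only runs if web.xml maps it to the action extension (e.g. *.do); an ActionForward to test.jsp is an internal RequestDispatcher forward that Servlet 2.3 filters do not see, so keep the base-action check as well and place the JSPs under WEB-INF so they cannot be requested directly.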


