One more thing: I commented out the code inside the isAuthorized() method in SecureAction.java. I recompiled, and logging in as turbine_root still works. I suspect the authentication is done somewhere else. Of course this is just a desperate wild guess.
Help is much appreciated.

michael

> Sorry, I am making things too complicated.
>
>> Let's assume that your site's URL is http://myapp.com/app/servlet/app.
>>
>> Your implementation of the login action is in the package
>> modules.actions.Login. Your Login action extends SecureAction which
>> extends VelocitySecureAction. I will also assume that your
>> SecureAction class provides an implementation of the isAuthorized()
>> method and nothing else.
>
> Yes, I have arranged my files so that they do follow this assumption.
>
> Login.java extends SecureAction.java extends VelocitySecureAction.java
> SecureAction.java implements isAuthorized() method as well as
> doPerform() <---- compiler complains otherwise.
>
>> Now, Turbine will check the name of the action (login) to see if it
>> matches actions.login in TR.props. If it does, it clears out
>> everything in the session and then executes the action. It actually
>> calls
>> Login.perform(data). This method exists in the VelocitySecureAction
>> class. If the result of isAuthorized() is true, it will call the
>> doPerform(data,context) method of your Login action.
>
> Previously, I did not have an isAuthorized() method in my Login class. But
> the doPerform() method has a couple of lines of code to redirect users
> depending on their role. It worked as long as the user logging in had
> the role turbine_root.
>
> But I do not want this turbine_root role to be assigned to every user.
> And this is where I got stuck.
>
>> It is very important that you override isAuthorized in your Login
>> class to always return true. You could also avoid having to do this
>> by simply inheriting from VelocityAction instead.
>
> I tried modifying the code in the SecureAction class:
>
> protected boolean isAuthorized( RunData data ) throws Exception {
>     boolean isAuthorized = false;
>     AccessControlList acl = data.getACL();
>     if (acl == null || ! acl.hasRole("viewedit"))
>     //if (acl == null || ! acl.hasRole("turbine_root"))
>     { isAuthorized = false; }
>     else if(acl.hasRole("viewedit"))
>     //else if(acl.hasRole("turbine_root"))
>     { isAuthorized = true; }
>     return isAuthorized;
> }
>
> But it does not work. Then I overrode the isAuthorized() method in my
> Login class; it still did not work. What puzzles me was, once I assign
> the role turbine_root to the user, I can log on and the following code
> in the doPerform() method would work and channel the user to different
> directories depending on their role assigned. Why did it not work in the
> beginning? Does it have anything to do with the AccessControlList not
> being populated at the start?
>
> thanks
> michael
>
> --
> To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
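
The control flow described in the quoted reply (perform() calls isAuthorized(), and only then doPerform()), as an added, simplified model that is not part of the original thread and is not Turbine's own code. The classes are stand-ins named after the ones in the thread; the `Acl` record, the return strings, and the case where no ACL exists yet when the login action runs are assumptions made for illustration.

```java
import java.util.Set;

// Simplified stand-ins for the classes named in the thread (not Turbine's API).
public class SecureActionModel {
    // Hypothetical ACL: just a set of role names.
    record Acl(Set<String> roles) {
        boolean hasRole(String role) { return roles.contains(role); }
    }

    // Models VelocitySecureAction: perform() gates doPerform() on isAuthorized().
    static abstract class SecureBase {
        final String perform(Acl acl) {
            return isAuthorized(acl) ? doPerform(acl) : "denied";
        }
        protected abstract boolean isAuthorized(Acl acl);
        protected abstract String doPerform(Acl acl);
    }

    // Models SecureAction: deny by default, allow only the "viewedit" role.
    // A missing ACL is treated as "not authorized", never as an error or a pass.
    static class SecureAction extends SecureBase {
        @Override protected boolean isAuthorized(Acl acl) {
            return acl != null && acl.hasRole("viewedit");
        }
        @Override protected String doPerform(Acl acl) { return "secure page"; }
    }

    // Models Login: it has to run for users who hold no role yet, so it
    // overrides isAuthorized() to return true, as the quoted reply advises.
    static class Login extends SecureAction {
        @Override protected boolean isAuthorized(Acl acl) { return true; }
        @Override protected String doPerform(Acl acl) {
            if (acl == null) return "login ran, no ACL yet";
            return acl.hasRole("viewedit") ? "redirect: viewedit area"
                                           : "redirect: default area";
        }
    }

    public static void main(String[] args) {
        Acl none = null;                          // constructed: state before login
        Acl editor = new Acl(Set.of("viewedit")); // constructed sample user
        System.out.println(new SecureAction().perform(none));
        System.out.println(new SecureAction().perform(editor));
        System.out.println(new Login().perform(none));
        System.out.println(new Login().perform(editor));
    }
}
```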
