Ralf,
Forgive me if I misinterpreted what you are asking, but I believe what you are wanting is to use the Struts "role" attribute on actions for application-managed security.
One way is to put a check on every page as was suggested and is done in the Struts example.
Another way is to provide a custom RequestProcessor -- this is easier than it sounds ...
The "roles" attribute on <action> is processed via the RequestProcessor.processRoles() method. You will want to override this method in a Custom Request Processor -- something like:
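<code>
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

public class CustomRequestProcessor extends RequestProcessor {

    protected boolean processRoles(HttpServletRequest request,
                                   HttpServletResponse response,
                                   ActionMapping mapping)
            throws IOException, ServletException {

        // Is this action protected by role requirements?
        String roles[] = mapping.getRoleNames();
        if ((roles == null) || (roles.length < 1)) {
            return (true);
        }

        // Check the current user against the list of required roles.
        // User is the application's own class, stored in the session at logon.
        HttpSession session = request.getSession();
        User user = (User) session.getAttribute("user");

        if (user == null) {
            return false;
        }

        for (int i = 0; i < roles.length; i++) {
            if (user.hasRole(roles[i])) {
                return (true);
            }
        }

        // No matching role: report the error and stop processing the request
        response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                getInternal().getMessage("notAuthorized", mapping.getPath()));
        return (false);
    }
}
</code>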
Ralf Bode wrote:
Hi, i have a portal based on struts. and i have some public action. (e.g for listing news and so on) however. my problem is the protected area. i have two roles. ->customer ->supplier
both login via ONE Action (i got their roles via their usernames...) okay, i saved something in session and did if(session...) in an action, before a user (a logged in) could do some stuff.
it works okay, but only if the user enters a URL like host:8080/trashApp/cust/addStuff.do (for submitting a form) i got validation.errors ... because the execute() of my action is not called...
so i figured out, that i can use ROLES-attribute for <action>. nice, but this is jaas, isn't it?
now the (for me) interesting point.
can i add a user (or roles) manually in my LogonAction.execute() ?
and when, how?
or how to deal generally? with two user-roles and ONE-LogonAction.class ?
i also watched tomcat-app, that uses struts/jaas for authorization, but only with ONE role.
so is there anyone out there, who has a tip/solution for me?
thanks a lot!
Ralf
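
Added example (not part of the original thread, and not Struts sample code): the logon side that the `processRoles()` override in the reply depends on, with one action serving both the customer and supplier roles. The `User` class, the `UserDirectory` interface, the `userDirectory` context attribute, the request parameter names and the forward names are all assumptions made for illustration.

```java
// Added example; assumes Struts 1.x and the servlet API on the classpath.
// struts-config.xml side (role names and path taken from the question):
//   <controller processorClass="CustomRequestProcessor"/>
//   <action path="/cust/addStuff" roles="customer" ... />
import java.util.*;
import javax.servlet.http.*;
import org.apache.struts.action.*;

// Hypothetical session object; processRoles() in the reply calls hasRole() on it.
class User implements java.io.Serializable {
    private final String name;
    private final Set<String> roles;
    User(String name, Collection<String> roles) {
        this.name = name;
        this.roles = Collections.unmodifiableSet(new HashSet<String>(roles));
    }
    public String getName() { return name; }
    public boolean hasRole(String role) { return roles.contains(role); }
}

// Hypothetical credential store: role names for a valid login, null if rejected.
interface UserDirectory {
    Collection<String> authenticate(String username, String password);
}

public class LogonAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        String username = request.getParameter("username");   // assumed field name
        String password = request.getParameter("password");   // assumed field name
        UserDirectory directory = (UserDirectory)
                getServlet().getServletContext().getAttribute("userDirectory");
        Collection<String> roles = (username == null || password == null)
                ? null : directory.authenticate(username, password);
        if (roles == null) {
            return mapping.findForward("failure");             // assumed forward name
        }
        // Discard the pre-login session so its id is not carried into the
        // authenticated session.
        HttpSession old = request.getSession(false);
        if (old != null) { old.invalidate(); }
        // Store the user under the same key that processRoles() reads.
        HttpSession session = request.getSession(true);
        session.setAttribute("user", new User(username, roles));
        return mapping.findForward("success");                 // assumed forward name
    }
}
```

Because the role check runs in the request processor before form validation and `execute()`, a request to a protected `.do` URL without a matching role is rejected centrally and needs no per-action session test.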