If the web container supports servlet 2.2 only, then the options are to
either subclass the request processor or create an abstract base
action class to check the roles.
Of course, you can always check the roles in any action's execute method
or in any JSP because you have access to ActionMapping
and HttpServletRequest.

If the web container supports servlet 2.3, I just want to know if there is
any better option, i.e. can we create a servlet filter to check roles? In
other words, can a filter access ActionMapping and HttpServletRequest of a
particular request?

-----------
Reddy Pingili

> -----Original Message-----
> From: Shilpa Vaidya [SMTP:[EMAIL PROTECTED]
> Sent: Friday, June 25, 2004 6:29 AM
> To:   [EMAIL PROTECTED]
> Subject:      Role based filter with struts
> 
>  javen
> perhaps this will help you.....Coz on this mail, I implemented my part
> successfully!!!!
> Since the day I am in great awe....for the Group and their help!!!!
> cheers
> shilpa
> 
> 
> -----Original Message-----
> From: news [mailto:[EMAIL PROTECTED] Behalf Of Bill Siggelkow
> Sent: Friday, June 04, 2004 6:39 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Security and Struts (JAAS?)
> 
> 
> Ralf,
> 
> Forgive me if I misinterpreted what you are asking, but I believe what
> you are wanting to use the Struts "role" attribute on actions for
> application-managed security.
> 
> One way is to put a check on every page as was suggested and is done in
> the Struts example.
> 
> Another way is to provide a custom RequestProcessor -- this is easier
> than it sounds ...
> 
> The "roles" attribute on <action> is processed via the
> RequestProcessor.processRoles() method. You will want to override this
> method in a Custom Request Processor -- something like:
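> <code>
> import java.io.IOException;
> import javax.servlet.ServletException;
> import javax.servlet.http.HttpServletRequest;
> import javax.servlet.http.HttpServletResponse;
> import javax.servlet.http.HttpSession;
> import org.apache.struts.action.ActionMapping;
> import org.apache.struts.action.RequestProcessor;
> 
> // User is the application's own class, stored in the session at logon.
> public class CustomRequestProcessor extends RequestProcessor {
>    protected boolean processRoles(HttpServletRequest request,
>                                HttpServletResponse response,
>                                ActionMapping mapping)
>           throws IOException, ServletException {
> 
>       // Is this action protected by role requirements?
>       String roles[] = mapping.getRoleNames();
>       if ((roles == null) || (roles.length < 1)) {
>         return (true);
>       }
> 
>       // Check the current user against the list of required roles.
>       // getSession(false): do not create a session for an anonymous caller.
>       HttpSession session = request.getSession(false);
>       User user = (session == null)
>           ? null : (User) session.getAttribute("user");
> 
>       if (user != null) {
>         for (int i = 0; i < roles.length; i++) {
>           if (user.hasRole(roles[i])) {
>             return (true);
>           }
>         }
>       }
> 
>       // No user or no matching role: always send a response before
>       // returning false, otherwise the client gets an empty page.
>       response.sendError(HttpServletResponse.SC_FORBIDDEN,
>           getInternal().getMessage("notAuthorized",mapping.getPath()));
>       return (false);
>    }
> }
> </code>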
> 
> Ralf Bode wrote:
> > Hi, i have a portal based on struts.
> > and i have some public action.
> > (e.g for listing news and so on)
> > however.
> > my problem is the protected area.
> > i have two roles.
> > ->customer
> > ->supplier
> >
> > both login via ONE Action
> > (i got their roles via their usernames...)
> > okay, i saved something in session
> > and did if(session...) in an action,
> > before a user (a logged in) could
> > do some stuff.
> >
> > it works okay, but only
> > if the user enters a URL like
> > host:8080/trashApp/cust/addStuff.do
> > (for submitting a form)
> > i got validation.errors ...
> > because the execute() of my action is not called...
> >
> > so i figured out, that i can use ROLES-attribute
> > for <action>. nice, but this is jaas, isn't it?
> >
> > now the (for me) interesting point.
> > can i add a user (or roles) manually in my
> > LogonAction.execute() ?
> > and when, how?
> >
> > or how to deal generally?
> > with two user-roles and ONE-LogonAction.class ?
> >
> > i also watched tomcat-app, that uses struts/jaas for
> > authorization, but only with ONE role.
> >
> > so is there anyone out there who has a tip/solution
> > for me?
> >
> > thanks a lot!
> >
> > Ralf
> 
> 
> 
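
On the question of whether a Servlet 2.3 filter can reach the action's mapping: an added example (not code from any poster in this thread) that looks up the action's configured roles in the ModuleConfig that Struts stores in the ServletContext. It assumes a `*.do` extension mapping, the default module only, and a hypothetical `User` interface standing in for the object kept under the `user` session attribute.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
import org.apache.struts.Globals;
import org.apache.struts.config.ActionConfig;
import org.apache.struts.config.ModuleConfig;

/** Added example: Servlet 2.3 filter mapped to *.do; default Struts module only. */
public class RoleCheckFilter implements Filter {
    /** Hypothetical stand-in for the application's session-scoped user object. */
    public interface User { boolean hasRole(String role); }

    private ServletContext context;

    public void init(FilterConfig cfg) { context = cfg.getServletContext(); }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // ActionServlet publishes the default module's config here at startup
        // (it needs load-on-startup so this is set before the first request).
        ModuleConfig module = (ModuleConfig) context.getAttribute(Globals.MODULE_KEY);
        if (module == null) {
            throw new ServletException("Struts configuration not loaded"); // fail closed
        }

        // Same path Struts derives for an extension mapping: drop ".do".
        String path = request.getServletPath();
        int dot = path.lastIndexOf('.');
        if (dot > path.lastIndexOf('/')) path = path.substring(0, dot);

        ActionConfig action = module.findActionConfig(path);
        String[] roles = (action == null) ? null : action.getRoleNames();
        if (roles != null && roles.length > 0) {
            HttpSession session = request.getSession(false); // never create one here
            User user = (session == null) ? null : (User) session.getAttribute("user");
            boolean allowed = false;
            for (int i = 0; user != null && i < roles.length; i++) {
                allowed |= user.hasRole(roles[i]);
            }
            if (!allowed) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return; // do not continue the chain
            }
        }
        chain.doFilter(req, res);
    }
}
```

Under Servlet 2.3 a filter runs only on the client's original request, so an action reached through a server-side forward is not checked by it; the `processRoles()` override covers that case.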
