Piero Sartini wrote:
On Thursday, 8 February 2007, Ian Roughley wrote:
> You probably don't need to send it to an action, you just need to render
> the HTML form for authentication.  So, login.jsp would suffice.  As far
> as s2 is concerned, authentication is completely external.  The role
> interceptor just uses the HttpServletRequest to obtain the roles that
> the current user is logged in under.
>
>> If security is completely external, what is the Interceptor for?
> Authentication is external - not security. The interceptor is there to provide the user's role (from authenticating) to the action, so the action can use it to provide the security constraints that you want in your application.
>> Defining a SecurityConstraint in the web.xml file will prevent unauthorized access as well, wouldn't it?
> Yes.
>> (It seems to be the wrong way to me - I define the actions in struts.xml, I do not see the point to include them in web.xml as well for security)
> It's all about options. I use the web.xml to secure directories, then roles in the action / pages to provide finer level of control.
But the interceptor just responds with a 403 if the user is not authorized - is there no possibility to present another action in this case (the login form?).

Or do I misunderstand this whole thing completely?

----- code -----
    <security-constraint>
        <display-name>Constraint1</display-name>
        <web-resource-collection>
            <web-resource-name>profile</web-resource-name>
            <description>change user profile</description>
            <url-pattern>/EditProfile_input.action</url-pattern>
            <!-- Listing http-method elements limits the constraint to exactly these
                 methods; leave them out entirely and it covers every HTTP method. -->
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>portalUser</role-name>
        </auth-constraint>
    </security-constraint>
----- code -----
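One way to get the login form instead of a bare 403, as an added example written for this thread (not code from Struts or from either poster): subclass the roles interceptor and override its handleRejection extension point, sending anonymous users to a result while users who are logged in with the wrong role still get 403. The package, class, result and action names are assumptions, and /login.jsp is assumed to be the form the external (container) authentication uses.

```java
package example.security;                       // hypothetical package

import javax.servlet.http.HttpServletResponse;
import org.apache.struts2.ServletActionContext;
import org.apache.struts2.interceptor.RolesInterceptor;
import com.opensymphony.xwork2.ActionInvocation;

/**
 * Roles interceptor that renders a Struts result for users who are not
 * logged in at all, while keeping the plain 403 for users who are logged
 * in but hold the wrong role (no redirect loop back to the login form).
 */
public class LoginRedirectRolesInterceptor extends RolesInterceptor {

    // Result name returned for anonymous users; configurable from struts.xml.
    private String loginResult = "login";

    public void setLoginResult(String loginResult) {
        this.loginResult = loginResult;
    }

    @Override
    protected String handleRejection(ActionInvocation invocation,
                                     HttpServletResponse response) throws Exception {
        // The stock implementation does response.sendError(SC_FORBIDDEN) here.
        // Roles come from the container, so "no principal" means "not logged in".
        if (ServletActionContext.getRequest().getUserPrincipal() == null) {
            return loginResult;          // struts.xml maps this to the login form
        }
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return null;                     // response already committed
    }
}

/* struts.xml wiring for the interceptor above (action class name is hypothetical):
 *
 *   <interceptors>
 *     <interceptor name="loginRoles"
 *                  class="example.security.LoginRedirectRolesInterceptor"/>
 *   </interceptors>
 *   <global-results>
 *     <result name="login">/login.jsp</result>
 *   </global-results>
 *   <action name="EditProfile" class="example.EditProfileAction">
 *     <interceptor-ref name="loginRoles">
 *       <param name="allowedRoles">portalUser</param>
 *     </interceptor-ref>
 *     <interceptor-ref name="defaultStack"/>
 *     <result>/editProfile.jsp</result>
 *   </action>
 */
```

If the same URL is also covered by a web.xml security-constraint, the container challenges for credentials before the interceptor ever runs, so the interceptor only decides among already authenticated users.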
