That is probably a good idea. I actually extended the existing one to
find required roles from an Annotation rather than the struts.xml
because I am trying to use "Zero Config."  I also found a problem with
my solution, which is that the Servlet Filter does not seem to get
fired before JSPs are rendered, and as such my JAAS wrapper for the
ServletRequest is not used.

Here is my extended RolesInterceptor:

import javax.servlet.http.HttpServletResponse;

import org.apache.struts2.interceptor.RolesInterceptor;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;

public class AnnotatedRolesInterceptor extends RolesInterceptor {

   /**
    * If the invoked action has a RequiredRoles annotation, this
    * interceptor will verify that the JAAS user has the listed roles.
    */
   @Override
   public String intercept(ActionInvocation invocation) throws Exception {

       // Check the required roles. RequiredRoles is the author's own
       // annotation; setAllowedRoles(String) expects a comma-separated
       // list, so value() is taken to return one. Note that Struts shares
       // a single interceptor instance across requests, so setAllowedRoles
       // here mutates shared state on every request.
       RequiredRoles requiredRoles =
               invocation.getAction().getClass().getAnnotation(RequiredRoles.class);
       if (requiredRoles != null) {
           setAllowedRoles(requiredRoles.value());
           return super.intercept(invocation);
       }
       else {
           return invocation.invoke();
       }
   }

   @Override
   protected String handleRejection(ActionInvocation invocation,
           HttpServletResponse response) throws Exception {
       return Action.LOGIN;
   }
}

If you want to bypass the JAAS call, you can override
isAllowed(HttpServletRequest,Object) and provide your own check there.

On a tangent, in order to get this Interceptor to apply to all of my
actions (the presence of my custom @RequiredRoles Annotation
determines whether it will actually restrict access) I had to add the
following to struts.xml:
<struts>
   <package name="default" extends="struts-default">

       <interceptors>
           <interceptor name="annotatedRolesInterceptor"
                        class="palaistra.hermes.web.interceptors.AnnotatedRolesInterceptor"/>
           <interceptor-stack name="roleCheckingDefaultStack">
               <interceptor-ref name="annotatedRolesInterceptor"/>
               <interceptor-ref name="defaultStack"/>
           </interceptor-stack>
       </interceptors>

       <default-interceptor-ref name="roleCheckingDefaultStack"/>

   </package>
</struts>

and then use the @ParentPackage("default") Annotation in all of my Actions.

On 5/4/07, Flemming Seerup <[EMAIL PROTECTED]> wrote:
Thanks, that was what I was looking for.  I will take a look at your
example,
but I'm also considering just writing my own RolesInterceptor ...

F


Quoting Josh Vickery <[EMAIL PROTECTED]>:
> Flemming, if you are not using JAAS, and don't want to interact with
> it, you can fake it by wrapping the HttpServletRequest in a servlet
> filter.  This is the method used by SecurityFilter
> (http://securityfilter.sourceforge.net/) and is very easy to
> implement.
>
> Here are some code snippets:
> A filter, applied to /* in web.xml
>
> public void doFilter(ServletRequest request, ServletResponse response,
>         FilterChain chain) throws IOException, ServletException {
>     // Look up the roles that login stored in the HTTP session
>     HttpSession session = ((HttpServletRequest) request).getSession();
>     UserSession userSession = (UserSession)
>             session.getAttribute(Constants.USER_SESSION);
>     // Wrap the request so isUserInRole() consults the session instead of JAAS
>     request = new JaasRequestWrapper((HttpServletRequest) request,
>             userSession);
>     chain.doFilter(request, response);
> }
>
> and then JaasRequestWrapper.java:
>
> public class JaasRequestWrapper extends HttpServletRequestWrapper {
>
>    private UserSession userSession;
>    public JaasRequestWrapper(HttpServletRequest request, UserSession userSession) {
>        super(request);
>        this.userSession = userSession;
>    }
>
>    @Override
>    public boolean isUserInRole(String role) {
>        return userSession.hasRole(role);
>    }
> }
>
> Where UserSession is something that you store in the session at user
> login containing a list of roles to check against.
>
>
> On 5/2/07, Flemming Seerup <[EMAIL PROTECTED]> wrote:
>> Am I missing something?  I have a working version of an
>> AuthInterceptor, but
>> still no examples on how to control isUserInRole().
>>
>> On manning.com I found a lightbody_src.zip from WW in action, but it doesn't
>> handle roles.
>> Could anybody tell me the location of Mark Mernards blog?
>>
>> /Flemming
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>



----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
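The following is an added example, not code from Josh, Flemming, SecurityFilter or the Struts project. It wires together the two halves discussed in this thread: a filter that wraps the request so isUserInRole() answers from a role set stored in the session, and an annotation-driven RolesInterceptor. Unlike the version above, it overrides isAllowed(HttpServletRequest, Object), the hook the thread mentions, and reads the annotation from the action on each call; that way the single interceptor instance Struts shares across requests never has setAllowedRoles() called on it per request. The package name, the @RequiredRoles definition (any one listed role is enough, matching allowedRoles semantics), the UserSession class and its session attribute key are all assumptions. The wrapper fails closed: a request with no logged-in session holds no roles.

```java
package example.web; // assumed package name; everything in this file is an added example

import java.io.IOException;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;
import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import org.apache.struts2.interceptor.RolesInterceptor;

/** Declares the roles an action needs; holding any one of them is enough (assumed annotation). */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
@interface RequiredRoles {
    String[] value();
}

/** Stored in the HttpSession at login; the role set cannot be changed afterwards. */
final class UserSession implements java.io.Serializable {
    static final String ATTRIBUTE = "example.userSession"; // assumed attribute key
    private final Set<String> roles;

    UserSession(Set<String> roles) {
        this.roles = Collections.unmodifiableSet(new HashSet<String>(roles));
    }

    boolean hasRole(String role) {
        return roles.contains(role);
    }
}

/** Answers isUserInRole() from the session's role set instead of the container realm. */
final class RoleRequestWrapper extends HttpServletRequestWrapper {
    private final UserSession userSession;

    RoleRequestWrapper(HttpServletRequest request, UserSession userSession) {
        super(request);
        this.userSession = userSession;
    }

    @Override
    public boolean isUserInRole(String role) {
        // Fail closed: a request without a logged-in session holds no roles at all.
        return userSession != null && userSession.hasRole(role);
    }
}

/** Mapped to /* in web.xml; add <dispatcher>FORWARD</dispatcher> to the mapping if forwarded JSPs must also pass through it. */
final class RoleFilter implements Filter {
    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false); // do not create a session just to read it
        UserSession user = (session == null) ? null
                : (UserSession) session.getAttribute(UserSession.ATTRIBUTE);
        chain.doFilter(new RoleRequestWrapper(request, user), res);
    }
}

/** Reads @RequiredRoles per call inside isAllowed(), so the shared instance holds no per-request state. */
public class AnnotatedRolesInterceptor extends RolesInterceptor {

    @Override
    protected boolean isAllowed(HttpServletRequest request, Object action) {
        RequiredRoles required = action.getClass().getAnnotation(RequiredRoles.class);
        if (required == null) {
            return true; // unannotated action: not restricted by this interceptor
        }
        for (String role : required.value()) {
            if (request.isUserInRole(role)) { // answered by RoleRequestWrapper above
                return true;
            }
        }
        return false;
    }

    @Override
    protected String handleRejection(ActionInvocation invocation, HttpServletResponse response)
            throws Exception {
        return Action.LOGIN; // send the caller to the login result rather than a bare 403
    }
}
```

The parent intercept() already calls isAllowed() and, on false, handleRejection(), so nothing else needs overriding; the struts.xml above registers the class unchanged. Because a filter-mapping applies only to REQUEST dispatches unless it lists the FORWARD dispatcher, that mapping is the first thing to check when a JSP reached by forward does not appear to see the wrapper.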