2008/12/11 Lyallex <[EMAIL PROTECTED]>:
> Hi Experts
>
> I have an application that supports a number of roles including staff
> and manager

Er, apologies for this ... another google search has uncovered
http://struts.apache.org/2.0.14/struts2-core/apidocs/org/apache/struts2/interceptor/RolesInterceptor.html
It seems to do what I wanted ... there is another problem which I will try
to solve before posting again.

looks sheepish :-(

> I have a resource (/secure/staff/staff.jsp) that is protected by a
> security constraint in web.xml
>
> <security-constraint>
>     ...
>     <web-resource-collection>
>         ...
>         <url-pattern>/secure/staff/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>         <role-name>staff</role-name>
>     </auth-constraint>
> </security-constraint>
>
> ...
>
> If I log in as a manager and try to directly access
> ../myapp/secure/staff/staff.jsp I get a 403 Forbidden
>
> If I log in as a manager and try to access the resource via an action
> that forwards to the resource on SUCCESS
> for example ../myapp/SomeAction.action is defined in staff.xml (which
> is included in struts.xml) thusly
>
> <action name="AddStaffAccount" class="foo.bar.baz.SomeAction"
>         method="someMethod">
>     <result name="success">/secure/staff/staff.jsp</result>
>     ...
> </action>
>
> I get access to the protected resource even though I am logged in as
> an account that does not have that role.
>
> I'm relatively new to Struts having mostly developed in plain old J2EE
> jsp/servlets
>
> Somehow I need to be able to apply the security constraint when the
> action forwards to the resource on success.
> I really don't want to have to start testing roles in my actions as
> this seems to negate the benefits of using declarative security.
>
> I can't find anything about this in my book (Struts2 in Action).
>
> Any advice much appreciated
>
> Thanks
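Added example, not part of the thread or the poster's staff.xml: the behaviour described above is by design, since the servlet container evaluates web.xml security constraints only on the incoming client request and not on a RequestDispatcher forward to the result JSP, so the check has to be attached to the action. This configuration applies the RolesInterceptor linked above (registered as "roles" by struts-default) through a package-wide stack; the stack name staffStack is an assumption of this example.

```xml
<!-- Added example, not the poster's staff.xml. The web.xml constraint
     stays in place for direct requests to /secure/staff/*; this adds the
     same role check to the action, before any result forwards there. -->
<package name="staff" extends="struts-default">

    <interceptors>
        <!-- "staffStack" is an assumed name for this example -->
        <interceptor-stack name="staffStack">
            <interceptor-ref name="roles">
                <!-- comma-separated list; a caller who holds none of these
                     roles is rejected (403) before someMethod ever runs -->
                <param name="allowedRoles">staff</param>
            </interceptor-ref>
            <interceptor-ref name="defaultStack"/>
        </interceptor-stack>
    </interceptors>

    <!-- Make the checked stack the default for the whole package, so an
         action that forgets its interceptor-ref fails closed, not open. -->
    <default-interceptor-ref name="staffStack"/>

    <action name="AddStaffAccount" class="foo.bar.baz.SomeAction"
            method="someMethod">
        <result name="success">/secure/staff/staff.jsp</result>
    </action>

</package>
```

With this in place a manager requesting AddStaffAccount.action is rejected by the interceptor, and the role names used here must match the roles the container maps for web.xml, since the interceptor relies on the same isUserInRole check.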

