if your security is simple - fixed roles to access certain actions...
i created a custom role interceptor added it to the interceptor stack and then
just added struts.xml definitions with
<interceptor-ref name="stackWithRoles">
<param name="customRole.allowedRoles">member</param>
</interceptor-ref>
the allowedRoles value can be comma separated to allow multiple roles, then
struts will check whether the user has this role (by calling interceptor) and
if not will not allow them to access the action.
only coding is creating the interceptor.
ps. my user is kept in the session as are their roles once logged in.
adam
----------------------------------------
> From: cosm...@gmail.com
> Date: Fri, 16 Apr 2010 11:28:05 +0800
> Subject: Re: Basic security problem
> To: user@struts.apache.org; cimba...@cimballi.net
>
> Thank you for answers.
>
> Your method looks good Cimbali. But do you think it would be really better
> than an object which describe the role of the user stored in the session map
> ?
>
> At firstline of each action in java, i would have:
> 'if (role.hasRighMethodName == true) ..
>
> Do you think your method is more convinient and more secured, or it's
> basicly the same ?
>
> On Fri, Apr 16, 2010 at 11:15 AM, Cimballi wrote:
>
>> Hi Stephane,
>>
>> As Kun says, you have to test the role in your action.
>> One way to do it it to have a super action with a permission property,
>> and you set the permission property with a static param in your struts
>> xml files using the StaticParameters interceptor.
>> Then, you add a hasPermission method to your super class, and you
>> write a PermissionInterceptor which calls the hasPermission method.
>> Finally you add the PermissionInterceptor interceptor to your stack on
>> all protected actions.
>>
>> Cimballi
>>
>>
>> On Thu, Apr 15, 2010 at 9:39 PM, Kun Niu wrote:
>>> You should check the authentication all by yourself in your action.
>>>
>>> Stephane Cosmeur wrote:
>>>>
>>>> Hello struts users
>>>>
>>>> I have a really basic security problem and i would like to know what is
>>>> the
>>>> best practice to resolve it.
>>>>
>>>> I have an application with an authentification system and diffrent
>> rights
>>>> for diffrent type of user. To add or remove a link/fonctionnality, we
>>>> simply
>>>> declarate the element in a balise. But the problem is the
>>>> actions are still available by typing URL in bar address.
>>>>
>>>> How can i fix it ?
>>>>
>>>> Regards,
>>>>
>>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
>>> For additional commands, e-mail: user-h...@struts.apache.org
>>>
>>>
>>
>>
>>
>> --
>> Cimballi
>> JAVA J2EE Freelance
>> http://cimballi.elance.com/
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
>> For additional commands, e-mail: user-h...@struts.apache.org
>>
>>
>
>
> --
> Stéphane Cosmeur
> 06 33 54 36 04
_________________________________________________________________
http://clk.atdmt.com/UKM/go/197222280/direct/01/
Do you have a story that started on Hotmail? Tell us now
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
