struts-dev mailing list archives

From <atitu...@verizon.net>
Subject extending AuthorizeAction command in the composable request processor chain
Date Fri, 06 Apr 2007 21:28:53 GMT
Hello Everyone, 

I've been working on a web application here and I've come up with a situation where I feel
that extending the AuthorizeAction command class would be a quality solution to a challenge
I am facing. When I complete this I would be willing to contribute this back for others to
use.  Here is some necessary background on what I am trying to do. Sorry for the length on
this:

The application I am working on has complex requirements for role-based authorization checks.
When the check fails and the user is not authorized, we do not want to just throw an exception
or report an error.  We want to direct the user to a page with instructions on how they can
become authorized. Many of the actions will have different requirements, and therefore different
checks and different pages with different instructions.  

I came up with what I thought was an elegant and cheerfully easy way to do this, but it has
not been so easy as I thought. In the struts-config.xml file I define the action, including
its roles, and I include a forward for where the instructions are located for users who fail
the authorization checks. Here is an example of one of these actions: 

<action path="/orders/create" 
        type="mypkg.CreateOrderAction"
        roles="createOrders">
        <forward name="unauthorized" 
                 path="/help/ordersHowTo.do"
                 redirect="true"/>
</action>

I then wrote a class to replace the default AuthorizeAction class which is part of Struts.
It contains the complex logic which checks to see if the user has the createOrders role or
not. If they do, it would return false to allow the chain to continue. If not, it would retrieve
the ForwardConfig for "unauthorized", add it to the context, and then return true to break
what I was hoping was the "process-action" sub-chain, and then the "process-view" chain which
executes next would retrieve the ForwardConfig from the context and then send the user there.
Unfortunately this does not work the way I was anticipating :-( 

What happens is that the chain stops completely at that point. This is where I get into trouble
and I am hoping someone can point me in the right direction. Here is what the default servlet
processing chain looks like for me: 

<chain name="servlet-standard">

  <!-- Establish exception handling filter -->
  <command className="org.apache.struts.chain.commands.ExceptionCatcher"
           catalogName="struts"
           exceptionCommand="servlet-exception"/>

  <lookup catalogName="struts"
          name="process-action"
          optional="false"/>

  <lookup catalogName="struts"
          name="process-view"
          optional="false"/>

</chain>

Is there a way that I can terminate the "process-action" chain early but still have it execute
the "process-view" chain after? I will greatly appreciate any help or suggestions that you
can offer. 

Best Regards, 
Aaron Titus

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
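
The chain behaviour described in the message above, as an added example that is not part of the original post and is not Struts or Commons Chain code: a dependency-free Java model in which a command returning true inside a looked-up sub-chain also stops the parent chain, unless the lookup ignores that result. The ignoreResult flag models the ignoreExecuteResult property of Commons Chain's LookupCommand (available since Commons Chain 1.1). The class and variable names and the /orders/created.jsp path are constructed for illustration.

```java
import java.util.*;

// Added illustration: a dependency-free model of chain semantics, not Struts code.
public class AuthorizeChainDemo {
    interface Command { boolean execute(Map<String, Object> ctx); } // true = stop

    // A chain stops at the first command that returns true and returns that value.
    static Command chain(Command... cmds) {
        return ctx -> {
            for (Command c : cmds) if (c.execute(ctx)) return true;
            return false;
        };
    }

    // Models <lookup>: the sub-chain result reaches the parent unless it is ignored.
    static Command lookup(Command target, boolean ignoreResult) {
        return ctx -> target.execute(ctx) && !ignoreResult;
    }

    static Map<String, Object> run(Set<String> userRoles, boolean ignoreResult) {
        Command authorize = ctx -> {
            if (userRoles.contains("createOrders")) return false;   // authorized: continue
            ctx.put("forward", "/help/ordersHowTo.do");              // the "unauthorized" forward
            return true;                                             // abort process-action
        };
        // The protected action: must never run for an unauthorized user.
        Command executeAction = ctx -> { ctx.put("actionRan", true); return false; };
        // process-view: send the user to whatever forward is in the context.
        Command performForward = ctx -> {
            ctx.put("sentTo", ctx.getOrDefault("forward", "/orders/created.jsp"));
            return false;
        };
        Command servletStandard = chain(
            lookup(chain(authorize, executeAction), ignoreResult),  // process-action
            lookup(chain(performForward), false));                  // process-view
        Map<String, Object> ctx = new HashMap<>();
        servletStandard.execute(ctx);
        return ctx;
    }

    public static void main(String[] args) {
        Set<String> none = Set.of(), ok = Set.of("createOrders");
        System.out.println("pass-through, unauthorized: " + run(none, false));
        System.out.println("ignored,      unauthorized: " + run(none, true));
        System.out.println("ignored,      authorized:   " + run(ok, true));
    }
}
```

In both unauthorized runs the action command is never reached, so the check fails closed; only the run that ignores the sub-chain result goes on to process-view and records the help page as the destination.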
