struts-dev mailing list archives

From Laurie Harper <>
Subject Re: extending AuthorizeAction command in the composable request processor chain
Date Sat, 07 Apr 2007 19:02:22 GMT
This is a question for the users list. The dev list is for the 
discussion of developing Struts itself. Please re-post to the users list.

L. wrote:
> Hello Everyone,
> I've been working on a web application here and I've come up with a
> situation where I feel that extending the AuthorizeAction command class
> would be a quality solution to a challenge I am facing. When I complete
> this I would be willing to contribute this back for others to use. Here is
> some necessary background on what I am trying to do. Sorry for the length on
> The application I am working on has complex requirements for role-based
> authorization checks. When the check fails and the user is not authorized,
> we do not want to just throw an exception or report an error. We want to
> direct the user to a page with instructions on how they can become
> authorized. Many of the actions will have different requirements, and
> therefore different checks and different pages with different instructions.
> I came up with what I thought was an elegant and cheerfully easy way to do
> this, but it has not been so easy as I thought. In the struts-config.xml
> file I define the action, including its roles, and I include a forward for
> where the instructions are located for users who fail the authorization
> checks. Here is an example of one of these actions:
> <action path="/orders/create" 
>         type="mypkg.CreateOrderAction"
>         roles="createOrders">
>         <forward name="unauthorized" 
>                  path="/help/"
>                  redirect="true"/>
> </action>
> I then wrote a class to replace the default AuthorizeAction class which is
> part of Struts. It contains the complex logic which checks to see if the
> user has the createOrders role or not. If they do, it would return false to
> allow the chain to continue. If not, it would retrieve the ForwardConfig
> for "unauthorized", add it to the context, and then return true to break
> what I was hoping was the "process-action" sub-chain, and then the
> "process-view" chain which executes next would retrieve the ForwardConfig
> from the context and then send the user there. Unfortunately this does not
> work the way I was anticipating :-(
> What happens is that the chain stops completely at that point. This is
> where I get into trouble and I am hoping someone can point me in the right
> direction. Here is what the default servlet processing chain looks like for
> me:
> <chain name="servlet-standard">
>   <!-- Establish exception handling filter -->
>   <command className="org.apache.struts.chain.commands.ExceptionCatcher"
>            catalogName="struts"
>            exceptionCommand="servlet-exception"/>
>   <lookup catalogName="struts"
>           name="process-action"
>           optional="false"/>
>   <lookup catalogName="struts"
>           name="process-view"
>           optional="false"/>
> </chain>
> Is there a way that I can terminate the "process-action" chain early but
> still have it execute the "process-view" chain after? I will greatly
> appreciate any help or suggestions that you can offer.
> Best Regards, 
> Aaron Titus
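
The chain behaviour described in the quoted message, as an added example that is not part of the original thread or of Struts: a self-contained Java model of why a `true` returned by the authorization command inside "process-action" also stops "servlet-standard" before "process-view" runs. `Command`, `chain`, `lookup`, `step`, `run` and the `ignoreResult` flag are assumptions of this model, not the Commons Chain API.

```java
import java.util.*;
// Minimal model of the chain-of-responsibility contract (hypothetical classes, not the Commons Chain API).
public class ChainModel {
    interface Command { boolean execute(Map<String, Object> ctx); } // true = processing complete, stop

    // A chain runs its commands in order and stops at the first one that returns true.
    static Command chain(Command... cmds) {
        return ctx -> {
            for (Command c : cmds) if (c.execute(ctx)) return true;
            return false;
        };
    }

    // A lookup delegates to a sub-chain and passes its result up to the parent chain.
    // ignoreResult (an assumption of this model) reports false instead, so the parent continues.
    static Command lookup(Command target, boolean ignoreResult) {
        return ctx -> target.execute(ctx) && !ignoreResult;
    }

    // A command that records its name in the trace and lets the chain continue.
    static Command step(String name) {
        return ctx -> { trace(ctx).add(name); return false; };
    }

    @SuppressWarnings("unchecked")
    static List<String> trace(Map<String, Object> ctx) {
        return (List<String>) ctx.computeIfAbsent("trace", k -> new ArrayList<String>());
    }

    // Stand-in for the replacement AuthorizeAction described in the message.
    static final Command AUTHORIZE = ctx -> {
        trace(ctx).add("AuthorizeAction");
        if (Boolean.TRUE.equals(ctx.get("hasRole"))) return false; // authorized: continue
        ctx.put("forwardConfig", "unauthorized");                  // where the view should send the user
        return true;                                               // stop: the action must not execute
    };

    static List<String> run(boolean hasRole, boolean ignoreResult) {
        Command processAction = chain(AUTHORIZE, step("ExecuteAction"));
        Command processView = chain(step("PerformForward"));
        Command servletStandard = chain(lookup(processAction, ignoreResult), lookup(processView, false));
        Map<String, Object> ctx = new HashMap<>();
        ctx.put("hasRole", hasRole);
        servletStandard.execute(ctx);
        return trace(ctx);
    }

    public static void main(String[] args) {
        for (boolean[] c : new boolean[][] {{true, false}, {false, false}, {false, true}})
            System.out.println("hasRole=" + c[0] + " ignoreResult=" + c[1] + " -> " + run(c[0], c[1]));
    }
}
```

In both unauthorized runs `ExecuteAction` never appears in the trace, so the protected action is not reached; only the lookup's handling of the sub-chain's return value decides whether the view chain still runs.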
