struts-user mailing list archives

From "Craig R. McClanahan" <Craig.McClana...@eng.sun.com>
Subject Re: Returning a standard jsp page
Date Fri, 22 Sep 2000 18:10:54 GMT
Colin Sampaleanu wrote:

> > -----Original Message-----
> > From: Craig R. McClanahan [mailto:Craig.McClanahan@eng.sun.com]
> > Sent: September 22, 2000 1:24 PM
> > To: struts-user@jakarta.apache.org
> > Subject: Re: Returning a standard jsp page
> >
> >
> > Kevin Gibbs wrote:
> >
> > > Is there a way to return a default page for every action
> > without setting up
> > > an entry for each action in action.xml?
> > >
> > > Scenario:
> > > We want to check if a user has "permission" to use an
> > action, and if not
> > > return them to a standard "Permission Denied" page.
> > >
> > > Have I explained this enough?
> > >
> >
> > With the current Struts, you can define a "global" forward
> > definition by putting
> > the <forward> element outside of any <action> element:
> >
> >     <action-mappings>
> >         <forward name="denied" path="/permission-denied.jsp"/>
> >         <action ...>
> >         <action ...>
> >     </action-mappings>
> >
> > Then, in your action that checks for permission, just call:
> >
> >     return (servlet.findForward("denied"));
> >
> > to look up the logical definition of the "denied" forwarding
> > element, and ask
> > the controller servlet to forward control to the corresponding page.
> >
> > If you want the controller servlet to do this check for you
> > automatically, so
> > that you don't have to check in every action, one approach
> > would be to subclass
> > ActionServlet and override the processMapping() method,
> > something like this:
> >
> >     protected ActionMapping processMapping(String path) {
> >         if (user is allowed to access this path) {
> >             return (super.processMapping(path));
> >         } else {
> >             return (a special mapping for my denied message);
> >         }
> >     }
> >
> > where the "special mapping" action would do the trick
> > described above and look
> > up the right ActionForward.
> >
> > This approach would centralize all the access control
> > checking in one place.
>
> Craig, this is exactly what we do in one installation. We added a
> 'validRole' property to the mapping object, and processMapping checks if the
> user is logged in, redirects to a login form if needed (which redirects back
> to the original path afterwards), and then checks if the user is in the
> right role for that mapping. The one little problem is that processMapping
> does not know about the request object, but needs it if it is to properly
> get and save data for later use. In the subclassed ActionServlet I had to
> override the whole process method so it could call the new processMapping
> method and pass in the request as well. Can you possibly add the request as
> a parameter to the base processMapping function instead, so I don't have to
> override process()?
>

That sounds like a good idea.  I will check the other methods of ActionServlet
as well.  This change will go into the 1.0 codebase since it's not backwards
compatible.

>
> The other approach that would work would be to chain to a special redirector
> action that would do the work, but there are a few advantages to the way we
> do it now, and I don't see any negatives to passing the request object to
> processMapping as well...
>

Yah, processMapping seems like the right place to do permissions checking.

>
> Colin

Craig

====================
See you at ApacheCon Europe <http://www.apachecon.com>!
Session VS01 (23-Oct 13h00-17h00):  Sun Technical Briefing
Session T06  (24-Oct 14h00-15h00):  Migrating Apache JServ
                                    Applications to Tomcat
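
A minimal sketch of the centralized check discussed in this thread, added here as an example and not code from Craig, Colin or the Struts project. `Mapping`, `Request`, the `LOGIN` and `DENIED` constants and the sample paths are stand-ins (assumptions), not the Struts API, and failing closed on an unknown path is this sketch's own choice.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Stand-in types for illustration only; these are NOT the Struts classes.
public class CentralAccessCheck {
    // validRole == null means the mapping needs no login and no role.
    record Mapping(String path, String validRole) {}
    record Request(String user, Set<String> roles, Map<String, Object> session) {}

    static final Mapping LOGIN = new Mapping("/login.jsp", null);
    static final Mapping DENIED = new Mapping("/permission-denied.jsp", null);
    static final Map<String, Mapping> MAPPINGS = Map.of(
        "/viewReport", new Mapping("/viewReport", "user"),
        "/editUsers", new Mapping("/editUsers", "admin"));

    // Single choke point: every path is resolved to a mapping here, with the
    // request available, so no individual action repeats the permission check.
    static Mapping processMapping(String path, Request request) {
        Mapping mapping = MAPPINGS.get(path);
        if (mapping == null) {
            return DENIED; // assumption of this sketch: unknown paths fail closed
        }
        if (mapping.validRole() == null) {
            return mapping;
        }
        if (request.user() == null) {
            // Store the path of the mapping that was looked up, not a raw URL,
            // so the login form can return the user to it afterwards.
            request.session().put("originalPath", mapping.path());
            return LOGIN;
        }
        return request.roles().contains(mapping.validRole()) ? mapping : DENIED;
    }

    public static void main(String[] args) {
        // Constructed sample requests: not logged in, wrong role, right role.
        Request anonymous = new Request(null, Set.of(), new HashMap<>());
        Request clerk = new Request("kim", Set.of("user"), new HashMap<>());
        Request admin = new Request("lee", Set.of("admin"), new HashMap<>());
        for (Request r : new Request[] {anonymous, clerk, admin}) {
            System.out.println(r.user() + " -> " + processMapping("/editUsers", r).path());
        }
        System.out.println("saved: " + anonymous.session().get("originalPath"));
    }
}
```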


