struts-user mailing list archives

From Ted Husted <hus...@apache.org>
Subject Re: Security, authentication and authorisation with Struts
Date Fri, 24 Aug 2001 15:19:29 GMT
I would agree that subclassing the ActionServlet is usually preferable,
but would point out that the strategy is to provide a BASE action with
the authentication code, that others would subclass. So the
authentication code would only exist once, in the base class.

-- Ted Husted, Husted dot Com, Fairport NY USA.
-- Custom Software ~ Technical Services.
-- Tel +1 716 737-3463
-- http://www.husted.com/about/struts/


Jonathan M Crater wrote:
> 
> I would prefer not to put the authentication code in the action because
> it opens the possibility of having authentication logic in each and
> every action, which would essentially defeat one of the main purposes of
> having a controller in the first place--one point of access for security
> reasons.  It seems to me that subclassing ActionServlet and/or adding
> authentication code to it are preferable to distributing the
> authentication logic across x number of action classes.
> 
> devon.bowen@ubs.com wrote:
> 
> > > Wouldn't it be better to put this code directly into the action
> > > servlet and rebuild struts?
> >
> > That goes against my code-reusability instincts. I strive to use
> > the default struts build and default tag libraries.
> >
> > The other possibility would be to put this in the Action class.
> > Before it checks the authorization, it could verify that it is
> > in the session. If not, put it there. I don't do this because I
> > also put an object in the application scope (for complicated
> > reasons) and it seems silly to put this code in the Action code
> > which is rather far from the application level.
> >
> > > I'd also be interested in hearing the rationale behind the
> > > desire not to subclass ActionServlet from those of you who
> > > prefer to avoid it.
> >
> > Me too. Works fine for me.
> >
> > Devon
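
One way to implement the base-action strategy described in the reply above, as an added example that is not code from this thread or from the Struts project. It is written against the Struts 1.1+ `execute` signature (Struts 1.0 names this method `perform`) and, going slightly beyond the thread, adds a deny-by-default authorisation hook; the class names, session key, forward names and `isAuthorized` hook are assumptions.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Base action: the only place the login check lives. */
public abstract class BaseSecureAction extends Action {
    // Hypothetical names, not taken from the thread.
    public static final String USER_KEY = "authenticatedUser";
    public static final String LOGON_FORWARD = "logon";

    /** final: a subclass cannot override the entry point and skip the check. */
    @Override
    public final ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        // getSession(false): do not create a session for an anonymous caller.
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(USER_KEY);
        if (user == null) {
            // Fail closed: no business logic runs without a logged-in user.
            return mapping.findForward(LOGON_FORWARD);
        }
        if (!isAuthorized(user, mapping)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return null; // null tells Struts the response is already complete
        }
        return executeAuthenticated(mapping, form, request, response, user);
    }

    /** Authorisation hook (assumption): deny by default, each action opts in. */
    protected boolean isAuthorized(Object user, ActionMapping mapping) { return false; }

    /** Business logic; reached only after both checks above have passed. */
    protected abstract ActionForward executeAuthenticated(ActionMapping mapping,
            ActionForm form, HttpServletRequest request, HttpServletResponse response,
            Object user) throws Exception;
}

/** Hypothetical subclass: contains no authentication code of its own. */
class ViewAccountAction extends BaseSecureAction {
    @Override protected boolean isAuthorized(Object user, ActionMapping mapping) { return true; }
    @Override protected ActionForward executeAuthenticated(ActionMapping mapping,
            ActionForm form, HttpServletRequest request, HttpServletResponse response,
            Object user) {
        request.setAttribute("account", user);
        return mapping.findForward("success");
    }
}
```

An action that extends `Action` directly never passes through this check, which is the single-point-of-access concern raised in the quoted message; a check placed in an `ActionServlet` subclass covers every mapping regardless of its base class.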
