struts-user mailing list archives

Subject RE: Security, authentication and authorisation with Struts
Date Fri, 24 Aug 2001 13:26:36 GMT
> I wondered what approach you guys took when implementing security,
> authentication and authorisation.  I have the common scenario 
> where the application I am creating allocates roles to certain
> types of users, allows them to login, then restricts access to
> certain pages and within the pages certain content.

I use a subclass of ActionServlet that ensures that the username
(a String) and authorization info (a bean) for this user are
saved in the session scope before any Actions are called. (They
aren't combined into one object because I need the username
for other situations when I may not require auth information.)

At the top of each Action I consult the authorization bean to see
if this user has the appropriate permissions to call this Action.
If so, I just keep going. If not, I forward to a JSP that tells
them "no". If the authorization bean doesn't exist anymore it's
because the session timed out in which case I forward to another
JSP asking them to start over. The ability to choose your view in
the Action is really, really nice.

I don't have a login procedure because there is a front-end that
they need to pass through before they get to my application
and this guarantees me a username in the HTTP headers. So I just
need to pull it out of the headers in the special ActionServlet
subclass and put it in the scope. But it would be easy enough for
a login page to do the same thing.


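The scheme described above, written out as an added example (this is not code from the reply or from Struts itself): an ActionServlet subclass that puts the username and an authorization bean into session scope before any Action runs, and a base Action that does the permission check so no individual Action can forget it. The class names, the `X-Authenticated-User` header, the `timeout`/`denied` forward names and the in-memory permission table are all assumptions chosen for illustration; the Struts calls used (`ActionServlet.process`, `Action.execute`, `ActionMapping.findForward`) are the Struts 1.1 API (in 1.0 the Action entry point is `perform` rather than `execute`). The listing shows three source files back to back.

```java
// Added example, not from the original post. Names marked "assumed" are illustrative.

// --- AuthInfo.java: the authorization bean kept in session scope ---
package example.security;

import java.io.Serializable;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

public class AuthInfo implements Serializable {
    private final Set<String> permissions;

    public AuthInfo(Set<String> permissions) {
        this.permissions = Collections.unmodifiableSet(new HashSet<String>(permissions));
    }

    public boolean hasPermission(String permission) {
        return permissions.contains(permission);
    }
}

// --- SecureActionServlet.java: populates the session before any Action is called ---
// web.xml must name this class as the servlet-class instead of ActionServlet.
package example.security;

import java.io.IOException;
import java.util.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import org.apache.struts.action.ActionServlet;

public class SecureActionServlet extends ActionServlet {
    public static final String USER_HEADER = "X-Authenticated-User"; // assumed header set by the front-end
    public static final String USERNAME_KEY = "username";            // session attribute names (assumed)
    public static final String AUTH_KEY = "authInfo";

    // Constructed sample data standing in for the real permission store.
    private static final Map<String, Set<String>> PERMISSIONS = new HashMap<String, Set<String>>();
    static {
        PERMISSIONS.put("alice", new HashSet<String>(Arrays.asList("view", "edit")));
        PERMISSIONS.put("bob", new HashSet<String>(Arrays.asList("view")));
    }

    protected void process(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        String username = request.getHeader(USER_HEADER);
        if (username == null || username.trim().length() == 0) {
            // The front-end did not authenticate this request: no Action is ever reached.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        HttpSession session = request.getSession(true);
        Object current = session.getAttribute(USERNAME_KEY);
        if (current != null && !current.equals(username)) {
            // Identity changed mid-session: drop the old session rather than reuse it.
            session.invalidate();
            session = request.getSession(true);
            current = null;
        }
        if (current == null) {
            session.setAttribute(USERNAME_KEY, username);
            session.setAttribute(AUTH_KEY, new AuthInfo(lookupPermissions(username)));
        }
        super.process(request, response);
    }

    protected Set<String> lookupPermissions(String username) {
        Set<String> perms = PERMISSIONS.get(username);
        return perms == null ? Collections.<String>emptySet() : perms;
    }
}

// --- SecureAction.java: base class that performs the check at the top of every Action ---
// struts-config.xml needs global forwards named "timeout" and "denied" (assumed names).
package example.security;

import javax.servlet.http.*;
import org.apache.struts.action.*;

public abstract class SecureAction extends Action {
    /** Permission this Action requires; each subclass states its own. */
    protected abstract String requiredPermission();

    /** Runs only after the permission check has passed. */
    protected abstract ActionForward executeAuthorized(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception;

    public final ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        HttpSession session = request.getSession(false);
        AuthInfo auth = (session == null) ? null
                : (AuthInfo) session.getAttribute(SecureActionServlet.AUTH_KEY);
        if (auth == null) {
            return mapping.findForward("timeout");   // session expired: ask the user to start over
        }
        if (!auth.hasPermission(requiredPermission())) {
            return mapping.findForward("denied");    // the "no" page
        }
        return executeAuthorized(mapping, form, request, response);
    }
}
```

Two points a practitioner would check before deploying something like this. First, trusting a username header is only sound if the front-end is the sole path to the servlet: if a client can reach the container directly, it can set the header itself, so the container must be reachable only from the front-end (or the header must be verified, for example with a signature the front-end adds). Second, making `execute` final in the base class is what guarantees the check cannot be bypassed by an Action that forgets to call it; an Action that extends `Action` directly instead of `SecureAction` would skip it, so that convention needs enforcing in code review.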