struts-user mailing list archives

From "Michael Nash" <>
Subject RE: Security, authentication and authorisation with Struts
Date Fri, 24 Aug 2001 21:38:34 GMT

Another approach you may want to look at is the way we've done the Struts
integration with our own OSS framework, Expresso: We subclass "Action" in
our "Controller" class, and the "Controller" class actually does all of the
authentication/authorization work for us.

There is of course more to it than that, but that's the gist - you can read
about it at - the "Expresso
Developer's Guide" explains about our Controller objects (basically
finite-state machines that contain the application's logic) and there are a
couple of write-ups in the index about how Struts and Expresso fit together.

We have optional strong encryption for Expresso's entire security layer (and
its object/relational mapping layer), which is also discussed in the doc,
making it possible to implement a highly secure application at all levels.

Hope it's helpful!


Jcorporate Ltd.

> -----Original Message-----
> From: Jonathan M Crater []
> Sent: Friday, August 24, 2001 10:45 AM
> To:
> Subject: Re: Security, authentication and authorisation with Struts
> i would prefer not to put the authentication code in the action because
> it opens the possibility of having authentication logic in each and
> every action, which would essentially defeat one of the main purposes of
> having a controller in the first place--one point of access for security
> reasons.  it seems to me that subclassing ActionServlet and/or adding
> authentication code to it are preferable to distributing the
> authentication logic across x number of action classes.
> wrote:
> > > wouldn't it be better to put this code directly into the action
> > > servlet and rebuild struts?
> >
> > That goes against my code-reusability instincts. I strive to use
> > the default struts build and default tag libraries.
> >
> > The other possibility would be to put this in the Action class.
> > Before it checks the authorization, it could verify that it is
> > in the session. If not, put it there. I don't do this because I
> > also put an object in the application scope (for complicated
> > reasons) and it seems silly to put this code in the Action code
> > which is rather far from the application level.
> >
> > > i'd also be interested in hearing the rationale behind the
> > > desire not to subclass ActionServlet from those of you who
> > > prefer to avoid it.
> >
> > Me too. Works fine for me.
> >
> > Devon
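The "subclass Action once and let the base class do the checks" approach from the top message, shown as an added illustration rather than Expresso's or Struts' own code. It assumes the Struts 1.0 perform() signature, a hypothetical UserPrincipal class kept under a hypothetical session key, and global forwards named "login" and "unauthorized" declared in struts-config.xml; making perform() final is one way to meet the concern in the quoted reply that individual actions might omit the check.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Hypothetical principal placed in the session by the login action. */
class UserPrincipal {
    private final Set roles;
    UserPrincipal(Set roles) { this.roles = roles; }
    boolean hasRole(String role) { return roles.contains(role); }
}

/** Base class: every protected action extends this instead of Action. */
public abstract class SecureAction extends Action {
    public static final String USER_KEY = "user"; // hypothetical session key

    // final: a subclass cannot override perform() and skip the check
    public final ActionForward perform(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        HttpSession session = request.getSession(false); // never create one here
        UserPrincipal user = (session == null) ? null
                : (UserPrincipal) session.getAttribute(USER_KEY);
        if (user == null) {
            return mapping.findForward("login"); // not authenticated
        }
        if (!user.hasRole(requiredRole())) {
            return mapping.findForward("unauthorized"); // authenticated, no role
        }
        return performAuthorized(mapping, form, request, response, user);
    }

    /** Each action states the role it needs; the base class enforces it. */
    protected abstract String requiredRole();

    protected abstract ActionForward performAuthorized(ActionMapping mapping,
            ActionForm form, HttpServletRequest request,
            HttpServletResponse response, UserPrincipal user)
            throws IOException, ServletException;
}

/** A concrete action carries no security code at all. */
class DeleteOrderAction extends SecureAction {
    protected String requiredRole() { return "admin"; }
    protected ActionForward performAuthorized(ActionMapping mapping,
            ActionForm form, HttpServletRequest request,
            HttpServletResponse response, UserPrincipal user) {
        return mapping.findForward("success"); // deletion logic would go here
    }
}
```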
