From: "Sloan Seaman"
To: "Struts Users Mailing List"
Subject: Re: Best place for security checks in Struts?
Date: Tue, 8 Jul 2003 15:27:30 -0400

You could have a class that is an Action (say, named SecureAction) and then have all of the actions in the struts file extend SecureAction and implement a method called executeSecure() (not execute()!)

What then happens is your action in the Struts config (say, named ShowUser) gets called by Struts but since it extends SecureAction, Struts calls SecureAction's execute(). It then checks security and if it's good it calls executeSecure() which is the method that ShowUser overwrote.

If the security doesn't pass, then SecureAction never calls executeSecure... and there ya go.

You can then define the security on a per action basis by making your own ActionMapping object and doing something like:

That is how I did it for a while and it worked great...

--
Sloan

----- Original Message -----
From: "Sandeep Takhar"
To: "Struts Users Mailing List"
Sent: Tuesday, July 08, 2003 2:44 PM
Subject: Re: Best place for security checks in Struts?

> This is the requestProcessor.
>
> Sorry for that. I am busy doing work and then I answer a question...
>
> The way I think of it is that there is a requestProcessor for each struts-config. (You declare it here). So if you have multiple modules, you could theoretically have a different processor for each one.
>
> sandeep
> --- David Erickson wrote:
> > And which class is the processRoles method in?
> >
> > ----- Original Message -----
> > From: "Sandeep Takhar"
> > To: "Struts Users Mailing List"
> > Sent: Tuesday, July 08, 2003 9:47 AM
> > Subject: Re: Best place for security checks in Struts?
> > >
> > > There must be a diagram that shows all the calls before it actually hits execute() method. There are quite a few.
> > >
> > > If you have a base action you can override one of them
> > >
> > > processRoles seems to be a logical place...
> > >
> > > sandeep
> > > --- David Erickson wrote:
> > > > Hi I am setting up my webapp for security, had a big thread about it last week, we've implemented filters to handle all the static filters sitting around, but would also like to put some security into the struts actions themselves. I'm trying to figure out where the best place to implement the checks would be, if I need to extend the class that actually calls the actions, or if I should extend the base action and insert checks, or what the best thing to do would be. Somehow each of the actions needs to have a name assigned to it to check against as well, and the information will be pulled from a user bean stored in the session variable.
> > > >
> > > > Thanks in advance!
> > > > -David
---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org
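
The pattern described in Sloan's message above, sketched as an added example against the Struts 1.x API; it is not code from the thread, and the configuration snippet his message refers to is not in the archive. The names `SecureActions`, `SecureMapping`, `requiredRole`, `UserBean` and the session attribute `"user"` are assumptions, and Struts 1.x plus the servlet API are assumed to be on the classpath.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public class SecureActions {

    /** Hypothetical user bean kept in the session (attribute name "user" is assumed). */
    public interface UserBean {
        boolean hasRole(String role);
    }

    /** Custom mapping; Struts fills requiredRole from a <set-property> in struts-config.xml. */
    public static class SecureMapping extends ActionMapping {
        private String requiredRole;
        public String getRequiredRole() { return requiredRole; }
        public void setRequiredRole(String requiredRole) { this.requiredRole = requiredRole; }
    }

    /** Base class: Struts calls execute(); subclasses only implement executeSecure(). */
    public abstract static class SecureAction extends Action {

        // final, so a subclass cannot skip the check by overriding execute()
        public final ActionForward execute(ActionMapping mapping, ActionForm form,
                HttpServletRequest request, HttpServletResponse response) throws Exception {
            if (!isAllowed(mapping, request.getSession(false))) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return null; // response is complete; executeSecure() is never called
            }
            return executeSecure(mapping, form, request, response);
        }

        // Fail closed: no SecureMapping, no role configured, no session or no user bean => deny.
        static boolean isAllowed(ActionMapping mapping, HttpSession session) {
            if (!(mapping instanceof SecureMapping) || session == null) return false;
            String role = ((SecureMapping) mapping).getRequiredRole();
            Object user = session.getAttribute("user");
            return role != null && user instanceof UserBean && ((UserBean) user).hasRole(role);
        }

        protected abstract ActionForward executeSecure(ActionMapping mapping, ActionForm form,
                HttpServletRequest request, HttpServletResponse response) throws Exception;
    }
}
```

A mapping opts in through the `className` attribute of its `<action>` element (here `SecureActions$SecureMapping`) plus a `<set-property property="requiredRole" .../>` child. An action left on the default `ActionMapping` is denied rather than silently allowed.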