struts-user mailing list archives

From Bill Siggelkow <>
Subject Re: Security and Struts (JAAS?)
Date Fri, 04 Jun 2004 13:09:18 GMT

Forgive me if I misinterpreted what you are asking, but I believe what 
you want is to use the Struts "role" attribute on actions for 
application-managed security.

One way is to put a check on every page as was suggested and is done in 
the Struts example.

Another way is to provide a custom RequestProcessor -- this is easier 
than it sounds ...

The "roles" attribute on <action> is processed via the 
RequestProcessor.processRoles() method. You will want to override this 
method in a Custom Request Processor -- something like:
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

public class CustomRequestProcessor extends RequestProcessor {
    protected boolean processRoles(HttpServletRequest request,
                                   HttpServletResponse response,
                                   ActionMapping mapping)
        throws IOException, ServletException {

        // Is this action protected by role requirements?
        String roles[] = mapping.getRoleNames();
        if ((roles == null) || (roles.length < 1)) {
            return (true);
        }

        // Check the current user against the list of required roles.
        // User is the application's own session object; it is assumed
        // to expose hasRole(String).
        HttpSession session = request.getSession();
        User user = (User) session.getAttribute("user");

        if (user == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }

        for (int i = 0; i < roles.length; i++) {
            if (user.hasRole(roles[i])) {
                return (true);
            }
        }

        // Returning false stops processing; send a status first so the
        // client does not receive an empty 200 response.
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return (false);
    }
}

Ralf Bode wrote:
> Hi, i have a portal based on struts.
> and i have some public action.
> (e.g for listing news and so on)
> however.
> my problem is the protected area.
> i have two roles.
> ->customer
> ->supplier
> both login via ONE Action
> (i got their roles via their usernames...)
> okay, i saved something in session
> and did if(session...) in an action,
> before a user (a logged in) could
> do some stuff.
> it works okay, but only
> if the user enters a URL like
> host:8080/trashApp/cust/
> (for submitting a form)
> i got validation.errors ...
> because the execute() of my action is not called...
> so i figured out, that i can use ROLES-attribute
> for <action>. nice, but this is jaas, isn't it?
> now the (for me) interesting point.
> can i add a user (or roles) manually in my 
> LogonAction.execute() ?
> and when, how?
> or how to deal generally?
> with two user-roles and ONE-LogonAction.class ?
> i also watched tomcat-app, that uses struts/jaas for
> authorization, but only with ONE role.
> so is there anyone out, who has a tip/solution
> for me?
> thanks a lot!
> Ralf

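The other half of Ralf's question, what to put in LogonAction.execute() so that both roles can log in through one action, as an added example that is not code from either post: the User object the processor casts to, and a logon action that stores it in the session under the "user" key. The AccountDao interface, the "accountDao" context attribute, the logonForm field names and the forward names are assumptions.

```java
package example;

import java.io.Serializable;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.DynaActionForm;

/** Assumed application service: returns the account's role ("customer" or
 *  "supplier") when the credentials are valid, null otherwise. */
interface AccountDao {
    String authenticate(String username, String password);
}

/** Principal kept in the session; the role is fixed at logon and read-only. */
class User implements Serializable {
    private final String name;
    private final String role;
    User(String name, String role) { this.name = name; this.role = role; }
    public boolean hasRole(String required) { return role.equals(required); }
}

public class LogonAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {
        DynaActionForm logon = (DynaActionForm) form;   // assumed form bean fields
        String username = (String) logon.get("username");
        String password = (String) logon.get("password");
        // Assumed: the DAO was placed in the servlet context at startup.
        AccountDao dao = (AccountDao) getServlet().getServletContext().getAttribute("accountDao");
        String role = dao.authenticate(username, password);
        if (role == null) {
            return mapping.findForward("failure");   // nothing is stored in the session
        }

        // The role comes from the account record, never from a client-settable
        // parameter. Invalidate the pre-logon session so an id fixed before
        // authentication does not inherit privileges, then store the principal
        // under the "user" key that CustomRequestProcessor.processRoles() reads.
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();
        request.getSession(true).setAttribute("user", new User(username, role));
        return mapping.findForward("success");
    }
}
```

The custom processor still has to be registered in struts-config.xml with <controller processorClass="example.CustomRequestProcessor"/>, and each protected mapping needs roles="customer" or roles="supplier" for processRoles() to have anything to check.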