struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Vinicius Carvalho" <>
Subject Securing an Action
Date Wed, 28 Jun 2006 13:39:27 GMT
Hello there! I know this kind of question has been very very
discussed. But I've been away from struts for a while.

I need to create two types of actions, one that anyone can access and
a secure one, based solely on user's roles.

Here's what I've come in mind:

public abstract class BaseAction extends ActionSupport {
	protected boolean isUserInRole(HttpServletRequest request){
		return true;
	public ActionForward execute(ActionMapping mapping, ActionForm form,
HttpServletRequest request, HttpServletResponse response) throws
Exception {
		ActionForward forward = null;
			forward = doExecute(mapping,form,request,response);
			forward = mapping.findForward("global.naoPermitido");
		return forward;
	public abstract ActionForward doExecute(ActionMapping mapping,
ActionForm form, HttpServletRequest request, HttpServletResponse
response) throws Exception;

public abstract class SecureAction extends BaseAction {

	protected boolean isUserInRole(HttpServletRequest request) {
		HttpSession session = request.getSession();
		return super.isUserInRole(request);


Now here's the question :

I'd like to have all SecureAction's subclasses to inform it's parent
class about which role is required to access that class. It would be
very nice if that could be done by configuration struts-config.

I was reading about the set-property param. So I could have a
role:String property on my SecureAction and all subclasses would have
accessor/muttators for it.

Which would be a nice design for this requirement? I mean, whats the
best alternative?


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message