struts-user mailing list archives

From Paul Benedict <pbened...@apache.org>
Subject Re: [s1] security filter for EventDispatchAction
Date Thu, 02 Aug 2007 04:07:37 GMT
Why would you filter on the event? You should filter on the URL.

Strachan, Paul wrote:
> Hi,
>
> Does Struts1 provide an example anywhere of how to use a Servlet Filter to
> access the struts config?
>
> Thanks,
> Paul
>
>  
> -----Original Message-----
> From: Strachan, Paul [mailto:Paul.Strachan@det.nsw.edu.au] 
> Sent: Friday, 27 July 2007 3:47 PM
> To: user@struts.apache.org
> Subject: [s1] security filter for EventDispatchAction
>
> Hi,
>
>  
>
> For security/authorisation we use a servlet filter which checks the URL
> against our security database.  We've recently upgraded to Struts 1.2.9
> and tried using EventDispatchAction, but the problem is the filter does
> not know which event to secure against (as the event name is an arbitrary
> value and only Struts knows about it in the mapping).
>
>  
>
> The problem with using EventDispatchAction is we don't know what the event
> parameter name is (i.e. what method Struts is going to execute) - to check
> if the user has access to this action/event/method.
>
>  
>
> I think I will need to access the struts-config (module relative) and
> EventDispatch logic from the Filter in order to deduce the current
> event.  Does this sound feasible, and is there any good example of how
> to do this?
>
>  
>
> Thanks,
>
> Paul
>
>  
>
> Note - our approach works fine for URLs mapped with
> MappingDispatchAction and DispatchAction (e.g. for the latter we know what
> the dispatch param name is)
>
>
> **********************************************************************
> This message is intended for the addressee named and may contain
> privileged information or confidential information or both. If you
> are not the intended recipient please delete it and notify the sender.
> **********************************************************************

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
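
The check the original question describes, as an added example that is not part of this thread and not Struts code: it resolves the event method outside the action so a filter can authorise on path plus method, and denies when nothing resolves. The resolution rule is an assumption about how EventDispatchAction reads the mapping's `parameter` attribute; the class name, the `/editOrder` path, the `path#method` grant format and all sample values are constructed, and obtaining the parameter string from the module's struts-config is left out.

```java
import java.util.Map;
import java.util.Set;
import java.util.StringTokenizer;

/** Added example: resolve the event method outside Struts, then authorise on path + method. */
public class EventAuthzCheck {

    /**
     * Assumed to mirror EventDispatchAction's rule: walk the comma-separated
     * mapping parameter in order; "event=method" aliases an event to a method,
     * "default=method" names the fallback, and an event matches when the request
     * carries a parameter named after it (or "event.x" for image buttons).
     */
    static String resolveMethod(String mappingParameter, Set<String> requestParamNames) {
        String defaultMethod = null;
        StringTokenizer st = new StringTokenizer(mappingParameter, ",");
        while (st.hasMoreTokens()) {
            String key = st.nextToken().trim();
            String method = key;
            int eq = key.indexOf('=');
            if (eq > -1) {
                method = key.substring(eq + 1).trim();
                key = key.substring(0, eq).trim();
            }
            if (key.equals("default")) {
                defaultMethod = method;
            } else if (requestParamNames.contains(key) || requestParamNames.contains(key + ".x")) {
                return method;
            }
        }
        return defaultMethod; // null when no event matched and no default is configured
    }

    /** Deny by default: an unresolved method or a missing grant both refuse the request. */
    static boolean isAllowed(String path, String method, Set<String> grants) {
        return method != null && grants.contains(path + "#" + method);
    }

    public static void main(String[] args) {
        // Constructed sample data: mapping parameter, user grants, request parameter names.
        String parameter = "save,back=cancel,default=view";
        Set<String> grants = Set.of("/editOrder#view", "/editOrder#cancel");
        Map<String, Set<String>> requests = Map.of(
            "no event", Set.of("id"),
            "image button back", Set.of("id", "back.x", "back.y"),
            "save", Set.of("id", "save"));
        requests.forEach((label, names) -> {
            String method = resolveMethod(parameter, names);
            System.out.println(label + " -> " + method + " allowed=" + isAllowed("/editOrder", method, grants));
        });
    }
}
```

With these constructed grants the `save` request is refused while the default and `back` requests pass, which is the per-event decision a URL-only check cannot make for a single mapping.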