struts-user mailing list archives

From Amol Ghotankar <>
Subject Re: Authorization Best Practices
Date Wed, 07 Jul 2010 18:26:28 GMT
Dear List member,

The issue we are discussing here is Authorization using Struts 2.x.

Part 1. How to control access to actions,

i.e. which actions can be accessed by which user role.

Part 2. How to control access to data from the back-end database,

i.e. how much data should be returned through the called action (10 rows, 100
rows or 1000 rows from the database), based on user role and/or the called action.

Part 1 has been simple and several simple ways have solved this issue.

Part 2 is the major concern of the discussion, as isn't it a concern of MVC's C
(Controller) to control the data also?

My actions know what data is to be fetched, but the business layer can overwrite
it, whereas the actual data is beneath the DAO layer.

So where can we intercept, or do we need to intercept all three layers and
have a combined policy using them?


Amol Ghotankar

On Wed, Jul 7, 2010 at 11:41 PM, Ken <> wrote:

> On Wed, 2010-07-07 at 13:34 -0400, Dale Newfield wrote:
> > On 7/7/10 1:28 PM, Amol Ghotankar wrote:
> > > 2 . decide how much data to access.
> > >
> > > This I am really working on: something where the struts2 interceptor will
> > > read what role the user has and set some global role for that request,
> > > which will be read by the DAO and used to fetch the data.
> >
> > The interceptor cannot know independent of the action/business logic
> > what data will need to be fetched.  I don't think you can solve this
> > problem within struts.  Even if you do, you've then built a toolset that
> > doesn't include any of these access restrictions in otherwise exposed
> > services.
> >
> > -Dale
> This is a hand rolled solution I used:
> Create an interceptor which checks if a User object exists when
> accessing a secure package, if it does not exist redirect the user to a
> login page and record the initial url (will redirect back to that page
> after login).  I use hibernate... so the user object contains a
> connection to the database.  If you're also using hibernate you'll
> notice you can supply the specific "hibernate.cfg.xml" when establishing
> the connection, by making this choice dependent on the particular user
> you can supply different database connections or even restrict data
> access.  In this case I think xml files are better than annotations as
> you don't need to change the POJO which the *.hbm.xml files refer to.
> Sorry I'm not sure I really understood the issue, but this helped me a
> lot and was very easy to implement.


With Best Regards,

Amol Ghotankar
Technical Director
Cursive Technologies Pvt. Ltd.
104, A1 Wing, W Sector,
Masulkar Colony, Ajmera,
Pimpri, Pune-18 INDIA
O: +91 2020 270 570
M: +91 9960 980 419

The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail
or telephone and delete the original message from your mail system.
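
An added example, not code from this thread or from the Struts project, of the split the two posts are circling: a Struts 2.x interceptor that handles Part 1 and Ken's login redirect (recording the original URL), and a DAO that enforces Part 2 beneath the action so the row limit holds for any caller. The class names (User, AuthContext, RoleScopeInterceptor, OrderDao, Order), the "user" and "returnTo" session keys, the sample rows and the per-role caps of 10/100/1000 are assumptions chosen to match the numbers Amol mentions; the only real APIs it relies on are Struts 2's AbstractInterceptor, the ActionContext session map, ServletActionContext.getRequest() and the Action.LOGIN result name.

```java
import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import org.apache.struts2.ServletActionContext;
import javax.servlet.http.HttpServletRequest;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

// Added example, not code from the thread or Struts; class names, session keys and row caps are assumptions.
public class RoleScopedDataExample {
    /** Hypothetical session user: the object Ken's interceptor looks for. */
    public static class User {
        public final String name, role;
        public User(String name, String role) { this.name = name; this.role = role; }
    }

    /** Amol's "global role for that request", held per thread for the DAO to read. */
    public static final class AuthContext {
        private static final ThreadLocal<User> CURRENT = new ThreadLocal<User>();
        static void set(User u) { CURRENT.set(u); }
        static void clear() { CURRENT.remove(); } // always from finally: container threads are reused
        /** Fails closed: code that reaches the DAO without the interceptor gets nothing. */
        public static User require() {
            User u = CURRENT.get();
            if (u == null) throw new SecurityException("no authenticated user bound to this request");
            return u;
        }
    }

    /** Part 1 plus the session check: redirect to login (remembering the URL) or bind the user. */
    public static class RoleScopeInterceptor extends AbstractInterceptor {
        @Override
        public String intercept(ActionInvocation invocation) throws Exception {
            Map<String, Object> session = invocation.getInvocationContext().getSession();
            User user = (User) session.get("user");
            if (user == null) {
                HttpServletRequest req = ServletActionContext.getRequest();
                String target = req.getRequestURI()
                        + (req.getQueryString() == null ? "" : "?" + req.getQueryString());
                session.put("returnTo", target);   // the login action sends the user back here
                return Action.LOGIN;               // "login" result mapped in struts.xml
            }
            AuthContext.set(user);
            try {
                return invocation.invoke();
            } finally {
                AuthContext.clear();
            }
        }
    }

    /** A row with an owner, so the DAO can filter rows as well as cap them. */
    public static class Order {
        public final long id; public final String owner;
        public Order(long id, String owner) { this.id = id; this.owner = owner; }
    }

    /** Part 2: the data policy lives beneath the action, where every caller meets it. */
    public static class OrderDao {
        private final List<Order> table;   // stands in for the database
        public OrderDao(List<Order> table) { this.table = table; }
        /** Most rows a role may pull per call; the numbers are illustrative. */
        static int rowCapFor(String role) {
            return "admin".equals(role) ? 1000 : "manager".equals(role) ? 100 : 10;
        }
        /** The action's requested limit is honoured only up to the role's cap. */
        public List<Order> findOrders(int requestedLimit) {
            User u = AuthContext.require();
            int limit = Math.min(requestedLimit, rowCapFor(u.role));
            List<Order> out = new ArrayList<Order>();
            for (Order o : table) {
                if (out.size() >= limit) break;
                // Non-admins see only their own rows, whatever the action asked for.
                if ("admin".equals(u.role) || o.owner.equals(u.name)) out.add(o);
            }
            return out;
        }
    }

    /** Stand-alone demonstration of the DAO policy with constructed sample rows. */
    public static void main(String[] args) {
        List<Order> rows = new ArrayList<Order>();
        for (long i = 1; i <= 50; i++) rows.add(new Order(i, i % 2 == 0 ? "alice" : "bob"));
        OrderDao dao = new OrderDao(rows);
        AuthContext.set(new User("bob", "user"));
        System.out.println("bob (user) asked for 500 rows, got " + dao.findOrders(500).size());
        AuthContext.clear();
        AuthContext.set(new User("root", "admin"));
        System.out.println("root (admin) asked for 500 rows, got " + dao.findOrders(500).size());
        AuthContext.clear();
        try {
            dao.findOrders(5);               // no interceptor ran: the DAO refuses
        } catch (SecurityException e) {
            System.out.println("unbound caller rejected: " + e.getMessage());
        }
    }
}
```

Register the interceptor in struts.xml for the secured package and compile against struts2-core 2.x; the main method exercises only the DAO, which needs no container. Two points matter more than the names: the cap and the ownership filter sit in the DAO and fail closed, so a web service or batch job that reaches the DAO without passing through the interceptor gets an exception rather than unrestricted rows (Dale's objection about "otherwise exposed services"); and the ThreadLocal is cleared in finally, because the servlet container reuses threads and a stale user left behind would be inherited by the next request on that thread.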
