struts-user mailing list archives

Subject Re: Invocation of type conversion manually
Date Tue, 14 Dec 2010 02:27:03 GMT
Hi Maurizio, Li,
   Thanks for your suggestion, but the problem with the approaches you
suggested is that they link the security rules too much to the actions. We
want to be as abstract as possible. For that, we have developed the
following implementation:

   We created some entities called SecurityResource which represent a set of
possible user actions. For example, we can have a SecurityResource called
SeeCustomer, that would be applied to any request related to seeing a
customer, or a SecurityResource called ModifyOwnProfile, used to filter any
action related to the modification of the profile. Every Action (unless it
is public) in the system is associated with a resource.

   We have also defined some entities called SecurityAssert. A SecurityAssert
is a rule that checks some conditions, and returns true or false. They are
implemented through classes that implement a specific interface. For each
SecurityResource we have a list of SecurityAsserts that need to be
validated. So our security definition looks as follows:

        <security-assert-definition name="SecurityAssertHasRole"
            <description>Regla de seguridad para comprobar si un usuario
tiene un rol</description>

        <security-assert-definition name="SecurityAssertDistributionList"
            <description>Regla de seguridad para comprobar si un usuario
puede acceder a las listas de distribucion</description>

        <security-resource name="Eco">
            <security-assert-ref name="SecurityAssertHasRole"
                <parameter name="allowedRoles">

   Some of the rules need information from the request (customer number, for
example). In an ideal world the interceptor should not know anything about
the action it is trying to check. It should only invoke the rules, and check
their results. So I (the interceptor) should be able to pass parameters
from the request to the rule without actually having to know anything about
the request or the rules. Maybe the approach is complex, but we are planning
to have some hundreds of actions, and be able to be as granular and
modular as possible with respect to security. Any ideas?



2010/12/12 Li Ying <>

> I think you don't need this bothering job.
> You can:
> (1)Define some properties in your base class of all your action classes.
> (2)Use these properties to capture data from the request.
> (3)Run your interceptor AFTER the interceptors of struts2.
> But BEFORE the execution of the Action class
> So,
> The interceptors of struts2 will do the data-conversion for you.
> Your interceptor can simply extract all the parameters you need from the
> Action instance.

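The resource-to-rules design described in the message above, as an added sketch in plain Java (16+); it is not code from the original post or from Struts. The `check` signature, `Binding`, `SecurityEvaluator`, `SecurityAssertOwnsCustomer` and the `customerNumber` parameter name are assumptions made for illustration; the evaluator hands every rule the same generic request map and denies whenever a resource, user or parameter is missing.

```java
import java.util.*;

public class SecurityDemo {   // constructed sample data: one user, one customer
    public static void main(String[] args) {
        SecurityEvaluator ev = new SecurityEvaluator();
        ev.define("SeeCustomer",
            new Binding(new SecurityAssertHasRole(Map.of("ana", Set.of("sales"))), Map.of("allowedRoles", "sales,admin")),
            new Binding(new SecurityAssertOwnsCustomer(Map.of("1001", "ana")), Map.of()));
        Map<String, String[]> own = Map.of("customerNumber", new String[] {"1001"});
        System.out.println("own customer:      " + ev.isAllowed("SeeCustomer", "ana", own));
        System.out.println("missing parameter: " + ev.isAllowed("SeeCustomer", "ana", Map.of()));
        System.out.println("unmapped resource: " + ev.isAllowed("ModifyOwnProfile", "ana", own));
    }
}
// Assumed contract: a rule sees its configured parameters and a generic view of the request.
interface SecurityAssert {
    boolean check(String user, Map<String, String> config, Map<String, String[]> request);
}
record Binding(SecurityAssert rule, Map<String, String> config) {}

class SecurityAssertHasRole implements SecurityAssert {
    private final Map<String, Set<String>> rolesByUser;   // stand-in for a user store
    SecurityAssertHasRole(Map<String, Set<String>> r) { rolesByUser = r; }
    public boolean check(String user, Map<String, String> config, Map<String, String[]> request) {
        String allowed = config.get("allowedRoles");
        if (allowed == null) return false;                 // rule lacks its parameter: deny
        Set<String> held = rolesByUser.getOrDefault(user, Set.of());
        return Arrays.stream(allowed.split(",")).map(String::trim).anyMatch(held::contains);
    }
}
class SecurityAssertOwnsCustomer implements SecurityAssert {   // hypothetical rule
    private final Map<String, String> ownerByCustomer;
    SecurityAssertOwnsCustomer(Map<String, String> o) { ownerByCustomer = o; }
    public boolean check(String user, Map<String, String> config, Map<String, String[]> request) {
        String[] v = request.get("customerNumber");
        if (v == null || v.length != 1) return false;      // absent or duplicated value: deny
        return user.equals(ownerByCustomer.get(v[0]));
    }
}
class SecurityEvaluator {
    private final Map<String, List<Binding>> resources = new HashMap<>();
    void define(String resource, Binding... b) { resources.put(resource, List.of(b)); }
    // The caller knows only the resource name; every bound rule must pass.
    boolean isAllowed(String resource, String user, Map<String, String[]> request) {
        List<Binding> bindings = resources.get(resource);
        if (user == null || bindings == null || bindings.isEmpty()) return false;  // deny by default
        for (Binding b : bindings)
            if (!b.rule().check(user, b.config(), request)) return false;
        return true;
    }
}
```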