tomcat-users mailing list archives

From "John Gregg" <>
Subject front controller pattern and security
Date Thu, 13 Jun 2002 15:44:15 GMT
Hi all.

I've been thinking about how the j2ee front controller pattern (used by
Struts et al.) does/does not take advantage of url-based authorization
constraints in web.xml.  I want to avoid having to check roles in my own
code as much as possible.  At first I thought I could declare a URL like
/somewebapp/somerole/* to require the "somerole" role before being allowed
access to my controller servlet.  Another URL would be
/somewebapp/someotherrole/* but would map to the same servlet.  That servlet
would then pick off the action at the end of the URL and execute it.
However, while I can restrict access to the servlet, or whatever other
"physical" resource I'm trying to protect, what I really want to protect is
the action that's executed.  Am I just stuck with enumerating all possible
actions in my web.xml (/somewebapp/somerole/someaction,
/somewebapp/somerole/someotheraction, etc.)?  Should I instead make a filter
that enforces this for me?  I'm facing the same problem with Apache SOAP's
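As an added illustration of the filter approach raised in the post (this is not the poster's code and not part of the thread), the following servlet filter resolves the action name from the end of the front-controller URL, looks up the role that action requires, and refuses to dispatch to the controller unless the container-authenticated user is in that role. The action names, role names and the mapping table are constructed samples; the class name `ActionRoleFilter` and the helper `actionName` are hypothetical. It assumes the container has already authenticated the user through the webapp's `login-config`, so `getRemoteUser()` and `isUserInRole()` are meaningful, and that every role named in the table is also declared with `security-role` in web.xml.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (added example, not from the thread): maps the action
 * at the end of a front-controller URL to the role required to run it and
 * rejects the request before the controller servlet is reached.
 */
public class ActionRoleFilter implements Filter {

    /** action name -> required role (constructed sample mapping). */
    private static final Map<String, String> ACTION_ROLES;
    static {
        Map<String, String> m = new HashMap<String, String>();
        m.put("someaction", "somerole");
        m.put("someotheraction", "somerole");
        m.put("adminaction", "admin");
        ACTION_ROLES = Collections.unmodifiableMap(m);
    }

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String action = actionName(request.getServletPath(), request.getPathInfo());
        String requiredRole = ACTION_ROLES.get(action);

        // Default-deny: an action missing from the table is never dispatched,
        // so a newly added action cannot be reached without an explicit entry.
        if (requiredRole == null) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Authentication is the container's job (login-config); the filter only
        // decides authorization once a principal is present.
        if (request.getRemoteUser() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!request.isUserInRole(requiredRole)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * Returns the last path segment as the action name. Path info is used when
     * the controller is mapped with a wildcard (e.g. /controller/*); otherwise
     * the servlet path itself carries the action.
     */
    static String actionName(String servletPath, String pathInfo) {
        String path = (pathInfo != null && pathInfo.length() > 0) ? pathInfo : servletPath;
        if (path == null) {
            return "";
        }
        // Strip trailing slashes, then take the final segment.
        int end = path.length();
        while (end > 0 && path.charAt(end - 1) == '/') {
            end--;
        }
        int start = path.lastIndexOf('/', end - 1) + 1;
        return path.substring(start, end);
    }
}
```

To take effect the filter must be mapped in web.xml to the same URL pattern as the controller servlet, and the container's `security-constraint` on that pattern should still require an authenticated user so that the filter never sees anonymous requests. The check is keyed on the action, not on the servlet, which is exactly the gap the post describes: a URL-pattern constraint can only protect the physical resource, whereas the table above is the enumeration of actions, kept in one place instead of spread across many `url-pattern` entries.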


