Article: Security in Struts: User Delegation Made Possible
Subject: checking constraints
Date: 2004-02-18 23:54:55
From: yannc76

The check if the user has the necessary roles to execute the current action could also be moved to the RequestProcessor-class (Struts 1.1+), thereby freeing the Action-classes from the security-logic.





The check that the user has the necessary permission to call a certain action in the application can easily be done in a ServletFilter, but other solutions are possible. For example, using the Tiles framework, it is also possible to create a special, tabbed-layout JSP that will hide the tabs that the user is not granted access to; you could create a tag library that provides you with the tags for use in the layout JSP. Just choose the approach which fits your architecture best.
The RequestProcessor is indeed a good location, but a ServletFilter is equally suited; it just depends on what flexibility you need. You might want to be able to switch off the security checks during development by commenting out the mapping of the ServletFilter in the web.xml, but other solutions are certainly possible.
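
The filter-based role check discussed in this thread, as an added example that is not part of the original comments or the article's code. The class name `RoleCheckFilter`, the action paths and the role names are constructed for illustration, and it assumes the container authenticates the user so that `isUserInRole` reflects the user's roles.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter, mapped to *.do in web.xml, that runs before any Struts action. */
public class RoleCheckFilter implements Filter {
    // Constructed sample policy: action path -> roles allowed to call it.
    private final Map<String, Set<String>> policy = new HashMap<>();

    public void init(FilterConfig cfg) {
        policy.put("/admin/editUser.do", new HashSet<>(Arrays.asList("admin")));
        policy.put("/orders/list.do", new HashSet<>(Arrays.asList("admin", "clerk")));
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // The path the container matched to the servlet, not the raw request URI.
        Set<String> allowed = policy.get(request.getServletPath());
        if (allowed != null) {
            for (String role : allowed) {
                if (request.isUserInRole(role)) {
                    chain.doFilter(req, res); // authorized: continue to Struts
                    return;
                }
            }
        }
        // Default deny: unlisted actions and users without a matching role get 403.
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
    }

    public void destroy() { }
}
```

Because the check lives only in the filter, commenting out its mapping in web.xml removes authorization for every action, so a deployed build should be verified to still contain that mapping.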