How can I get the ActionServlet to forward to an Action only if the user has been authenticated and is in the correct security role as defined for the view in the web.xml file? Should I put this login checking functionality in the Action or the ActionServelt or somewhere else? Thanks.
I can think of two good places to put the check. Based on the security role (request.isUserInRole(XXX)) you could either NOT even give the user the opportunity to see the button/link on the jsp page or add it to the Action and have this be the first thing looked at. You might be able to get fancy and extend the standard Action class for specific instances and add the role checking in automatically, but that may be overkill or a bad design.
Joined: Sep 25, 2003
I'm basically just asking how to use declarative security with Struts. Any suggestions or ideas?
My two cents.... on page http://jakarta.apache.org/struts/userGuide/building_controller.html you will find a discussion on requestprocessor and how to use it. The RequestProcessor is where the majority of the core processing occurs for each request. Take a look, override the current requestprocessor and put a System.out.println(), or a Log.debug() in each method. Also in the ActionMappings in struts.config.xml you can add roles to the actions. In the processroles method you can check the person and the role it has against the roles in the action (the .do) and return a true or a false. If it is a false (not authorized) you can add a general error page saying no access, and otherwise you return true and processing continues. its just another way to do what you describe, but is it mentioned in the book ?