How To Authenticate?

Anthony Watson
Ranch Hand

Joined: Sep 25, 2003
Posts: 327
How can I get the ActionServlet to forward to an Action only if the user has been authenticated and is in the correct security role as defined for the view in the web.xml file? Should I put this login checking functionality in the Action or the ActionServlet or somewhere else? Thanks.
brad balmer
Ranch Hand

Joined: Mar 08, 2004
Posts: 57
I can think of two good places to put the check.
Based on the security role (request.isUserInRole(XXX)) you could either NOT even give the user the opportunity to see the button/link on the JSP page, or add it to the Action and have this be the first thing looked at.
You might be able to get fancy and extend the standard Action class for specific instances and add the role checking in automatically, but that may be overkill or a bad design.
Anthony Watson
Ranch Hand

Joined: Sep 25, 2003
Posts: 327
I'm basically just asking how to use declarative security with Struts. Any suggestions or ideas?
Gregg Bolinger
GenRocket Founder
Ranch Hand

Joined: Jul 11, 2001
Posts: 15302

I would use a ServletFilter.

GenRocket - Experts at Building Test Data
frisode jonge
Ranch Hand

Joined: Dec 30, 2003
Posts: 34
My two cents....
on page
you will find a discussion on requestprocessor and how to use it.
The RequestProcessor is where the majority of the core processing occurs for each request. Take a look, override the current RequestProcessor and put a System.out.println(), or a Log.debug() in each method.
Also in the ActionMappings in struts.config.xml you can add roles to the actions. In the processRoles method you can check the person and the role it has against the roles in the action (the .do) and return a true or a false. If it is false (not authorized) you can add a general error page saying no access, and otherwise you return true and processing continues.
It's just another way to do what you describe, but is it mentioned in the book?
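As an added example (not code from this thread or from Struts itself), here is what such a processRoles override can look like. It assumes container-managed authentication is set up in web.xml so that request.isUserInRole() reflects the declared roles, and that a global forward named "unauthorized" (an assumed name) points at the no-access page.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;
import org.apache.struts.config.ForwardConfig;

// Custom Struts 1.x RequestProcessor enforcing the roles="..." attribute of each
// <action> in struts-config.xml. Assumes container-managed authentication via
// web.xml, and a global forward named "unauthorized" (assumed name).
public class RoleCheckingRequestProcessor extends RequestProcessor {

    private static final String UNAUTHORIZED_FORWARD = "unauthorized"; // assumption

    // Runs before the Action is created; returning false stops processing.
    protected boolean processRoles(HttpServletRequest request,
                                   HttpServletResponse response,
                                   ActionMapping mapping)
            throws IOException, ServletException {
        String[] roles = mapping.getRoleNames(); // from roles="admin,editor"
        if (roles == null || roles.length == 0) {
            return true; // no roles declared: open to any caller
        }
        // Fail closed: an unauthenticated caller is in no role at all.
        if (request.getUserPrincipal() == null) {
            return deny(request, response, mapping);
        }
        for (int i = 0; i < roles.length; i++) {
            if (request.isUserInRole(roles[i])) {
                return true; // any one matching role grants access
            }
        }
        return deny(request, response, mapping);
    }

    // Forward to the "no access" page instead of Struts' default HTTP 400.
    private boolean deny(HttpServletRequest request, HttpServletResponse response,
                         ActionMapping mapping) throws IOException, ServletException {
        log.warn("Denied " + mapping.getPath() + " for user " + request.getRemoteUser());
        ForwardConfig forward = moduleConfig.findForwardConfig(UNAUTHORIZED_FORWARD);
        if (forward == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN); // safe fallback
        } else {
            processForwardConfig(request, response, forward);
        }
        return false;
    }
}
```

Register it with `<controller processorClass="...RoleCheckingRequestProcessor"/>` in struts-config.xml; the roles themselves still have to be declared in web.xml (`<security-role>`) for isUserInRole() to mean anything.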
I agree. Here's the link: