I am developing a Struts application, and am trying to design the authorization piece and would appreciate input. Authentication is being done using a Servlet Filter which does two things - validates a user's credentials with an LDAP server, and gets the names of the LDAP groups which the user is a member of. These group names are then stored in a User object in the session.
Now here is the part I am having difficulty with. Part of the model consists of "Category" objects which store a set of reader groups and edit groups. If the user is a member of one of the reader groups, they can view the category, and if they are a member of one of the edit groups they can perform SOME update operations on the category. The update operations are performed by ONE action which receives url parameters to further define which logic should be executed - this may have been a poor design decision but it would be a lot of work to change this now. When the update action is invoked it is passed one of 3 parameters in the url: EDIT,CREATE, or DELETE. The parameter that is passed will determine if the user can perform this action (for now users in the edit group will be able to EDIT but not CREATE OR DELETE, but I don't want to hard code this).
The way I was considering implementing this was by overriding SecureRequestProcessor.processPreProcess and extending ActionMapping. In the request processor I would grab the url parameter (if it existed) then go to the ActionMapping and get a parameter (something like editGroupCanExecute=true) and then act accordingly. But there are a couple of things I don't like about this approach. First off, I am extending the request processor to add functionality that only pertains to some actions. Also, I am extending ActionMapping to add parameters that only apply to some actions. But I think I can just use the custom ActionMapping class for the actions to which it applies? Anyway, that about sums it up. Any help is appreciated. [ May 10, 2005: Message edited by: Steve Ford ]
I was hoping to get some input on this from some experienced Struts developers. Maybe I can whet your appetite with an update on some changes I have made to implement this.
First off I have split up the action which updates a Category, so now I have a separate Action for EDITING, CREATING and DELETING a Category, and a dispatch action which forwards to one of these 3.
Next I created a custom ActionMapping which will be used by actions which have anything to do with categories (i.e. viewing or updating).
Finally, I extended RequestProcessor and I have my own processRoles method. This method looks at the action mapping and if it is an instance of my custom mapping, it then gets the Category from the request attribute or session, and performs the authorization logic for that Category.
Does this sound like a good approach? The final problem I am having, is that for some actions which are viewing or updating a Category, the Category is not set in the request or session, until the action executes. This means that I cannot get hold of the Category in the processRoles method unless I get the Category id from the queryString. But what if the name of the id parameter changes? Or is different for different Actions? This gets messy! Any ideas?
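The following is an added example of the design described in the second post (custom ActionMapping plus a processRoles override), written against the Struts 1 API; it is not code from the thread. It addresses the last question by making the custom mapping declare, in struts-config.xml, both the name of the request parameter that carries the Category id and which of the Category's group sets ("reader" or "editor") grants access, so neither is hard-coded in the processor. The package name, the session attribute "user", the accessors User.getGroups(), Category.getReaderGroups() and Category.getEditGroups(), and the lookup CategoryDao.findById() are assumptions; the two classes are shown in one block but belong in two source files, since Struts instantiates both reflectively and each must be public.

```java
// ---- File: CategoryActionMapping.java ----
package com.example.categories; // assumed package

import org.apache.struts.action.ActionMapping;

/**
 * Mapping subclass for every Category action. struts-config.xml selects it
 * per action with className= and fills the two properties with <set-property>,
 * so the operation-to-group policy and the id parameter name are configuration:
 *
 *   <action path="/editCategory" type="com.example.categories.EditCategoryAction"
 *           className="com.example.categories.CategoryActionMapping">
 *     <set-property property="requiredRole" value="editor"/>
 *     <set-property property="categoryIdParameter" value="catId"/>
 *   </action>
 */
public class CategoryActionMapping extends ActionMapping {
    private String requiredRole = "reader";            // "reader" or "editor"
    private String categoryIdParameter = "categoryId"; // request parameter holding the id

    public String getRequiredRole() { return requiredRole; }
    public void setRequiredRole(String role) { requiredRole = role; }
    public String getCategoryIdParameter() { return categoryIdParameter; }
    public void setCategoryIdParameter(String name) { categoryIdParameter = name; }
}

// ---- File: CategoryRequestProcessor.java ----
package com.example.categories; // assumed package

import java.io.IOException;
import java.util.Collections;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

/**
 * Registered in struts-config.xml with
 *   <controller processorClass="com.example.categories.CategoryRequestProcessor"/>
 * processRoles runs before the Action, so the Category has to be loaded here.
 */
public class CategoryRequestProcessor extends RequestProcessor {

    protected boolean processRoles(HttpServletRequest request,
                                   HttpServletResponse response,
                                   ActionMapping mapping)
            throws IOException, ServletException {
        if (!(mapping instanceof CategoryActionMapping)) {
            // Not a Category action: keep the default container-role check.
            return super.processRoles(request, response, mapping);
        }
        CategoryActionMapping cm = (CategoryActionMapping) mapping;

        // The authentication filter stores the user's LDAP group names in a
        // User object in the session; the attribute name "user" is assumed.
        HttpSession session = request.getSession(false);
        User user = (session == null) ? null : (User) session.getAttribute("user");
        if (user == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }

        // Read the id under whatever name this mapping declares, so a renamed
        // or per-action parameter is a struts-config change, not a code change.
        String id = request.getParameter(cm.getCategoryIdParameter());
        Category category = (id == null) ? null : CategoryDao.findById(id); // assumed lookup
        if (category == null) {
            // Fail closed: no resolvable Category means no decision in the user's favour.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }

        if (!isAllowed(user, category, cm.getRequiredRole())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }
        // Hand the loaded Category to the Action so it is not fetched and checked twice.
        request.setAttribute("category", category);
        return true;
    }

    /** Pure policy check: membership in any group of the set the configured role names. */
    static boolean isAllowed(User user, Category category, String requiredRole) {
        Set<String> requiredGroups;
        if ("editor".equals(requiredRole)) {
            requiredGroups = category.getEditGroups();
        } else if ("reader".equals(requiredRole)) {
            requiredGroups = category.getReaderGroups();
        } else {
            return false; // unknown role in config: deny rather than guess
        }
        return !Collections.disjoint(user.getGroups(), requiredGroups);
    }
}
```

With this layout the "edit group may EDIT but not CREATE or DELETE" rule is expressed by giving the /editCategory mapping requiredRole="editor" and leaving the create and delete mappings on a role that no Category group satisfies, without touching Java; note that an action with no existing Category to check against (CREATE) still has to get its id, or its policy, from somewhere, which the example does not decide for you.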
subject: How would you do authorization for this app?