security check - authorization Security check on method and how to invoke javascript

Peter Primrose
Ranch Hand

Joined: Sep 10, 2004
Posts: 755
Hi all,

I'm implementing a security mechanism that checks if a user is authorized to execute a command.

For this I created a class 'Permission' that checks the user's permissions against the system's permissions, and if the user has this permission, the user is authorized.

so basically it looks like this on the method:



1. I would like to know if anyone is using something alike (or maybe there's already a design pattern for this)

2. Say the user is not authorized, how do I invoke 'Javascript Alert' from the jsp page saying: "you are not authorized"

thank you!
Herman Schelti
Ranch Hand

Joined: Jul 17, 2006
Posts: 387
hi Peter,

you can program a forward to a "you are not authorised" page, or you can throw an exception and configure the forward.

I would not use an alert, just plain text, alerts can be very annoying if you get them a lot.
(and users that don't have javascript will never see them).

Herman

If possible: do your authorisation checks in 1 place, like in a Filter or some AbstractAction that your actions inherit from.
Brent Sterling
Ranch Hand

Joined: Feb 08, 2006
Posts: 948
I was going to suggest that you look at the processRoles method in the RequestProcessor class. This is from the 1.3 code base if the user does not have the role:

response.sendError(HttpServletResponse.SC_FORBIDDEN, getInternal().getMessage("notAuthorized", mapping.getPath()));

I noticed that the 1.3 code base uses HttpServletResponse.SC_FORBIDDEN (403), but the 1.1 code base (which I am still stuck using) uses HttpServletResponse.SC_BAD_REQUEST (400). Returning a 403 error is probably more valid. In either case the user will see a standard error page in their browser, which may or may not be acceptable in your case.

- Brent
Peter Primrose
Ranch Hand

Joined: Sep 10, 2004
Posts: 755
thank you guys!

I practiced the processRoles and it works fine. The problem is, what if I have a DispatchAction with numerous methods and only 3 of them must be protected?

Q: how do I protect a *specific* action/method with processRoles?
* mind that there are 7 methods and 3 of which must be protected (please don't tell me I have to put them in a different class - maintenance nightmare)

thank you!
Brent Sterling
Ranch Hand

Joined: Feb 08, 2006
Posts: 948
There are a few reasons that I am not using DispatchAction and I guess you can add this as another one. It just seems like too often you need to be able to configure things like forwards or validation differently.

- Brent
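One way to protect only some of a DispatchAction's methods without splitting the class, as an added example that is not from this thread and not Struts' own code: a base class that overrides the protected dispatchMethod hook of Struts 1.x DispatchAction, looks the resolved method name up in a per-method role table, checks the container's request.isUserInRole, and otherwise answers with the same 403 that processRoles sends. The class and method names (RoleCheckedDispatchAction, protect, OrderDispatchAction) are made up for the example.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.actions.DispatchAction;

/** Hypothetical base class: subclasses declare which dispatch methods require which roles. */
public abstract class RoleCheckedDispatchAction extends DispatchAction {

    /** dispatch method name -> roles; holding any one of them grants access. */
    private final Map<String, String[]> protectedMethods = new HashMap<String, String[]>();

    /** Register a protected method. Methods never registered stay open (the 7-vs-3 case). */
    protected void protect(String methodName, String... roles) {
        protectedMethods.put(methodName, roles);
    }

    /** Struts resolves the method name from the mapping's parameter and calls this hook;
     *  the role check runs here, before the reflective call to the target method. */
    @Override
    protected ActionForward dispatchMethod(ActionMapping mapping, ActionForm form,
                                           HttpServletRequest request, HttpServletResponse response,
                                           String name) throws Exception {
        String[] roles = protectedMethods.get(name);
        if (roles != null && !isUserInAnyRole(request, roles)) {
            // Same outcome as RequestProcessor.processRoles in Struts 1.3: 403 and stop processing.
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                               "Not authorized for " + mapping.getPath() + " / " + name);
            return null;
        }
        return super.dispatchMethod(mapping, form, request, response, name);
    }

    /** True if the authenticated user holds at least one of the given container roles. */
    static boolean isUserInAnyRole(HttpServletRequest request, String[] roles) {
        for (String role : roles) {
            if (request.isUserInRole(role)) {
                return true;
            }
        }
        return false;
    }
}
```

A concrete subclass then registers its sensitive methods in its constructor, e.g. protect("delete", "admin") and protect("approve", "admin", "manager"), and leaves the other four untouched; if most methods of an action turn out to need a role, invert the table to a list of open methods so a newly added method is denied by default.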