Struts 2: Customizing interceptor stacks

Eric Nielsen
Ranch Hand

Joined: Dec 14, 2004
Posts: 194
I've noticed that the two currently published books take a very different approach to interceptor stacks.

Struts 2: A Tutorial: Seems to advocate building up an interceptor stack that works for the vast majority of your application and avoids special casing extra stacks unless absolutely required (and the custom stacks being incompatible with the primary stack).

Practical Apache Struts 2: Seems to advocate building custom stacks for just about every action. It was hard to tell if this was a pedagogical teaching tool, or actual design advice. (Feels like premature optimization at the expense of maintainability/comprehensibility)

Where do the authors of Struts 2 in Action fall on this topic?
chad michael davis
Author
Greenhorn

Joined: Mar 01, 2006
Posts: 27
I would definitely recommend against making new stacks for everything. I find it hard to believe that very many actions, or packages of actions, need a different stack than the rest.

There has been some discussion of performance issues related to unused interceptors in stacks, but I think the general consensus is that it's not an issue.

We certainly show a conservative use of stack building in Struts 2 in Action. One of the biggest issues is that you will make troubleshooting very difficult the more you toy with the stack.

But this doesn't mean that you should be scared of interceptors. We also encourage the creation of your own interceptors, and we show how to do that by demoing an "application" level authentication mechanism done in a custom interceptor.


Chad Davis
Co-author of Struts 2 in Action
Eric Nielsen
Ranch Hand

Joined: Dec 14, 2004
Posts: 194
Yeah, I've already added three custom interceptors in my apps:

for authentication: (checks for the presence of an @Unprotected annotation on the action, if the annotation is NOT present, redirects to a login page if the user isn't logged in)

for authorization (checks the user's roles against the parameters of an @AllowAccessTo annotation on the action, if fail redirect to an access denied page -- defaults to the admin role only if the annotation isn't present)

for user rehydration -- re-attach the logged in user to the persistence session

The first two help to create a "Secure By Default" approach -- the annotations are not inherited and unless they are present the actions are logged in, super-user only.
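
The secure-by-default checks described in the post above, written as one Struts 2 interceptor. This is an added example, not the poster's code: the annotation definitions, the session keys `user` and `roles`, and the result names `login` and `accessDenied` are assumptions, and the two checks are combined in one class here although the post uses separate interceptors.

```java
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import java.util.Set;

public class SecureByDefaultInterceptor extends AbstractInterceptor {

    // Hypothetical annotations. Neither is marked @Inherited, so a subclass
    // of an annotated action does not pick up its parent's exemption.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE)
    public @interface Unprotected {}

    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE)
    public @interface AllowAccessTo { String[] value(); }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        Class<?> action = invocation.getAction().getClass();

        // Authentication: only an explicit @Unprotected skips the checks.
        if (action.isAnnotationPresent(Unprotected.class)) {
            return invocation.invoke();
        }
        Map<String, Object> session = invocation.getInvocationContext().getSession();
        if (session == null || session.get("user") == null) {   // assumed session key
            return "login";                                      // assumed result name
        }

        // Authorization: with no @AllowAccessTo present, fall back to admin only.
        AllowAccessTo allow = action.getAnnotation(AllowAccessTo.class);
        String[] allowed = (allow != null) ? allow.value() : new String[] {"admin"};

        Object stored = session.get("roles");                    // assumed session key
        Set<?> roles = (stored instanceof Set) ? (Set<?>) stored : Collections.<Object>emptySet();
        if (Arrays.stream(allowed).noneMatch(roles::contains)) {
            return "accessDenied";                               // assumed result name
        }
        return invocation.invoke();
    }
}
```

The default only protects actions whose package uses a stack containing this interceptor, so reference it from the `default-interceptor-ref` of a base package that the other packages extend.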
Chengwei Lee
Ranch Hand

Joined: Apr 02, 2004
Posts: 884
Yeah, I've already added three custom interceptors in my apps:

for authentication: (checks for the presence of an @Unprotected annotation on the action, if the annotation is NOT present, redirects to a login page if the user isn't logged in)

for authorization (checks the user's roles against the parameters of an @AllowAccessTo annotation on the action, if fail redirect to an access denied page -- defaults to the admin role only if the annotation isn't present)

for user rehydration -- re-attach the logged in user to the persistence session.


Why not add audit trail to your list?



SCJP 1.4 * SCWCD 1.4 * SCBCD 1.3 * SCJA 1.0 * TOGAF 8
Eric Nielsen
Ranch Hand

Joined: Dec 14, 2004
Posts: 194
because I haven't had that as a requirement, yet
 