I have an appication developed in struts. I have two interfaces one for student and another for admin. when I login as student I can access pages of Admin if I want to and vice sa versa. I want to stop this example if i log on as student and I cut copy paste a url from admin side i should not be able to view it.
Is there any way by which i can acheive this in struts.
However you do it, the important thing is that each Action for which only an administrator is allowed access must check the profile. If the profile is student, it should forward to a "Not Authorized" error page.
A similar task is currently on my "to do" list. I took a look at the other thread and I see that I added advice on how to create a custom ActionMapping class. I wonder if I could have given advice that would have made Dom's life easier.
Looking at the attributes available on the action element, I see one named roles. The basic description for this attribute is "A comma-delimited list of security role names allowed to invoke this Action." Maybe he did not need to create a custom ActionMapping class, but instead could have just used this attribute. That is what I plan on doing.
Looking at the default code in RequestProcessor, the code looks like what I need for my project. I already have roles defined in web.xml and users are mapped to roles. The default code throws a 400 error if the role check fails. I already have custom RequestProcessor, so it would not be a big deal to override the processRoles method if I wanted to customize the behavior.
The above assumes that you are using J2EE container security and making known your user's credentials to the container. For more details on this, read chapter 32 of Sun's J2EE Tutorial [ August 16, 2006: Message edited by: Merrill Higginson ]
Since I posted the above, I realized that the code in the Action class isn't necessary. If you specify one or more roles in your action mapping, Struts will check the roles before it calls execute on your Action class. If the user isn't authorized, I believe it sends a "404" exeption to the browser.
If I get something working I will let you know. For the record I have pasted the source code from Struts 1.1 source below. It is basically what Merrell posted. If you are not using J2EE...err...JEE security then it would be pretty easy to implement your own processRoles method. Maybe you could store a list of the user's current roles on the session and then check that against the list that you get from mapping.getRoleNames().
My one concern about using this mechanism is that it could introduce a lot of development and testing overhead to a large project. Think about defining exactly what roles should be applied to 100's of action mappings and then what if you add a new role. It is doable and maybe important enough that it should be done but it will be a bit of work for my team to retrofit into an existing application.