
List:       struts-user
Subject:    Re: Finegrained access control
From:       "Mark Lowe" <melowe () gmail ! com>
Date:       2006-02-28 23:46:47
Message-ID: 3e1257da0602281546m5b54fd90we070e341ee53137b () mail ! gmail ! com

On 2/28/06, Dave Newton <newton@pingsite.com> wrote:
> Morten Andersen wrote:
> > Now if I can determine whether the user has logged in. How can I use
> > the request parameters to determine the user's role on specific pages?
> > I know that I can invent my own control, it just seems like something
> > many others would need. Any tools available?

You'll know the user is logged in otherwise s/he can only see the login page.

When you log in to a realm, no matter what you're using to log in (JAAS
module, JDBC/datasource realm auth, LDAP, whatever), the authenticator
has to put a security principal in the user's session that must be
accessible by request.getUserPrincipal() and also request.isUserInRole()
(or some jazz like that).

First make sure your login is all working, and then in your welcome page
do something like

<%= request.getUserPrincipal() %>

If it works it should give you a toString representation of a class that
implements Principal. In Tomcat it's something like GenericUserPrincipal.
Assuming you've used a JDBC or datasource realm and the query works etc.
and so on, the Principal has the roles listed from the relevant query.

Get this far and you're done; you can use finer-grained control (which
roles can do which actions in struts-config).

<action path="/foo" roles="manager,slave" ..

Mark

>
> I still don't get this: why would you want request parameters to have
> anything to do with determining security/access levels? That seems
> really dangerous.
>
> Are you talking about adding request _attributes_ to determine view issues?
>
> Dave
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org

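As an added example that is not part of this thread (a plain servlet filter in Java; the path prefixes and role names are hypothetical), this is one way to enforce the per-path role check the reply describes, driven only by the principal the realm established at login and never by request parameters, which is the concern Dave raises:

```java
// Added example: enforce path -> role rules with the container's isUserInRole(),
// the same check Struts 1 makes for an <action roles="..."> entry. Rules are hypothetical.
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RoleFilter implements Filter {
    // Hypothetical rules: path prefix -> roles allowed (first matching prefix wins),
    // mirroring <action path="/foo" roles="manager,slave"> in struts-config.xml.
    private static final Map<String, String[]> RULES = new LinkedHashMap<>();
    static {
        RULES.put("/admin/", new String[] {"manager"});
        RULES.put("/reports/", new String[] {"manager", "slave"});
    }

    // Decision uses getUserPrincipal()/isUserInRole() populated by the realm at login;
    // nothing the client sends (e.g. a ?role=manager parameter) is consulted.
    static boolean allowed(HttpServletRequest req) {
        if (req.getUserPrincipal() == null) {
            return false;                           // not authenticated: login page only
        }
        String path = req.getServletPath() + (req.getPathInfo() == null ? "" : req.getPathInfo());
        for (Map.Entry<String, String[]> rule : RULES.entrySet()) {
            if (path.startsWith(rule.getKey())) {
                for (String role : rule.getValue()) {
                    if (req.isUserInRole(role)) {
                        return true;                // holds one of the listed roles
                    }
                }
                return false;                       // rule matched, but no listed role held
            }
        }
        return true;                                // no rule for this path: any logged-in user
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        if (allowed(req)) {
            chain.doFilter(request, response);
        } else {
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

Map the filter to the protected URL patterns in web.xml; a 403 here means the realm authenticated the user but the query behind it did not return a role the rule lists.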


