Re: Basic security problem

2010-04-16 Thread Juan Chung
Place your rights-control check in a filter, i.e. whenever the user sends a request to the server, retrieve their rights information, then compare the request URI; if it matches, the user has been granted to do so, otherwise they do not have the proper right. Good luck. On 04/16/2010 10:36 AM, Stephane Cosmeur wrot

Re: Basic security problem

2010-04-16 Thread Dale Newfield
Hand-rolled security almost always has many holes. I would suggest using Spring Security. Cimballi wrote: One way to do it is to have a super action with a permission property, and you set the permission property with a static param in your struts xml files using the StaticParameters intercepto

RE: Basic security problem

2010-04-16 Thread adam pinder
> From: cosm...@gmail.com > Date: Fri, 16 Apr 2010 11:28:05 +0800 > Subject: Re: Basic security problem > To: user@struts.apache.org; cimba...@cimballi.net > > Thank you for answers. > > Your method looks good Cimbali. But do you think it would be really better > th

Re: Basic security problem

2010-04-15 Thread Stephane Cosmeur
Thank you for the answers. Your method looks good, Cimballi. But do you think it would be really better than an object which describes the role of the user, stored in the session map? At the first line of each action in Java, I would have: 'if (role.hasRighMethodName == true) ..' Do you think your method is

Re: Basic security problem

2010-04-15 Thread Cimballi
Hi Stephane, As Kun says, you have to test the role in your action. One way to do it is to have a super action with a permission property, and you set the permission property with a static param in your struts xml files using the StaticParameters interceptor. Then, you add a hasPermission method t
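The following is an added example, not code posted in this thread or shipped by Struts, showing one way to implement the design Cimballi describes (a super action whose permission property is filled by the staticParams interceptor) as a Struts 2 interceptor, rather than repeating an if-check at the first line of every action as Stephane proposed. The class names SecuredAction, PermissionInterceptor and UserRole, the session key "userRole" and the result name "denied" are assumptions; only the XWork/Struts 2 types (ActionSupport, AbstractInterceptor, ActionInvocation, Action.LOGIN) are real.

```java
// Added example (not from the thread). Assumed names: UserRole, SecuredAction,
// PermissionInterceptor, the session key "userRole" and the result "denied".
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

// Assumed shape of what the login action stores in the session map.
class UserRole {
    private final Set<String> permissions = new HashSet<String>();

    UserRole(String... perms) {
        for (String p : perms) {
            permissions.add(p);
        }
    }

    boolean hasPermission(String permission) {
        return permissions.contains(permission);
    }
}

// Super action. The staticParams interceptor calls setPermission() with the
// value of <param name="permission"> declared for the action in struts.xml.
abstract class SecuredAction extends ActionSupport {
    private String permission;

    public void setPermission(String permission) {
        this.permission = permission;
    }

    public String getPermission() {
        return permission;
    }
}

// Placed in the interceptor stack after staticParams, so the permission
// property is already populated when intercept() runs.
public class PermissionInterceptor extends AbstractInterceptor {
    static final String ROLE_KEY = "userRole"; // assumed session key
    static final String DENIED = "denied";     // assumed global result name

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        Map<String, Object> session = invocation.getInvocationContext().getSession();
        UserRole role = (UserRole) session.get(ROLE_KEY);
        if (role == null) {
            return Action.LOGIN; // not authenticated
        }

        Object action = invocation.getAction();
        if (!(action instanceof SecuredAction)) {
            // Fail closed: an action that does not declare a permission is refused,
            // so forgetting the <param> in struts.xml cannot silently open a URL.
            return DENIED;
        }

        String required = ((SecuredAction) action).getPermission();
        if (required == null || required.isEmpty() || !role.hasPermission(required)) {
            return DENIED;
        }
        return invocation.invoke();
    }
}

/*
 * struts.xml wiring (assumed names):
 *
 *   <interceptors>
 *     <interceptor name="permission" class="PermissionInterceptor"/>
 *     <interceptor-stack name="securedStack">
 *       <interceptor-ref name="defaultStack"/>   <!-- contains staticParams -->
 *       <interceptor-ref name="permission"/>
 *     </interceptor-stack>
 *   </interceptors>
 *   <default-interceptor-ref name="securedStack"/>
 *   <global-results>
 *     <result name="denied">/denied.jsp</result>
 *     <result name="login">/login.jsp</result>
 *   </global-results>
 *
 *   <action name="deleteUser" class="DeleteUserAction">
 *     <param name="permission">user.delete</param>
 *     <result>/userDeleted.jsp</result>
 *   </action>
 */
```

The check runs once, centrally, for every action in the package, so a new action cannot be deployed without a permission and the comparison is against the permission the action itself declares rather than against the request URI, which is what the filter-based variant earlier in the thread matches on.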

Re: Basic security problem

2010-04-15 Thread Kun Niu
You should check the authentication all by yourself in your action. Stephane Cosmeur wrote: Hello Struts users, I have a really basic security problem and I would like to know what is the best practice to resolve it. I have an application with an authentication system and different rights for