In our application we used what we called a "guard tag". It is a simple
custom tag, which contains something like this:

  HttpSession session = pageContext.getSession();
  String userID = (String)session.getAttribute(Constants.USERID_KEY);

We put this tag at the beginning of a page:
  <acme:guard/>

If there is no userID in the session, then the user is a guest. If
userID exists, his credentials are verified. Different pages can have
different tags, so it is not very flexible role-wise, but allows creating
a simple "guest"/"not guest" system. Pages marked with "not
guest" are not shown to guests, as control is immediately dispatched
by the tag to the guard.do action, which shows the login page.

Your case is a little different, but maybe you will find our approach
worth considering.

Michael.

On 4/25/05, Scott Purcell <[EMAIL PROTECTED]> wrote:
> I am creating a shopping-cart type application using struts and have a 
> question. The site itself does not have any authentication on it, as people 
> just browse and add stuff to the cart.
> 
> But the site does require some data manipulation into the database. Upon 
> thinking about this, I would like to be able to have "certain" users click an 
> administration link and be able to administer some product details, 
> quantities, colors, etc.
> 
> I am trying to lay out a way to achieve this, and be secure at the same time. 
> I had thought about using the web-server authentication mechanism, or 
> form-based, and got confused. Most sites I have done use form-based, where we 
> pull out name, password from database, but I also believe some may use the 
> container's authentication scheme.
> 
> Can anyone give me some advice, pros-cons, examples, links of how to move 
> forward with this?
> 
> Thanks,
> 
> Scott
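
A handler for the guard tag described in the reply above could look like the following. This is an added example, not the code from the original post: the class name GuardTag, the value of Constants.USERID_KEY and the isStillValid hook are assumptions, and it uses the standard javax.servlet.jsp tag API.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpSession;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.TagSupport;

/** Handler for <acme:guard/>: lets known users through, sends guests to guard.do. */
public class GuardTag extends TagSupport {

    // Assumed value; the post only names Constants.USERID_KEY.
    static final class Constants {
        static final String USERID_KEY = "userID";
    }

    // Reset on every doStartTag() call, because containers may pool tag handlers.
    private boolean allowed;

    @Override
    public int doStartTag() throws JspException {
        // getSession() returns null when the page declares session="false".
        HttpSession session = pageContext.getSession();
        String userID = (session == null) ? null
                : (String) session.getAttribute(Constants.USERID_KEY);
        allowed = userID != null && isStillValid(userID);
        if (!allowed) {
            try {
                // Forwarding only works before output is committed,
                // which is why the tag sits at the top of the page.
                pageContext.forward("/guard.do");
            } catch (ServletException | IOException e) {
                throw new JspException("guard forward failed", e);
            }
        }
        return SKIP_BODY;
    }

    @Override
    public int doEndTag() {
        // SKIP_PAGE stops evaluation of the rest of the JSP. Returning
        // EVAL_PAGE here would still execute the protected page for guests.
        return allowed ? EVAL_PAGE : SKIP_PAGE;
    }

    // Hypothetical hook for the "credentials are verified" step.
    protected boolean isStillValid(String userID) {
        return !userID.isEmpty();
    }
}
```

The guard only protects pages that include the tag, so any JSP or action reachable without it is open to guests.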
