I think you will find information on container-based security in:

1) The J2EE tutorial from Sun
2) The Servlet Specification (should explain the method you cite as well as web.xml)
3) Articles/tutorials on JAAS

Since "container-based" security necessarily involves the container, you are going to have to consult vendor documentation as well.

The gist of the process you are asking about is, when the user submits his username and password to a container-based logon module, the module finds the user in a database (often an XML file). The user is mapped to a group and/or roles via this database. The container loads the relevant mappings into memory and somehow binds them to the user's session. Thus, when you ask isUserInRole(role), the container just consults those mappings. Tomcat comes with an example of this; see the documentation and the file "tomcat-users.xml".

Unfortunately with container-based security, you are stuck with a J2EE API that doesn't lend much granularity. I have usually gone the route of designing the security system as part of the application itself, depending on the application's requirements, and have forsaken container-managed security and those J2EE methods such as isUserInRole, unless the application is relatively simple. However, don't take that as advice necessarily. I would favor container-based security whenever it provides what you need without a lot of hassle.

Hope that helps any.

Erik

-----Original Message-----
From: Grzegorz Stasica <[EMAIL PROTECTED]>
Sent: Jun 28, 2005 12:34 PM
To: user@struts.apache.org
Subject: isUserInRole - how it works

Hi,

Actually my question is how to access container from struts action but if I know how isUserInRole is working I'll be able to solve my main problem which is: Is it possible to access container from action. I'm using securityfilter which extends BaseRealm. In this way I can put additional parameter to user being authorized but the problem is that I'm not able to access it from the action.

There is only the function: request.isUserInRole() but unfortunately I do not know how it works

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
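
The flow described in the reply above (find the user in the user file, map the user to roles, keep that mapping for the session, answer isUserInRole from it), as an added Java sketch that is not part of the original thread and is not Tomcat's or securityfilter's code. RealmSketch, UserPrincipal and the sample users are hypothetical; only the tomcat-users.xml element and attribute layout is taken from Tomcat.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

/** Toy realm modelling the flow in the reply; not Tomcat's code. Needs Java 16+. */
public class RealmSketch {
    // Constructed sample in the tomcat-users.xml layout; users and passwords are made up.
    static final String USERS_XML = "<tomcat-users>"
        + "<user username=\"alice\" password=\"s3cret\" roles=\"manager,reports\"/>"
        + "<user username=\"bob\" password=\"hunter2\" roles=\"reports\"/></tomcat-users>";

    /** What the container keeps for a logged-in user: the name plus the mapped roles. */
    record UserPrincipal(String name, Set<String> roles) {
        boolean isUserInRole(String role) { return roles.contains(role); }
    }
    private final Map<String, byte[]> passwords = new HashMap<>();
    private final Map<String, Set<String>> roles = new HashMap<>();
    RealmSketch(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse DOCTYPE so the user file cannot pull in external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList users = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
            .getElementsByTagName("user");
        for (int i = 0; i < users.getLength(); i++) {
            Element u = (Element) users.item(i);
            String name = u.getAttribute("username");
            passwords.put(name, u.getAttribute("password").getBytes(StandardCharsets.UTF_8));
            roles.put(name, Set.copyOf(Arrays.asList(u.getAttribute("roles").split(","))));
        }
    }

    /** Login step: constant-time password check, then a principal carrying the roles. */
    UserPrincipal authenticate(String user, String password) {
        byte[] expected = passwords.get(user);
        byte[] given = password.getBytes(StandardCharsets.UTF_8);
        if (expected == null || !MessageDigest.isEqual(expected, given)) return null;
        return new UserPrincipal(user, roles.get(user));
    }

    public static void main(String[] args) throws Exception {
        RealmSketch realm = new RealmSketch(USERS_XML);
        UserPrincipal p = realm.authenticate("bob", "hunter2"); // container ties p to the session
        System.out.println(p.isUserInRole("reports") + " " + p.isUserInRole("manager"));
        System.out.println(realm.authenticate("bob", "wrong"));
    }
}
```

The role check is a set lookup on data fixed at login, so a role change in the user file takes effect only when the user authenticates again in this model.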