Thanks a lot, but I am using Struts 1.2.9 and at the present time it's difficult
to upgrade to Struts 2.x.
Richard Sayre wrote:
An interceptor is exactly like a filter. It runs before and after an
action executes.
Check out the following:
http://struts.apache.org/2.x/docs/interceptors.html
http://struts.apache.org/2.x/docs/writing-interceptors.html
Also the "FAQ" section at the bottom of the first link has some useful
information.
Here is my intercept method from the SystemAdmin check:
    public String intercept(ActionInvocation actionInvocation) throws Exception {
        // get my user object from the session
        Map session = ActionContext.getContext().getSession();
        User user = (User) session.get(Constants.USER_SESSION_KEY);
        // no user in the session, or a user who is not a system admin, is denied
        boolean allowAccess = (null != user) && (user.getSystemAdmin());
        if (allowAccess) {
            return actionInvocation.invoke();
        } else {
            return BaseAction.NO_ACCESS;
        }
    }
Next I had to add the interceptor to my SysAdmin package:
    <interceptors>
        <interceptor name="accessChecker"
                     class="rs.app.SystemAdminAccessInterceptor"/>
        <interceptor-stack name="sysAdminDefault">
            <interceptor-ref name="accessChecker"/>
            <interceptor-ref name="defaultStack"/>
        </interceptor-stack>
    </interceptors>
and change the default stack:
    <default-interceptor-ref name="sysAdminDefault"/>
Now every action in that package will call my access checker before it
executes. If the check fails then the NO_ACCESS constant is returned
(which is a constant in my BaseAction class which equals "noAccess").
Now that I think about it, I'm not sure if I should have put that
constant in that class......anyway...
I defined a global result to handle the noAccess result:
    <global-results>
        <result name="noAccess" type="redirect-action">
            <param name="actionName">Home</param>
            <param name="namespace">/</param>
        </result>
    </global-results>
This result returns the user to the Home screen. In my case the user
should never see the link that takes them to restricted parts of the
page. I wrote this in case a curious user started typing in URLs. I
don't give them an error; I just kick them back to the main page.
On 8/6/07, Jim Theodoridis <[EMAIL PROTECTED]> wrote:
I wrote a "LoadApplication" action that executes after my user has
logged in. It checks the database to see what roles they have and it
fills the session with a few variables such as...
I am thinking of doing the same with a filter. Is it possible?
I am using DispatchAction a lot. Is it possible to allow a function action
like list and to deny create?
Thanks, but I have never worked with interceptors.
Richard Sayre wrote:
I wrote a "LoadApplication" action that executes after my user has
logged in. It checks the database to see what roles they have and it
fills the session with a few variables such as
admin = true;
designer = false; etc.
by default they are all false.
Then I wrote an interceptor that checked their access from the
session. If they have access the Action they are requesting would
execute. If they did not have access I would redirect them to the
main page. You could also have the interceptor check the Database
directly. I am not a security expert, but this should be more secure
than storing those values in session. There will be more overhead in
checking the database before every action.
On 8/6/07, Jim Theodoridis <[EMAIL PROTECTED]> wrote:
Hello
I am using my own security manager to login to a struts application.
I am looking for a way to fire an action only when the user who logs in
has the right permissions.
Any suggestions?
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
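
Added example, not part of the original thread or of Struts itself: a servlet filter for Struts 1.x that performs the same session check as the interceptor quoted above and covers the DispatchAction question by letting any logged-in user call list while restricting create to admins. The session keys "user" and "admin", the method names, the dispatch parameter name "method" and the /Home.do redirect target are all assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Assumes the DispatchAction mappings use parameter="method" and that the
// login code stores a user object under "user" and a Boolean under "admin"
// (hypothetical session keys).
public class DispatchAccessFilter implements Filter {
    // Methods any logged-in user may call; every other method needs admin.
    private static final Set<String> OPEN_METHODS =
            new HashSet<String>(Arrays.asList("list", "view"));

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(false); // never create a session here
        boolean loggedIn = session != null && session.getAttribute("user") != null;
        if (!loggedIn || !isAllowed(req.getParameter("method"),
                                    session.getAttribute("admin"))) {
            // Same behaviour as the noAccess result: back to the home page.
            res.sendRedirect(req.getContextPath() + "/Home.do");
            return; // the action is never invoked
        }
        chain.doFilter(rq, rs);
    }

    // Default deny: a missing or unknown method name counts as restricted,
    // so a request without the parameter cannot slip through to the action.
    static boolean isAllowed(String method, Object adminFlag) {
        if (Boolean.TRUE.equals(adminFlag)) {
            return true;
        }
        return method != null && OPEN_METHODS.contains(method);
    }
}
```

The filter has to be mapped in web.xml to the URL pattern of the protected actions, and the parameter name it reads must match the parameter attribute of the action mappings, otherwise it checks a value Struts never uses for dispatch.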