Kelly.Graus wrote:
> My questions:
> 1. I'm very new at Struts and servlet technologies in general. I'm
> thinking that there might be ways for a user to add session objects, so they
> could just add an object to the session with the same names that I am using for
> roles.
The session is managed by Tomcat/your container, and if your webapp
created it, only your web application can access it [footnote 1].
You just need to ensure there's no way for one of your users to forge a
request that will cause your application to enable additional roles.
It sounds like you're storing each role in the session as a separate
object. It would be better if your Principal were stored in the session
and had a collection of Roles on it.
Tomcat's GenericPrincipal is a good example:
http://tomcat.apache.org/tomcat-5.5-doc/catalina/docs/api/org/apache/catalina/realm/GenericPrincipal.html
[footnote 1] This isn't entirely true - some containers allow you to
configure sessions that can be shared across multiple webapps. It's just
not the default case.
> Is this really the
> case, and if so, is there a way to directly check the user roles in the jsp
> page?
When your Principal is in the session and has a getRoles and hasRole
method then you can invoke these from within your action and jsp.
Make sure you provide protection at the action-level, not just the JSP,
as users can bypass the view, i.e. don't just hide buttons in the JSP.
Within your JSPs you can access the session through #session. I create
custom tags for this.
Within your actions you can implement SessionAware and/or PrincipalAware.
Protection at the action-level is where interceptors become important.
Rather than repeating the code (getPrincipal().hasRole("admin")), an
interceptor can be used to protect many actions without duplicating code.
Acegi does this in a framework-independent and flexible manner, but it's
also common to create a simple Struts2 interceptor that gets the
Principal from the session and only allows the invocation to proceed if
the user has the appropriate role. You add the interceptor to your
Package in struts.xml, pass the role name through a Parameter and your
actions are all protected.
> 2. In my index.jsp, the links are set like so:
> href="<s:url action="/jsp/protected/translator/GetTerm_input"/>"
> Instead of resolving the link to something like
> ...TermsTranslator/jsp/protected/translator/GetTerm_input.action, it
> resolves to
> ...TermsTranslator/jsp/protected//jsp/protected/translator/GetTerm_input.action.
> It actually runs the actions, but there seems to be some problems with
> them (I haven't had time to do more debugging with them yet). Is this
> normal, or do I have the links screwed up somehow?
This is not normal and you've screwed up somehow. Remove the leading slash.
> 3. I don't yet fully understand the purpose of namespaces in the Struts
> package definition. Currently I have two packages, public and protected.
> Public has namespace="/jsp", and protected has namespace="/jsp/protected".
> Does this sound correct? Or should I have 4 packages, with namespaces /jsp,
> /jsp/protected/index, /jsp/protected/translator, and /jsp/protected/admin?
The namespace attribute of each package maps the actions in the package
to a base path as you've described.
What you have sounds correct. Create additional packages (eg.
/jsp/protected/admin) if you like the look of that URL for those specific
actions, or if you'd like to apply different interceptors or security
constraints to that path.
It's okay to just have /jsp/protected/.
Hope that helps,
Jeromy Evans
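As an added illustration of the approach Jeromy describes (a single Principal in the session with a role collection, checked by a Struts 2 interceptor that takes the role name as a parameter), here is example code written for this edit; it is not from the original message or from the Struts project. The class names UserPrincipal and RoleInterceptor, the package example.security, the session key "principal", and the result name "unauthorized" are assumptions; the struts.xml fragment in the comment shows how the interceptor would be wired into the /jsp/protected package.

```java
// Added example (not from the original message or from the Struts project).
// Assumed names: package example.security, session key "principal",
// result names "login" and "unauthorized". In a project each class lives in
// its own file; they are shown together here.
package example.security;

import java.io.Serializable;
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

// --- UserPrincipal.java -------------------------------------------------
/**
 * One Principal per session carrying the user's roles (the same idea as
 * Tomcat's GenericPrincipal).  Only server-side login code constructs it,
 * e.g. a SessionAware action doing
 *   session.put(UserPrincipal.SESSION_KEY, new UserPrincipal(name, roles));
 * so nothing a user puts in a request can add a role to the session.
 */
public class UserPrincipal implements Principal, Serializable {
    public static final String SESSION_KEY = "principal";

    private final String name;
    private final Set<String> roles;

    public UserPrincipal(String name, Set<String> roles) {
        this.name = name;
        // defensive copy, then read-only: the role set cannot change after login
        this.roles = Collections.unmodifiableSet(new HashSet<String>(roles));
    }

    public String getName() { return name; }

    public Set<String> getRoles() { return roles; }

    /** Usable from OGNL in a JSP: <s:if test="#session.principal.hasRole('admin')"> */
    public boolean hasRole(String role) { return roles.contains(role); }
}

// --- RoleInterceptor.java -----------------------------------------------
/**
 * Refuses to invoke the action unless the session's Principal holds the
 * configured role.  The role is set from struts.xml, so one class protects
 * every action in a package without repeating hasRole() checks:
 *
 *   <package name="protected" namespace="/jsp/protected" extends="struts-default">
 *     <interceptors>
 *       <interceptor name="roleCheck" class="example.security.RoleInterceptor"/>
 *       <interceptor-stack name="securedStack">
 *         <interceptor-ref name="roleCheck">
 *           <param name="role">translator</param>
 *         </interceptor-ref>
 *         <interceptor-ref name="defaultStack"/>
 *       </interceptor-stack>
 *     </interceptors>
 *     <default-interceptor-ref name="securedStack"/>
 *     <global-results>
 *       <result name="login">/jsp/login.jsp</result>
 *       <result name="unauthorized">/jsp/unauthorized.jsp</result>
 *     </global-results>
 *     ... action mappings ...
 *   </package>
 *
 * Placing roleCheck before defaultStack means the check runs before the
 * params interceptor copies request parameters onto the action.
 */
public class RoleInterceptor extends AbstractInterceptor {
    private String role;

    /** Set by <param name="role"> in struts.xml. */
    public void setRole(String role) { this.role = role; }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        Map<String, Object> session = invocation.getInvocationContext().getSession();
        Object p = (session == null) ? null : session.get(UserPrincipal.SESSION_KEY);

        if (!(p instanceof UserPrincipal)) {
            return Action.LOGIN;          // not logged in -> "login" result
        }
        if (role == null || !((UserPrincipal) p).hasRole(role)) {
            return "unauthorized";        // logged in, wrong role: action never runs
        }
        return invocation.invoke();       // authorised: continue down the stack
    }
}
```

Hiding a button in the JSP with <s:if test="#session.principal.hasRole('admin')"> is still useful for the UI, but the interceptor is what actually enforces the constraint, since a user can request the action URL directly without ever rendering the page.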