February 2005
Intermediate to advanced
528 pages
12h 53m
English
You want to allow a user to access an action if that user has a specific role.
Use the roles attribute of the action element to specify the roles that are permitted to use the action:
    <!-- Display all users -->
    <action path="/ViewUsers"
            forward="/view_users.jsp"
            roles="manager,sysadmin"
    />

Struts actions, configured via the action element in the struts-config.xml file, can be restricted to certain roles using the roles attribute. This attribute accepts a comma-separated list of role names. When a request is received for the action, the RequestProcessor.processRoles() method checks that the user has at least one of the roles specified. If the user doesn't have one of the roles, the HTTP 403 error (Forbidden) is sent; otherwise, processing continues normally. Here is the processRoles() method from the Struts RequestProcessor:

    protected boolean processRoles(HttpServletRequest request,
                                   HttpServletResponse response,
                                   ActionMapping mapping)
        throws IOException, ServletException {

        // Is this action protected by role requirements?
        String roles[] = mapping.getRoleNames();
        if ((roles == null) || (roles.length < 1)) {
            return (true);
        }

        // Check the current user against the list of required roles
        for (int i = 0; i < roles.length; i++) {
            if (request.isUserInRole(roles[i])) {
                if (log.isDebugEnabled()) {
                    log.debug(" User '" + request.getRemoteUser() +
                              "' has role '" + roles[i] + "', granting access");
                }
                return (true);
            }
        }

        // The current ...
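
The first branch of processRoles() returns true when an action has no role names, so an action element without a roles attribute is not restricted by this check at all. The following audit script is an added example, not code from the book or from Struts: it lists which actions in a struts-config.xml carry role restrictions and which do not. The sample config, the com.example class names, the public_paths allowlist and the role-splitting rule (split on commas, trim, drop empties) are assumptions made for illustration.

```python
"""Audit a struts-config.xml for actions the roles check would not restrict."""
import xml.etree.ElementTree as ET

# Constructed sample config; only /ViewUsers comes from the recipe above.
SAMPLE_CONFIG = """
<struts-config>
  <action-mappings>
    <action path="/ViewUsers" forward="/view_users.jsp"
            roles="manager,sysadmin"/>
    <action path="/DeleteUser" type="com.example.DeleteUserAction"/>
    <action path="/EditUser" type="com.example.EditUserAction" roles=" "/>
    <action path="/Welcome" forward="/welcome.jsp"/>
  </action-mappings>
</struts-config>
"""


def parse_roles(value):
    """Split a roles attribute into names (assumed: comma-split, trimmed)."""
    if value is None:
        return []
    return [r.strip() for r in value.split(",") if r.strip()]


def audit_actions(config_xml, public_paths=()):
    """Return (restricted, unrestricted) for every <action> in the config.

    restricted maps path -> list of role names; unrestricted lists paths with
    no usable roles attribute that are not in the reviewed public_paths set.
    """
    root = ET.fromstring(config_xml)
    restricted, unrestricted = {}, []
    for action in root.iter("action"):
        path = action.get("path", "<no path>")
        roles = parse_roles(action.get("roles"))
        if roles:
            restricted[path] = roles
        elif path not in public_paths:
            unrestricted.append(path)
    return restricted, unrestricted


if __name__ == "__main__":
    restricted, unrestricted = audit_actions(SAMPLE_CONFIG, {"/Welcome"})
    for path, roles in restricted.items():
        print(f"{path}: requires one of {roles}")
    for path in unrestricted:
        print(f"{path}: not restricted by the roles check")
```

An action reported as unrestricted may still be covered by a container security constraint or a check inside the Action class, so treat the list as items to review.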