Question

In my struts application, I want to selectively redirect some Users (based on their role) to a static page when they access some of the actions.

I am not looking for a full-fledged Authorization solution here, but my problem is very similar.

Is there a way to put some flag or any other detail with an action in struts-config.xml which can be used in java code to identify if the actions fall in the category for which I want to deny access selectively?

NOTE: I do not directly extend org.apache.struts.action.Action for my actions. Instead I have defined an abstract class that extends org.apache.struts.action.Action, and the rest of the actions in my application extend this abstract class. Thus, I can perform validation here. I can identify the type of action here using mappings.getPath(). But I don't want to hardcode the list of paths that I want to selectively deny access to; instead I am looking to see if this can be configured in struts-config.xml.


Solution

This can be configured in the struts-config.xml file by using the roles attribute on the <action> configuration. You can specify the roles that your users should have to get access to that particular action.

With this you can avoid doing the test on the mappings.getPath() (which I agree with you that it is an ugly solution).

Once the roles are configured, you could then create yourself a custom request processor to process those roles in whatever way you like.

You can find more information on Struts' security roles on the web, but here is a basic example to get you started.
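
The approach described in the answer, sketched as an added example that is not part of the original answer: a Struts 1 request processor that reads the roles attribute of the matched action and redirects to a static page when the user holds none of the listed roles. The package, class name, action path, role names and /denied.html are hypothetical, and it assumes roles come from container-managed authentication through request.isUserInRole().

```java
package example.web; // hypothetical package

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

/*
 * struts-config.xml (constructed sample; paths and role names are made up):
 *
 *   <action path="/reports" type="example.web.ReportsAction"
 *           roles="manager,auditor"/>
 *
 *   <controller processorClass="example.web.RoleRedirectRequestProcessor"/>
 */
public class RoleRedirectRequestProcessor extends RequestProcessor {

    // Static page shown to users without a matching role (hypothetical path).
    private static final String DENIED_PAGE = "/denied.html";

    @Override
    protected boolean processRoles(HttpServletRequest request,
                                   HttpServletResponse response,
                                   ActionMapping mapping)
            throws IOException, ServletException {
        // Roles parsed from the comma-separated roles="..." attribute.
        String[] roles = mapping.getRoleNames();
        if (roles == null || roles.length == 0) {
            return true; // action carries no role restriction
        }
        for (String role : roles) {
            // Assumption: the container knows the user's roles. If they
            // live in the session instead, replace this check.
            if (request.isUserInRole(role)) {
                return true; // continue normal processing
            }
        }
        // No match: redirect rather than answer with HTTP 403 as the
        // stock processor does. Returning false stops processing, so
        // the Action itself is never executed for this request.
        response.sendRedirect(response.encodeRedirectURL(
                request.getContextPath() + DENIED_PAGE));
        return false;
    }
}
```

Because the check runs in the request processor, an action is protected by its configuration alone and no path list has to be kept in the abstract base Action. Applications that use Tiles would extend TilesRequestProcessor instead of RequestProcessor.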

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow