1
votes

I have an application based on Java/Struts/Hibernate. It has two types of users: Admin and Normal user. I created separate Struts pages for both roles and actions.

But when I type an admin action into the URL after logging in as a Normal user, the admin pages are accessible to the normal user. How can I fix this?

I have the action classes for admin and user in separate XML files, which are included in struts.xml. If you use the application normally, everything works fine. But consider an action in struts-admin, e.g. adminHome: its URL will be localhost:8080/app/adminHome. If a normal user logs in, the URL will be localhost:8080/app/normalHome. But if the normal user changes normalHome to adminHome, he can access the Admin pages.

UPDATE:

As I said earlier, I have the admin and user actions in different packages in struts.xml. Can I get the package name in Java? Then I could compare it with user_role and direct to the admin/normal pages.

Post your code first. – SatyaTNV
Show us some code and what ideas / ways you have in mind. – Bond - Java Bond
Edited the post. Actually I need some authorization method to perform in my application. – Donyboy
Which Struts version? Show your code and configuration. – Aleksandr M
I already have interceptors in my application. How can I customize them to select admin/user based on the action class? – Donyboy

2 Answers

1
votes

See this code

In login action class write after user has entered correct details then

session.setAttribute("user_id","userid");//store user id in session scope
session.setAttribute("user_designation","userdesignation");//store designation in session scope

later return role (user designation) either admin or user in login action class.

return "userdesignation";//admin or user

In struts.xml, write the forward configuration for the login action like this:

<action input="/index.jsp" name="Login_Check" path="/login" scope="request" type="com.mycompany.Login_Action" validate="true">
    <forward name="admin" path="/adminhome.jsp"/> <!-- if the action returns "admin" -->
    <forward name="user" path="/userhome.jsp"/>   <!-- if the action returns "user" -->
</action>

In the respective JSPs, check the designation like this:

<%-- adminhome.jsp: "admin".equals(...) is null-safe, so a missing session attribute is denied too --%>
<% if ("admin".equals(session.getAttribute("user_designation"))) { %>
     ..............<%-- JSP content --%>
<% } else {
       response.sendRedirect("some page");
       return; // stop here, otherwise the rest of the page is still rendered after the redirect
   } %>

<%-- userhome.jsp --%>
<% if ("user".equals(session.getAttribute("user_designation"))) { %>
     ..............<%-- JSP content --%>
<% } else {
       response.sendRedirect("some page");
       return;
   } %>

Only if the check is true, display the respective JSP. Otherwise, please redirect him/her to the login or index page and display a message.
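The per-page check above has to be repeated in every JSP, and it runs only after the action has already executed. An added example (not part of the answer above, and not the asker's code) that moves the same session-role check into one servlet filter in front of Struts, so neither the admin action nor its JSP runs for a normal user. It assumes the login action stores the role in the session attribute `user_designation` as the answer describes; the class name, the public paths and the `/admin` and `/normal` prefixes are assumptions chosen to match the action names in the question (`adminHome`, `normalHome`).

```java
package com.example.security;

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Hypothetical filter, example code rather than the answer's own.
 * Map it to /* in web.xml ahead of the Struts filter so it runs first:
 *   <filter>
 *     <filter-name>roleFilter</filter-name>
 *     <filter-class>com.example.security.RoleFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>roleFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class RoleFilter implements Filter {

    /** Session attribute the login action writes (name taken from the answer). */
    static final String ROLE_ATTR = "user_designation";

    /** Reachable without a session. Assumed names; logout needs no role. */
    static final Set<String> PUBLIC_PATHS =
            new HashSet<>(Arrays.asList("/", "/index.jsp", "/login", "/login.jsp", "/logout"));

    /** Path prefix -> required role. Assumed to match the action names in the question. */
    static final Map<String, String> ROLE_BY_PREFIX = new LinkedHashMap<>();
    static {
        ROLE_BY_PREFIX.put("/admin", "admin");   // adminHome, adminhome.jsp, ...
        ROLE_BY_PREFIX.put("/normal", "user");   // normalHome, ...
    }

    enum Decision { ALLOW, LOGIN, FORBID }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Decoded, normalised path inside the web app ("/adminHome" for /app/adminHome).
        // getRequestURI() is the raw, still-encoded URI; do not match prefixes on that.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }

        HttpSession session = request.getSession(false);
        Object role = (session == null) ? null : session.getAttribute(ROLE_ATTR);

        switch (decide(path, role)) {
            case ALLOW:
                chain.doFilter(req, res);   // only here does Struts run the action
                break;
            case LOGIN:
                response.sendRedirect(request.getContextPath() + "/login");
                break;
            default:                        // FORBID: logged in, but wrong role
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    /**
     * Pure access decision, so it can be unit-tested without a container.
     * Default deny: a path that is neither public nor under a known prefix is
     * refused even for a logged-in user, so a new action cannot be exposed
     * by forgetting to list it.
     */
    static Decision decide(String path, Object sessionRole) {
        if (PUBLIC_PATHS.contains(path)) {
            return Decision.ALLOW;
        }
        if (!(sessionRole instanceof String)) {
            return Decision.LOGIN;          // no session or no role attribute
        }
        for (Map.Entry<String, String> e : ROLE_BY_PREFIX.entrySet()) {
            if (path.startsWith(e.getKey())) {
                return e.getValue().equals(sessionRole) ? Decision.ALLOW : Decision.FORBID;
            }
        }
        return Decision.FORBID;
    }
}
```

Because the filter keys on path prefixes, keep the admin actions and any directly addressable JSPs under a common prefix, or better, move the JSPs under /WEB-INF so they can only be reached through an action, and make sure the login action writes exactly the role strings the filter compares against.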

1
votes

You can try roles interceptor to suit your needs.

This interceptor ensures that the action will only be executed if the user has the correct role.

It has two parameters:

  • allowedRoles - a comma-separated list of roles to allow
  • disallowedRoles - a comma-separated list of roles to disallow

that you can configure in the action config. For example

<!-- only allows the admin roles -->
<action name="adminAction" class="com.examples.AdminAction">
    <interceptor-ref name="defaultStack"/>
    <interceptor-ref name="roles">
      <param name="allowedRoles">admin</param>
    </interceptor-ref>
    <result>good_result.ftl</result>
</action>

<!-- only allows the member roles -->
<action name="memberAction" class="com.examples.MemberAction">
    <interceptor-ref name="defaultStack"/>
    <interceptor-ref name="roles">
      <param name="allowedRoles">member</param>
    </interceptor-ref>
    <result>good_result.ftl</result>
</action>

This way you can use a roles interceptor to restrict access to the actions.
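One caveat a practitioner will hit: the built-in roles interceptor decides with HttpServletRequest.isUserInRole, which is only populated when the container authenticated the user (a security-constraint and realm in web.xml). With a home-grown login action that just writes the role into the session, as in this question, it denies everyone. An added example (not from the answer above and not part of Struts) of a small interceptor that takes the same allowedRoles / disallowedRoles parameters but reads the role from the session, and of wiring it once at package level so every action in the admin package, including ones added later, is covered. The session key `user_designation`, the class and package names, and the `denied` result are assumptions.

```java
package com.example.security;

import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/*
 * Hypothetical Struts 2 interceptor (example code). Register it in the admin
 * package as the default stack, with the role check ahead of defaultStack so
 * request parameters are not even bound onto the action for an outsider:
 *
 *   <package name="admin" namespace="/" extends="struts-default">
 *     <interceptors>
 *       <interceptor name="sessionRole" class="com.example.security.SessionRoleInterceptor"/>
 *       <interceptor-stack name="adminStack">
 *         <interceptor-ref name="sessionRole">
 *           <param name="allowedRoles">admin</param>
 *         </interceptor-ref>
 *         <interceptor-ref name="defaultStack"/>
 *       </interceptor-stack>
 *     </interceptors>
 *     <default-interceptor-ref name="adminStack"/>
 *     <global-results>
 *       <result name="denied" type="redirectAction">login</result>
 *     </global-results>
 *     <action name="adminHome" class="com.example.AdminHomeAction">
 *       <result>/WEB-INF/jsp/adminhome.jsp</result>
 *     </action>
 *   </package>
 */
public class SessionRoleInterceptor extends AbstractInterceptor {

    /** Session attribute written by the login action (assumed name). */
    public static final String SESSION_ROLE_KEY = "user_designation";

    /** Result name mapped to a global result in struts.xml (assumed). */
    public static final String DENIED = "denied";

    private Set<String> allowedRoles = new HashSet<>();
    private Set<String> disallowedRoles = new HashSet<>();

    /** Struts calls these setters with the <param> values from struts.xml. */
    public void setAllowedRoles(String roles) {
        allowedRoles = parseRoles(roles);
    }

    public void setDisallowedRoles(String roles) {
        disallowedRoles = parseRoles(roles);
    }

    /** Splits a comma-separated role list, ignoring blanks. */
    static Set<String> parseRoles(String roles) {
        Set<String> set = new HashSet<>();
        if (roles != null) {
            for (String r : roles.split(",")) {
                String trimmed = r.trim();
                if (!trimmed.isEmpty()) {
                    set.add(trimmed);
                }
            }
        }
        return set;
    }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        // This map is the HttpSession as Struts exposes it; session.setAttribute(...)
        // in the login action is what puts the role here.
        Map<String, Object> session = invocation.getInvocationContext().getSession();
        Object role = (session == null) ? null : session.get(SESSION_ROLE_KEY);
        if (isAllowed(role, allowedRoles, disallowedRoles)) {
            return invocation.invoke();   // only now does the action itself run
        }
        return DENIED;                    // fail closed; no session, no role, wrong role
    }

    /** Pure decision, unit-testable without a Struts runtime. */
    static boolean isAllowed(Object role, Set<String> allowed, Set<String> disallowed) {
        if (!(role instanceof String)) {
            return false;                 // not logged in
        }
        if (disallowed.contains(role)) {
            return false;
        }
        return allowed.isEmpty() || allowed.contains(role);
    }
}
```

Putting the stack in default-interceptor-ref of the admin package answers the "different packages" part of the question: the package itself carries the role requirement, so no action inside it has to repeat the interceptor-ref, and an action that is only defined in the admin package cannot be reached by a user whose session role is not admin.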