
security check - authorization: security check on a method and how to invoke JavaScript

 
Peter Primrose
Ranch Hand
Posts: 755
Hi all,

I'm implementing a security mechanism that checks if a user is authorized to execute a command.

For this I created a class 'Permission' that checks a user's permissions against the system's permissions, and if the user has this permission, the user is authorized.

so basically it looks like this on the method:



1. I would like to know if anyone is using something similar (or maybe there's already a design pattern for this)

2. Say the user is not authorized, how do I invoke a JavaScript alert from the JSP page saying: "you are not authorized"

thank you!
 
Herman Schelti
Ranch Hand
Posts: 387
hi Peter,

you can program a forward to a "you are not authorised" page, or you can throw an exception and configure the forward.

I would not use an alert, just plain text; alerts can be very annoying if you get them a lot.
(and users that don't have JavaScript will never see them).

Herman

If possible: do your authorisation checks in 1 place, like in a Filter or some AbstractAction that your actions inherit from.
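An added example, not code from either poster, of the single-place check Herman describes: a servlet Filter in front of the Struts actions that maps protected paths to the roles allowed to call them, uses the container's role information, and forwards to a plain "not authorised" page rather than raising a JavaScript alert. The two paths, the role names and the `/notAuthorised.jsp` page are assumptions for illustration.

```java
// Added example (not from the thread): authorization in one place, as a
// servlet Filter, instead of inside every Action.
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class AuthorizationFilter implements Filter {

    // Servlet path (as mapped in struts-config.xml) -> roles allowed to call it.
    // Assumed values; in a real deployment load this from configuration.
    private static final Map<String, String[]> REQUIRED_ROLES;
    static {
        Map<String, String[]> m = new HashMap<String, String[]>();
        m.put("/admin/deleteUser.do", new String[] {"admin"});
        m.put("/admin/editUser.do",   new String[] {"admin", "manager"});
        REQUIRED_ROLES = Collections.unmodifiableMap(m);
    }

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // With a "*.do" filter mapping, getServletPath() is the full action path.
        String[] roles = REQUIRED_ROLES.get(request.getServletPath());
        if (roles == null || isAuthorized(request, roles)) {
            // Either the path is not protected or the user holds a required role.
            chain.doFilter(req, res);
            return;
        }

        // Plain page rather than a JavaScript alert: it works without JS, and
        // the 403 status makes the refusal visible in server logs.
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        request.getRequestDispatcher("/notAuthorised.jsp").forward(req, res);
    }

    // True if the container-authenticated user holds at least one of the roles.
    static boolean isAuthorized(HttpServletRequest request, String[] roles) {
        for (String role : roles) {
            if (request.isUserInRole(role)) {
                return true;
            }
        }
        return false;
    }
}
```

The filter is registered in web.xml with a `<filter-mapping>` for `*.do` so it runs before the Struts ActionServlet. Unlisted paths pass through here because the thread's scenario is "only some actions are protected"; a deployment where most actions need a role is better served by inverting the map to list the open paths and denying everything else.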
 
Brent Sterling
Ranch Hand
Posts: 948
I was going to suggest that you look at the processRoles method in the RequestProcessor class. This is from the 1.3 code base if the user does not have the role:

response.sendError(HttpServletResponse.SC_FORBIDDEN, getInternal().getMessage("notAuthorized", mapping.getPath()));

I noticed that the 1.3 code base uses HttpServletResponse.SC_FORBIDDEN (403), but the 1.1 code base (which I am still stuck using) uses HttpServletResponse.SC_BAD_REQUEST (400). Returning a 403 error is probably more valid. In either case the user will see a standard error page in their browser, which may or may not be acceptable in your case.

- Brent
 
Peter Primrose
Ranch Hand
Posts: 755
thank you guys!

I practiced the processRoles and it works fine. The problem is, what if I have a DispatchAction with numerous methods and only 3 of them must be protected?

Q: how do I protect a *specific* action/method with processRoles?
* mind that there are 7 methods and 3 of which must be protected (please don't tell me I have to put them in a different class - maintenance nightmare)

thank you!
 
Brent Sterling
Ranch Hand
Posts: 948
There are a few reasons that I am not using DispatchAction and I guess you can add this as another one. It just seems like too often you need to be able to configure things like forwards or validation differently.

- Brent
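An added example, not code from any poster, for Peter's follow-up question: processRoles applies the `roles` attribute to the whole action mapping, so every method of one DispatchAction gets the same rule. A subclass can instead override `execute`, look up the requested method name, and refuse with the same 403 that Brent quotes from RequestProcessor before the dispatch happens, keeping all seven methods in one class. The method names, role names and forwards are assumptions for illustration.

```java
// Added example (not from the thread): per-method authorization inside a
// Struts 1 DispatchAction, checked once in execute() before dispatching.
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.actions.DispatchAction;

public class UserDispatchAction extends DispatchAction {

    // Dispatch method name -> roles allowed to invoke it. Methods absent from
    // this map are open to any user who can reach the action mapping.
    // Assumed names and roles.
    private static final Map<String, String[]> PROTECTED_METHODS = new HashMap<String, String[]>();
    static {
        PROTECTED_METHODS.put("delete",        new String[] {"admin"});
        PROTECTED_METHODS.put("disable",       new String[] {"admin"});
        PROTECTED_METHODS.put("resetPassword", new String[] {"admin", "helpdesk"});
    }

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        // The mapping's "parameter" attribute names the request parameter that
        // selects the method, e.g. parameter="method" and ?method=delete.
        String methodName = request.getParameter(mapping.getParameter());
        String[] roles = methodName == null ? null : PROTECTED_METHODS.get(methodName);

        if (roles != null && !hasAnyRole(request, roles)) {
            // Same outcome as RequestProcessor.processRoles in Struts 1.3:
            // a 403 and no dispatch to the method.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Not authorized: " + methodName);
            return null;
        }
        // Authorized (or unprotected): let DispatchAction pick the method.
        return super.execute(mapping, form, request, response);
    }

    // True if the container-authenticated user holds at least one of the roles.
    static boolean hasAnyRole(HttpServletRequest request, String[] roles) {
        for (String role : roles) {
            if (request.isUserInRole(role)) {
                return true;
            }
        }
        return false;
    }

    // Two of the handler methods; the open one needs no role.
    public ActionForward view(ActionMapping mapping, ActionForm form,
                              HttpServletRequest request, HttpServletResponse response) {
        return mapping.findForward("view");
    }

    // Only reachable when execute() found the user in the "admin" role.
    public ActionForward delete(ActionMapping mapping, ActionForm form,
                                HttpServletRequest request, HttpServletResponse response) {
        request.setAttribute("deletedUser", request.getParameter("userId"));
        return mapping.findForward("deleted");
    }
}
```

Because the check sits in `execute`, adding a method to the action cannot silently expose it: a new entry in `PROTECTED_METHODS` is the only change needed, and an unlisted method is, by design here, treated as open, which is worth a comment in the class so later maintainers know the default.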
 