Reputation: 1213
struts2 check permission interceptor
In my current struts2 + spring web application, I have my custom userSessionInterceptor that works well. I now also want to start enforcing user roles as well. I have done many online researches, seems like there are many ways to do it, e.g. exceptions, sendRedirect
What is the most proper way to do this? I already have the user role saved in the user session and I have no problem detecting and spotting out the error. The only thing I need to decide is how to react to it when the permission is not right.
In the interceptator, I know i can return "xxx" and get to the "xxx" action. However, what I want to achieve is that when the user tries to do something that they have no permission, a message will be displayed. I assume I can return back to the previous page and add a parameter to the url.
Any tips on this?
Thanks
Upvotes: 0
Views: 2179
Answers (1)
Reputation: 3450
Here is a sample program.
RoleInterceptor.java
package com.sample.common.interceptor;
import javax.servlet.http.HttpSession;
import org.apache.struts2.ServletActionContext;
import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.Interceptor;
import com.opensymphony.xwork2.util.ValueStack;
public class RoleInterceptor implements Interceptor {
private static final long serialVersionUID = 5031826078189685536L;
@Override
public void init() {
}
@Override
public void destroy() {
}
@Override
public String intercept(ActionInvocation actionInvocation) {
String result = null;
try {
ActionContext actionContext = actionInvocation
.getInvocationContext();
ValueStack vStack = actionContext.getValueStack();
HttpSession httpSession = ServletActionContext.getRequest()
.getSession();
StringBuilder actionUrl = new StringBuilder(actionInvocation
.getProxy().getNamespace());
actionUrl.append("/");
actionUrl.append(actionInvocation.getProxy().getActionName());
if (httpSession != null) {
boolean hasPermission = true; // if the role has the permission
if (hasPermission) {
result = actionInvocation.invoke();
} else {
vStack.set("userMsg",
"You are not authorized to access this link");
result = "user.unauthorized";
}
} else {
vStack.set("userMsg", "Please login to your account");
result = "user.login";
}
} catch (Exception e) {
e.printStackTrace();
}
return result;
}
}
struts.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
"-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"
"http://struts.apache.org/dtds/struts-2.0.dtd">
<struts>
<package name="userRoleInterceptor">
<interceptors>
<interceptor name="userRole"
class="com.sample.common.interceptor.RoleInterceptor" />
</interceptors>
</package>
<package name="user" namespace="/user" extends="struts-default, json-default, userRoleInterceptor">
<action name="user_details" method="getUserDetails"
class="com.sample.user.web.action.User">
<interceptor-ref name="userRole"/>
<interceptor-ref name="store">
<param name="operationMode">RETRIEVE</param>
</interceptor-ref>
<result name="success">userDetails.jsp</result>
<result name="input">/common/error.jsp</result>
<result name="busy" type="redirectAction" >/common/busy.jsp</result>
<result name="error" type="redirectAction" >/common/test.jsp</result>
<result name="user.login" type="redirectAction" >/common/login.jsp</result>
<result name="user.unauthorized" type="redirectAction" >/common/unauthorizedUser.jsp</result>
</action>
</package>
</struts>
Upvotes: 1
Related Questions
- How to apply Spring Security on Struts 2
- Unable to determine whether the interceptor is working or not in Struts2
- Using Interceptor to validate user access privilege
- To check whether that user already exists or not in struts2
- How to check permission in jsp if tag
- Struts2 letting an interceptor not run for certain classes
- determine target url based on roles for struts2
- Struts2 Authorization
- Spring security and Struts 2
- Struts2 :Can Interceptors can handle Unauthorized Access?