From: http://www.onjava.com/pub/a/onjava/2004/02/18/strutssecurity.html
1. Extending the Struts ActionMapping class
public class StrutsPermissionMapping
extends ActionMapping {
private Integer actionId = null;
private String label = null;
private String canBeMadeAvailable = null;
private String canBeMadeEditable = null;
private String group = null;
private String role = null;
public StrutsPermissionMapping() {
super();
}
public Integer getActionId() {
return actionId;
}
public void setActionId(Integer id) {
this.actionId = id;
}
...
}
2. 修改后的struts-config.xml
<struts-config>
<form-beans>
<form-bean name="computeForm"
type="com.shiftat.oreilly.web.ComputeForm"/>
...
</form-beans>
<action-mappings>
<action
path="/compute"
type="com.shiftat.oreilly.web.ComputeAction"
name="computeForm"
scope="session"
input="/jsp/compute.jsp"
className=
"com.shiftat.struts.StrutsPermissionMapping"
unknown="false"
validate="false">
<set-property property="actionId"
value="160" />
<set-property property="label"
value="compute"/>
<set-property property="canBeMadeAvailable"
value="true"/>
<set-property property="canBeMadeEditable"
value="false"/>
<set-property property="group"
value="4"/>
<set-property property="role"
value="4"/>
<forward name="succes"
path="/jsp/result.jsp"
redirect="false"/>
</action>
...
</action-mappings>
</struts-config>
3. in the login action
3.1 Retrieves the user permissions from the datastore.
3.2 Retrieves the StrutsPermissionMappings from the Struts configuration.
3.3 Iterates over the user permissions and retrieves the corresponding StrutsPermissionMappings.
3.4 Stores each of the corresponding StrutsPermissionMappings in a new Map in the context for that user.
Map userActionPermissionMap
= retrievePortalUserActionPermissionMap(userId);
Map strutsConfigMap
= StrutsConfigurationHelperAction
.retrieveStrutsActionMapping(this, request);
Map userActionNamePermissionMap = new HashMap();
if (userActionPermissionMap.keySet() != null
&& userActionPermissionMap.keySet().size() >0) {
Iterator it
= userActionPermissionMap.keySet().iterator();
while (it.hasNext()){
Integer actionId = (Integer)it.next();
Integer permissionId
= (Integer)userActionPermissionMap
.get(actionId);
StrutsPermissionMapping mapping
= (StrutsPermissionMapping)strutsConfigMap
.get(actionId);
String actionPath
= strutsPermissionMapping.getPath();
userActionNamePermissionMap
.put(actionPath, permissionId);
}
}
context
.setAttribute("permissionmap",
userActionNamePermissionMap);
public class StrutsConfigurationHelperAction {
private static SortedMap actionMappingMap = null;
private static ModuleConfig mConfig = null;
public static SortedMap
retrieveStrutsActionMapping(Action action,
HttpServletRequest request) {
if (actionMappingMap == null){
actionMappingMap = new TreeMap();
mConfig = (ModuleConfig)request.
getAttribute(Globals.MODULE_KEY);
if (mConfig == null){
mConfig = (ModuleConfig)action.
getServlet().getServletContext().
getAttribute(Globals.MODULE_KEY);
}
if (mConfig != null){
ActionConfig[] acfg
= mConfig.findActionConfigs();
for (int i=0; i < acfg.length; i++){
ActionConfig actionConfig = acfg[i];
if (actionConfig instanceof
StrutsPermissionMapping){
StrutsPermissionMapping amp =
(StrutsPermissionMapping)
actionConfig;
actionMappingMap
.put(amp.getActionId(),amp);
} else {
//Regular ActionMapping
//without security attributes
}
}
} else {
System.err.println
("No Struts configuration !");
}
}
return actionMappingMap;
}
}
4. The check that the user has the necessary permission to call a certain action in the application can easily be done in a ServletFilter