I'm relatively new to Struts, but have a Struts application that is working fine in read-only mode. The next step for me is to add security. Based on a user's login I want to be able to do the following:
1) limit what fields are displayed on screen and
2) display the fields as read only or input boxes for data manipulation
I am thinking of using XML as a configuration file for the application to define the role, field access, and field read vs. write. Another option is to store the same information in a database "access" table. I'm leaning toward the XML file, but I'm not sure of the best way to implement this solution in Struts.
Any help would be appreciated.
I have done some similar stuff; let me explain what I designed and then you could extract the stuff as per your requirements.
1) The application was Struts-based.
2) The app had to go through SiteMinder authentication first, and SiteMinder would place the principal in the HTTP header. A secondary authorization was performed in the app server (we had implemented a perimeter security plugin for WebLogic); you could have an HTTP filter do that too. It would then extract information from LDAP and build a compact XML (on the fly) out of it.
3) The compacted XML is stored in the HTTP Session (there could have been a smarter way to do that!)
I don't remember the details, but here is a very rough sketch:
Note: Compacted means storing wildcard strings instead of all the elements. Say an Admin had all the rights; then we would rather store a * instead of (from the above XML) all the operations, and it would be resolved dynamically.
4) We wrote a custom XML query engine that could answer various questions on the XML, for example: isAuthorizedForOperation("Add"), getSomeList('XXX') and so on.
Thus queries could be generated dynamically and resolved dynamically.
5) We built a JSP tag library that wrapped our query API.
6) It was used by JSP developers to render the Page.
Of course, you could read about writing a custom Struts plugin, which is probably a much smarter way.
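
As an added example (not code from either poster), here is one way the compact permission XML and the query API described in the answer could look, extended to the field-level read/write question from the original post. Only the name isAuthorizedForOperation comes from the answer; the XML element and attribute names, the class name and the fieldMode method are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
/** Hypothetical query API over a compact per-session permission XML. */
public class PermissionQuery {
    private final Set<String> operations = new HashSet<>();
    private final Map<String, String> fieldAccess = new HashMap<>(); // field -> "read" | "write"
    public PermissionQuery(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse DOCTYPE declarations so the permission document cannot carry external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element root = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                .getDocumentElement();
        NodeList ops = root.getElementsByTagName("operation");
        for (int i = 0; i < ops.getLength(); i++) {
            operations.add(((Element) ops.item(i)).getAttribute("name"));
        }
        NodeList fields = root.getElementsByTagName("field");
        for (int i = 0; i < fields.getLength(); i++) {
            Element e = (Element) fields.item(i);
            fieldAccess.put(e.getAttribute("name"), e.getAttribute("access"));
        }
    }

    /** "*" is the compacted form of "every operation"; it is resolved at query time. */
    public boolean isAuthorizedForOperation(String op) {
        return operations.contains("*") || operations.contains(op);
    }

    /** Returns "write", "read" or "hidden"; a field with no usable entry is hidden (default deny). */
    public String fieldMode(String field) {
        String mode = fieldAccess.getOrDefault(field, fieldAccess.get("*"));
        return "write".equals(mode) || "read".equals(mode) ? mode : "hidden";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample documents; element and attribute names are assumptions.
        String clerk = "<permissions role='clerk'><operation name='View'/>"
                + "<field name='salary' access='read'/><field name='phone' access='write'/></permissions>";
        String admin = "<permissions role='admin'><operation name='*'/><field name='*' access='write'/></permissions>";
        PermissionQuery c = new PermissionQuery(clerk), a = new PermissionQuery(admin);
        System.out.println(c.isAuthorizedForOperation("Add") + " " + c.fieldMode("salary") + " " + c.fieldMode("ssn"));
        System.out.println(a.isAuthorizedForOperation("Add") + " " + a.fieldMode("ssn"));
    }
}
```

A tag library can call fieldMode to decide whether to render a field as an input box, as plain text, or not at all. The same check needs to run in the Action that processes the submitted form, since leaving an input out of the JSP does not stop a client from posting that parameter.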