Preventing users from accessing action.

Ted Husted

If you are using Struts 1.1, there is a roles attribute to the action mapping where you can specify standard JAAS roles. If you are not using container-managed security, you can create your own RequestProcess subclass, override the appropriate method to call your security, and then plug in your RequestProcess subclass.

If you are using Struts 1.0, people often write this sort of thing into a standard base Action class. On entering perform, the Action does a security check on itself, and if it passes, calls another method with the same signature (like, say, execute). Otherwise, it forwards off to wherever.

To store the security roles in Struts 1.0, you can add a public property to your base Action (like, say, roles), and then use the set-property element to set the roles for each action.

The perform in your base Struts 1.0 Action could then run the security check if roles is not null, or skip it if not. If it passes, it can call the other signature.

If you use execute and roles for these extensions, you will also be upwardly compatible with Struts 1.1. Just be sure to have your execute method return Exception (which perform can then toss as a ServletException).

HTH, Ted

Ted Husted, Struts in Action.