tags:

views:

39

answers:

1
Q: 

Restricting access to URLs in Struts 2

Is it possible to restrict access to certain URLs in Struts 2? I already have it so you can't access jsp's directly, but you can access them indirectly. For example if I have a jsp "blah.jsp" I can access it by typing "/blah" and if I don't have an Action called Blah.java, it will automatically go to the result, blah.jsp. Most of the time this is what I want, but there will be some jsps that I don't want to be access this way, like "blah-success.jsp". Is there a way to say that, I can't navigate to any url's that look like "/-success"?

Edit: I almost have it working...

    <constant name="struts.enable.SlashesInActionNames" value="true"/>

<package name="my-secure-url" extends="my-secure" namespace="/secure**">
    <action name="*"> 
        <interceptor-ref name="secureStack"/>
        <result>{1}</result>
    </action> 
</package>

This works if I try to visit "/secure/anything/anything/etc" and I'm not logged in, I get directed to the login page. However if I just logged in and I'm at "http://localhost:8080/Struts2NewChapter8/secure/admin-portfolio" and I click a link to "http://localhost:8080/Struts2NewChapter8/secure/update/update-account-form" I get errors that look like this:

    WARNING: Error setting expression '0' with value '/secure/update'
    ognl.InappropriateExpressionException: Inappropriate OGNL expression: 0
at ognl.SimpleNode.setValueBody(SimpleNode.java:312)
at ognl.SimpleNode.evaluateSetValueBody(SimpleNode.java:220)
at ognl.SimpleNode.setValue(SimpleNode.java:301)
at ognl.Ognl.setValue(Ognl.java:737)
at com.opensymphony.xwork2.ognl.OgnlUtil.setValue(OgnlUtil.java:198)
at com.opensymphony.xwork2.ognl.OgnlValueStack.setValue(OgnlValueStack.java:161)
at com.opensymphony.xwork2.ognl.OgnlValueStack.setValue(OgnlValueStack.java:149)
at com.opensymphony.xwork2.interceptor.StaticParametersInterceptor.intercept(StaticParametersInterceptor.java:155)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
at org.apache.struts2.interceptor.MultiselectInterceptor.intercept(MultiselectInterceptor.java:75)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
at org.apache.struts2.interceptor.CheckboxInterceptor.intercept(CheckboxInterceptor.java:94)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
at org.apache.struts2.interceptor.FileUploadInterceptor.intercept(FileUploadInterceptor.java:235)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
at com.opensymphony.xwork2.interceptor.ModelDrivenInterceptor.intercept(ModelDrivenInterceptor.java:89)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
at com.opensymphony.xwork2.interceptor.ScopedModelDrivenInterceptor.intercept(ScopedModelDrivenInterceptor.java:130)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
at org.apache.struts2.interceptor.debugging.DebuggingInterceptor.intercept(DebuggingInterceptor.java:267)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
at com.opensymphony.xwork2.interceptor.ChainingInterceptor.intercept(ChainingInterceptor.java:126)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
at com.opensymphony.xwork2.interceptor.PrepareInterceptor.doIntercept(PrepareInterceptor.java:138)
at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:87)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
at com.opensymphony.xwork2.interceptor.I18nInterceptor.intercept(I18nInterceptor.java:165)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
at org.apache.struts2.interceptor.ServletConfigInterceptor.intercept(ServletConfigInterceptor.java:164)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
at com.opensymphony.xwork2.interceptor.AliasInterceptor.intercept(AliasInterceptor.java:179)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
at com.opensymphony.xwork2.interceptor.ExceptionMappingInterceptor.intercept(ExceptionMappingInterceptor.java:176)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
at interceptors.AuthenticationInterceptor.intercept(AuthenticationInterceptor.java:92)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:237)
at org.apache.struts2.impl.StrutsActionProxy.execute(StrutsActionProxy.java:52)
at org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:488)
at org.apache.struts2.dispatcher.ng.ExecuteOperations.executeAction(ExecuteOperations.java:77)
at org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:91)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
at java.lang.Thread.run(Unknown Source)
A: 

But of course. Struts matches wildcard mappings in the order they appear in your config file, so the last one that matches a request will be the one used (i.e. less specific matches must be before more specific matches).

Something like this should do the trick:

 <action name="*">
   <result>/WEB-INF/jsp/{1}.ftl</result>
 </action>  

 <action name="*-success">
   <result>/WEB-INF/jsp/access-denied.jsp</result>
 </action>

The above will keep your current behaviour and cause any file with a -success suffix in the name to end up at access-denied.jsp.

Edit: You'll need to enable this property to have slashes in your action names:

<constant name="struts.enable.SlashesInActionNames" value="true"/>

To make it conditional, I would use an interceptor stack that checked if a user was logged in before forwarding to the .jsp:

 <action name="secure/*">
   <interceptor-ref name="authenticationStack"/>  
   <result>/WEB-INF/jsp/{1}.jsp</result>
 </action>

In your authenticationStack you would need an Interceptor that determines if a user is logged in. If not you would forward them to an access-denied.jsp type page from within the interceptor. The Struts docs on Interceptors should help you out.

Pat  2010-07-15 15:51:30
That's awesome. Thanks! I'm trying to do something a little bit similar now. Now the url I want to catch is anything in the "/secure/" area. So my action name is "*/secure/*" but this isn't working. Furthermore, is there a way to make it conditional? I only want to catch this if a user is not logged in.
JPC  2010-07-15 16:38:22
I tried your updates but they didn't work. I had the interceptor already in place, it's the struts.xml part that isn't working. The interceptor never gets called. I included the constant, and the action part.
JPC  2010-07-16 14:16:12
check out my edits
JPC  2010-07-16 15:11:11
Since you're now logged in and not being forwarded by the interceptor, my guess is that struts doesn't know how to handle the wildcard '/secure**' namespace definition.
Pat  2010-07-19 12:21:36

related questions

how to pass the stream result response in a jsp page(client)!!
struts2: s:checkbox doesn't go on the same row with s:checkbox
How to get ul structure from HTML
Struts2 parameters between actions
Html radio tag question
How can I translate the validation messages of Struts 2?
disabling the Validation in struts2 and use my own customized validation
Not getting the 'index" value from for loop to the if loop in the JSP
Struts 2 & Dojo files are too heavy and affect site's performance.. Any remedies?
Can Anyone Explain This Struts 2 AJAX Strange Refresh Behaviour?
Struts 2 + tiles + velocity interoperability?
Passing Parameter to struts2 component
Reading an email string from a cookie in java
Using Stream Result with Struts2
Creating friendly urls to dynamic resources in struts2
JSON RPC: java method never called, any ideas?
Struts2 Validation at the action vs domain object level
How do I reference assets from a different subdomain (or CDN) in production?
Struts2 - How to do dynamic URL redirects?
How can I serve an image to the browser using Struts 2 + Hibernate 3?
Struts2 Annotation-Validators for Invalid Chars
Suppress ClientAbortException in struts2 VelocityResult class
struts2: how to substring in jsp?
Stuts2 Tiles Tomcat suspected of changing UTF-8 to ?????
Struts 2: return to calling page