You want the convenience of container-managed security, yet need a custom mechanism for implementing your security policies.
Use the SecurityFilter (http://securityfilter.sourceforge.net) custom servlet filter and associated classes.
Container-managed security, as shown in Recipe 11.9, has some advantages:
When users attempt to access a protected URL, the container automatically prompts them to log on. Once authenticated, they are forwarded to the originally requested URL.
The user identity can be determined using the getUserPrincipal( ) or ) methods of the These methods can determine if a user is logged in.
You can determine if a user has a specific role using the method of the HttpServletRequest. Struts leverages this feature to provide role-constrained actions via the roles attribute. Struts provides for role-specific page generation using custom JSP tag.
Container-managed security has drawbacks, such as portability. With container-managed security, the implementation is split between your web application and the application server. You usually must configure container-specific resources to specify the repository, known as a security realm, from which the container acquires the user's credentials and roles. Container-managed security will only prompt users to log in if they attempt to access a protected ...