Package org.apache.struts2.interceptor
Class RolesInterceptor
java.lang.Object
  org.apache.struts2.interceptor.AbstractInterceptor
    org.apache.struts2.interceptor.RolesInterceptor
- All Implemented Interfaces: Serializable, ConditionalInterceptor, Interceptor
This interceptor ensures that the action will only be executed if the user has the correct role.
Interceptor parameters:
- allowedRoles - a comma-separated list of roles to allow
- disallowedRoles - a comma-separated list of roles to disallow
When both allowedRoles and disallowedRoles are configured, disallowedRoles takes precedence, applying the following logic:
  if ((inRole(role1) || inRole(role2) || ... inRole(roleN)) && !inRole(roleA) && !inRole(roleB) && ... !inRole(roleZ)) { //permit ...
There are three extensions to the existing interceptor:
- isAllowed(HttpServletRequest,Object) - whether or not to allow the passed action execution with this request
- handleRejection(ActionInvocation) - handles an unauthorized request.
- areRolesValid(List<String> roles) - allows subclasses to look up the configured roles and ensure they are valid. If they are not valid, RolesInterceptor logs the error and ceases to function (it blocks all requests). This helps prevent security misconfiguration flaws such as a mistyped role name that no user holds.
  <!-- only allows the admin and member roles -->
  <action name="someAction" class="com.examples.SomeAction">
      <interceptor-ref name="completeStack"/>
      <interceptor-ref name="roles">
          <param name="allowedRoles">admin,member</param>
      </interceptor-ref>
      <result name="success">good_result.ftl</result>
  </action>
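The extension points above are meant to be used together: areRolesValid(List<String>) turns a mistyped role name in struts.xml into a hard failure instead of a silent allow-or-deny on a role nobody holds, and isAllowed(HttpServletRequest, Object) is the place to add defender-side visibility into rejected requests. The following subclass is an added example, not code from the Struts project. The package name, the KNOWN_ROLES catalogue and the java.util.logging logger are assumptions for illustration; the import of ActionInvocation from org.apache.struts2 is assumed to match the org.apache.struts2 packages this page documents. The overridden method signatures are the ones listed on this page.

```java
// Added example: a hardened subclass of Struts' RolesInterceptor (not Struts project code).
// Assumptions: the com.example.security package, the KNOWN_ROLES catalogue, the logger,
// and the org.apache.struts2.ActionInvocation import.
package com.example.security;

import java.util.List;
import java.util.Set;
import java.util.logging.Logger;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.apache.struts2.ActionInvocation;            // assumed package for ActionInvocation
import org.apache.struts2.interceptor.RolesInterceptor;

public class ValidatedRolesInterceptor extends RolesInterceptor {

    private static final Logger LOG = Logger.getLogger(ValidatedRolesInterceptor.class.getName());

    // Assumed role catalogue: the role names this deployment actually defines in its
    // security realm. Any allowedRoles/disallowedRoles value outside this set is a
    // misconfiguration (for example "admn" instead of "admin").
    private static final Set<String> KNOWN_ROLES = Set.of("admin", "member", "auditor");

    // Called by RolesInterceptor with the configured allowed and disallowed roles.
    // Returning false disables the interceptor, which then blocks every request,
    // so a typo fails closed rather than quietly granting or denying access.
    @Override
    protected boolean areRolesValid(List<String> roles) {
        for (String role : roles) {
            if (!KNOWN_ROLES.contains(role)) {
                LOG.severe("RolesInterceptor configured with unknown role '" + role
                        + "'; blocking all requests until struts.xml is corrected");
                return false;
            }
        }
        return true;
    }

    // Keep the interceptor's own allow/disallow decision (disallowedRoles wins),
    // but record every rejection so it can be picked up by monitoring.
    @Override
    protected boolean isAllowed(HttpServletRequest request, Object action) {
        boolean allowed = super.isAllowed(request, action);
        if (!allowed) {
            String user = request.getRemoteUser() == null ? "<anonymous>" : request.getRemoteUser();
            String target = action == null ? "<null action>" : action.getClass().getName();
            LOG.warning("Role check rejected user " + user + " for action " + target
                    + " (" + request.getMethod() + " " + request.getRequestURI() + ")");
        }
        return allowed;
    }

    // The documented default already answers with a 403; delegate to it so the
    // response to the client stays unchanged while the rejection is still logged above.
    @Override
    protected String handleRejection(ActionInvocation invocation, HttpServletResponse response)
            throws Exception {
        return super.handleRejection(invocation, response);
    }
}
```

Register the subclass in struts.xml in place of the stock interceptor, for example with an `<interceptor name="validatedRoles" class="com.example.security.ValidatedRolesInterceptor"/>` declaration and `<interceptor-ref name="validatedRoles">` in the action, passing the same allowedRoles and disallowedRoles parameters shown in the example above. Keep KNOWN_ROLES in step with the roles your container or security framework actually issues, since a role that is valid but missing from the catalogue will also fail closed.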
Field Summary
- allowedRoles
- disallowedRoles
Constructor Summary
- RolesInterceptor()
Method Summary
- protected boolean areRolesValid(List<String> roles) - Extension point for sub-classes to test if configured roles are known valid roles.
- protected String handleRejection(ActionInvocation invocation, jakarta.servlet.http.HttpServletResponse response) - Handles a rejection by sending a 403 HTTP error.
- String intercept(ActionInvocation invocation) - Override to handle interception.
- protected boolean isAllowed(jakarta.servlet.http.HttpServletRequest request, Object action) - Determines if the request should be allowed for the action.
- void setAllowedRoles(String roles)
- void setDisallowedRoles(String roles)
- protected List<String> stringToList(String val) - Splits a string into a List.
Methods inherited from class org.apache.struts2.interceptor.AbstractInterceptor: destroy, init, setDisabled, shouldIntercept
Field Details
- allowedRoles
- disallowedRoles
Constructor Details
- RolesInterceptor
  public RolesInterceptor()
Method Details
- setAllowedRoles
  public void setAllowedRoles(String roles)
- setDisallowedRoles
  public void setDisallowedRoles(String roles)
- intercept
  public String intercept(ActionInvocation invocation) throws Exception
  Description copied from class: AbstractInterceptor
  Override to handle interception.
  - Specified by: intercept in interface Interceptor
  - Specified by: intercept in class AbstractInterceptor
  - Parameters: invocation - the action invocation
  - Returns: the return code, either returned from ActionInvocation.invoke(), or from the interceptor itself.
  - Throws: Exception - any system-level error, as defined in Action.execute().
- stringToList
  protected List<String> stringToList(String val)
  Splits a string into a List.
  - Parameters: val - the string to split
  - Returns: the string list
- isAllowed
  protected boolean isAllowed(jakarta.servlet.http.HttpServletRequest request, Object action)
  Determines if the request should be allowed for the action.
  - Parameters: request - the request; action - the action object
  - Returns: true if allowed, false otherwise
- handleRejection
  protected String handleRejection(ActionInvocation invocation, jakarta.servlet.http.HttpServletResponse response) throws Exception
  Handles a rejection by sending a 403 HTTP error.
  - Parameters: invocation - the invocation; response - the servlet response object
  - Returns: the result code
  - Throws: Exception - in case of any error
- areRolesValid
  protected boolean areRolesValid(List<String> roles)
  Extension point for sub-classes to test if configured roles are known valid roles. Implementations are encouraged to implement this method to prevent misconfigured roles. If this method returns false, the RolesInterceptor will be disabled and block all requests.
  - Parameters: roles - allowed and disallowed roles
  - Returns: whether the roles are valid or not (always true for the default implementation)