Class RolesInterceptor

java.lang.Object
org.apache.struts2.interceptor.AbstractInterceptor
org.apache.struts2.interceptor.RolesInterceptor
All Implemented Interfaces:
Serializable, ConditionalInterceptor, Interceptor

public class RolesInterceptor extends AbstractInterceptor

This interceptor ensures that the action will only be executed if the user has the correct role.

Interceptor parameters:

  • allowedRoles - a comma-separated list of roles to allow
  • disallowedRoles - a comma-separated list of roles to disallow

When both allowedRoles and disallowedRoles are configured, disallowedRoles takes precedence: a request is permitted only if the user holds at least one of the allowed roles and none of the disallowed roles, i.e.

    if ((inRole(role1) || inRole(role2) || ... || inRole(roleN))
        && !inRole(roleA) && !inRole(roleB) && ... && !inRole(roleZ)) {
        // permit
    }

where inRole(r) is the container's HttpServletRequest.isUserInRole(r).
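The precedence rule above, worked through on constructed sample principals. This is an added illustration written for this page, not Struts code: isAllowed here re-implements the documented boolean logic on plain lists, and the inRole predicate stands in for HttpServletRequest.isUserInRole. The behaviour when allowedRoles is empty (only a disallow list configured, or nothing at all) is an assumption of this example, since the page's formula does not state it.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.function.Predicate;

// Illustration of the documented allow/disallow precedence; not the project's own code.
public class RolePrecedenceDemo {

    // inRole stands in for HttpServletRequest.isUserInRole(role).
    static boolean isAllowed(List<String> allowedRoles,
                             List<String> disallowedRoles,
                             Predicate<String> inRole) {
        // Any disallowed role vetoes the request, whatever allowedRoles says.
        for (String role : disallowedRoles) {
            if (inRole.test(role)) {
                return false;
            }
        }
        // With an allow list configured, at least one allowed role is required.
        if (!allowedRoles.isEmpty()) {
            for (String role : allowedRoles) {
                if (inRole.test(role)) {
                    return true;
                }
            }
            return false;
        }
        // Assumption for this example: no allow list means nothing vetoed above
        // is sufficient to permit.
        return true;
    }

    public static void main(String[] args) {
        List<String> allowed = Arrays.asList("admin", "member");
        List<String> disallowed = Arrays.asList("suspended");

        // Constructed sample principals: the set of roles each one holds.
        Set<String> regularMember = Set.of("member");
        Set<String> suspendedAdmin = Set.of("admin", "suspended");
        Set<String> guest = Set.of("guest");

        System.out.println("member:          " + isAllowed(allowed, disallowed, regularMember::contains));
        System.out.println("suspended admin: " + isAllowed(allowed, disallowed, suspendedAdmin::contains));
        System.out.println("guest:           " + isAllowed(allowed, disallowed, guest::contains));
        System.out.println("guest, no allow list: " + isAllowed(List.of(), disallowed, guest::contains));

        // A misspelled disallowed role never matches anyone, so the veto silently
        // stops firing; this is the misconfiguration areRolesValid exists to catch.
        List<String> typo = Arrays.asList("suspnded");
        System.out.println("suspended admin with typo in disallowedRoles: "
                + isAllowed(allowed, typo, suspendedAdmin::contains));
    }
}
```

With `java RolePrecedenceDemo.java` the member is permitted, the suspended admin is rejected even though admin is an allowed role (the disallow list wins), and the guest is rejected because an allow list is configured and guest is not on it. The last line shows why role validation matters: a typo in disallowedRoles fails open, because the misspelled role is held by nobody and the veto never applies, whereas a typo in allowedRoles fails closed by matching nobody.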

Three extension points are provided for subclasses:

  • isAllowed(HttpServletRequest,Object) - decides whether to allow the passed action execution for this request
  • handleRejection(ActionInvocation,HttpServletResponse) - handles an unauthorized request (by default by sending an HTTP 403 error).
  • areRolesValid(List<String> roles) - lets subclasses check the configured roles against the roles they actually know. If the roles are not valid, RolesInterceptor logs the error and rejects every request (it fails closed). This helps prevent security misconfiguration flaws such as a misspelled role name.

Example configuration (only the admin and member roles may execute someAction):

  <action name="someAction" class="com.examples.SomeAction">
      <interceptor-ref name="completeStack"/>
      <interceptor-ref name="roles">
        <param name="allowedRoles">admin,member</param>
      </interceptor-ref>
      <result name="success">good_result.ftl</result>
  </action>
  • Field Details

    • allowedRoles

      protected List<String> allowedRoles
    • disallowedRoles

      protected List<String> disallowedRoles
  • Constructor Details

    • RolesInterceptor

      public RolesInterceptor()
  • Method Details

    • setAllowedRoles

      public void setAllowedRoles(String roles)
    • setDisallowedRoles

      public void setDisallowedRoles(String roles)
    • intercept

      public String intercept(ActionInvocation invocation) throws Exception
      Description copied from class: AbstractInterceptor
      Override to handle interception
      Specified by:
      intercept in interface Interceptor
      Specified by:
      intercept in class AbstractInterceptor
      Parameters:
      invocation - the action invocation
      Returns:
      the return code, either returned from ActionInvocation.invoke(), or from the interceptor itself.
      Throws:
      Exception - any system-level error, as defined in Action.execute().
    • stringToList

      protected List<String> stringToList(String val)
      Splits a comma-separated string (the format of the allowedRoles and disallowedRoles parameters) into a List of role names
      Parameters:
      val - the string to split
      Returns:
      the string list
    • isAllowed

      protected boolean isAllowed(jakarta.servlet.http.HttpServletRequest request, Object action)
      Determines if the request should be allowed for the action
      Parameters:
      request - The request
      action - The action object
      Returns:
      True if allowed, false otherwise
    • handleRejection

      protected String handleRejection(ActionInvocation invocation, jakarta.servlet.http.HttpServletResponse response) throws Exception
      Handles a rejection by sending a 403 HTTP error
      Parameters:
      invocation - The invocation
      response - the servlet response object
      Returns:
      The result code
      Throws:
      Exception - in case of any error
    • areRolesValid

      protected boolean areRolesValid(List<String> roles)
      Extension point for sub-classes to test if configured roles are known valid roles. Implementations are encouraged to implement this method to prevent misconfigured roles. If this method returns false, the RolesInterceptor will be disabled and block all requests.
      Parameters:
      roles - allowed and disallowed roles
      Returns:
      whether the roles are valid or not (always true for the default implementation)
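An added example of a subclass using the two extension points that the default implementation leaves inert: areRolesValid, which by default always returns true, and handleRejection, which by default sends a 403. This is illustrative code written for this page, not part of Struts. KNOWN_ROLES is an assumed application-specific registry of role names; the ActionInvocation import is assumed to be org.apache.struts2.ActionInvocation for the Struts 7 (jakarta.servlet) line this page documents, whereas Struts 6 used com.opensymphony.xwork2.ActionInvocation.

```java
import java.util.List;
import java.util.Set;

import jakarta.servlet.http.HttpServletResponse;
import org.apache.struts2.ActionInvocation;   // assumed Struts 7 package; see lead-in
import org.apache.struts2.interceptor.RolesInterceptor;

// Added example subclass; not part of the Struts project.
public class ValidatedRolesInterceptor extends RolesInterceptor {

    // Assumed application registry of every role the container can report.
    private static final Set<String> KNOWN_ROLES = Set.of("admin", "member", "suspended");

    // Called with the combined allowed and disallowed roles. Returning false
    // makes RolesInterceptor disable itself and reject every request, so a
    // misspelled role fails closed instead of silently widening access.
    @Override
    protected boolean areRolesValid(List<String> roles) {
        for (String role : roles) {
            if (!KNOWN_ROLES.contains(role)) {
                return false;
            }
        }
        return true;
    }

    // Keep the 403 of the default but send a fixed message, so the response
    // reveals nothing about which roles the action requires.
    @Override
    protected String handleRejection(ActionInvocation invocation,
                                     HttpServletResponse response) throws Exception {
        response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access denied");
        return null;
    }
}
```

To use it, register the subclass under the interceptor name the actions already reference, for example <interceptor name="roles" class="com.example.ValidatedRolesInterceptor"/> (class name assumed) in the package's <interceptors> block, and keep the <interceptor-ref name="roles"> entries unchanged. Because a failed areRolesValid blocks all requests, a typo in allowedRoles or disallowedRoles surfaces on the first request as a logged error and a 403 rather than as a quietly broken policy.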