RolesInterceptor (Struts 2 Core 2.6-SNAPSHOT API)

java.lang.Object
- com.opensymphony.xwork2.interceptor.AbstractInterceptor
- - org.apache.struts2.interceptor.RolesInterceptor

All Implemented Interfaces:

Interceptor, Serializable
```
public class RolesInterceptor
extends AbstractInterceptor
```
This interceptor ensures that the action will only be executed if the user has the correct role.

Interceptor parameters:
- allowedRoles - a comma-separated list of roles to allow
- disallowedRoles - a comma-separated list of roles to disallow
When both allowedRoles and disallowedRoles are configured, then disallowedRoles takes precedence, applying the following logic: (if ((inRole(role1) || inRole(role2) || ... inRole(roleN)) && !inRole(roleA) && !inRole(roleB) && ... !inRole(roleZ)) { //permit ...

There are three extensions to the existing interceptor:
- isAllowed(HttpServletRequest,Object) - whether or not to allow the passed action execution with this request
- handleRejection(ActionInvocation) - handles an unauthorized request.
- areRolesValid(List<String> roles) - allows subclasses to lookup roles to ensure they are valid. If not valid, RolesInterceptor will log the error and cease to function. This helps prevent security misconfiguration flaws.
```
  
  
  <action name="someAction" class="com.examples.SomeAction">
      <interceptor-ref name="completeStack"/>
      <interceptor-ref name="roles">
        <param name="allowedRoles">admin,member</param>
      </interceptor-ref>
      <result name="success">good_result.ftl</result>
  </action>
  
 
```
See Also:

Serialized Form

Field Summary

Fields
Modifier and Type Field and Description

protected List<String> allowedRoles

protected List<String> disallowedRoles

Fields
Modifier and Type	Field and Description
`protected List<String>`	`allowedRoles`
`protected List<String>`	`disallowedRoles`

Constructor Summary

Constructors
Constructor and Description

RolesInterceptor()

Constructors
Constructor and Description
`RolesInterceptor()`

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`protected boolean`	`areRolesValid(List<String> roles)` Extension point for sub-classes to test if configured roles are known valid roles.
`protected String`	`handleRejection(ActionInvocation invocation, javax.servlet.http.HttpServletResponse response)` Handles a rejection by sending a 403 HTTP error
`String`	`intercept(ActionInvocation invocation)` Override to handle interception
`protected boolean`	`isAllowed(javax.servlet.http.HttpServletRequest request, Object action)` Determines if the request should be allowed for the action
`void`	`setAllowedRoles(String roles)`
`void`	`setDisallowedRoles(String roles)`
`protected List<String>`	`stringToList(String val)` Splits a string into a List

Methods inherited from class com.opensymphony.xwork2.interceptor.AbstractInterceptor
destroy, init

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Field Detail
  - allowedRoles
```
protected List<String> allowedRoles
```
  - disallowedRoles
```
protected List<String> disallowedRoles
```
- Constructor Detail
  - RolesInterceptor
```
public RolesInterceptor()
```
- Method Detail
  - setAllowedRoles
```
public void setAllowedRoles(String roles)
```
  - setDisallowedRoles
```
public void setDisallowedRoles(String roles)
```
  - intercept
```
public String intercept(ActionInvocation invocation)
                 throws Exception
```
    Description copied from class: AbstractInterceptor
    
    Override to handle interception
    
    Specified by:
    
    intercept in interface Interceptor
    
    Specified by:
    
    intercept in class AbstractInterceptor
    
    Parameters:
    
    invocation - the action invocation
    
    Returns:
    
    the return code, either returned from ActionInvocation.invoke(), or from the interceptor itself.
    
    Throws:
    
    Exception - any system-level error, as defined in Action.execute().
  - stringToList
```
protected List<String> stringToList(String val)
```
    Splits a string into a List
    
    Parameters:
    
    val - the string to split
    
    Returns:
    
    the string list
  - isAllowed
```
protected boolean isAllowed(javax.servlet.http.HttpServletRequest request,
                            Object action)
```
    Determines if the request should be allowed for the action
    
    Parameters:
    
    request - The request
    
    action - The action object
    
    Returns:
    
    True if allowed, false otherwise
  - handleRejection
```
protected String handleRejection(ActionInvocation invocation,
                                 javax.servlet.http.HttpServletResponse response)
                          throws Exception
```
    Handles a rejection by sending a 403 HTTP error
    
    Parameters:
    
    invocation - The invocation
    
    response - the servlet response object
    
    Returns:
    
    The result code
    
    Throws:
    
    Exception - in case of any error
  - areRolesValid
```
protected boolean areRolesValid(List<String> roles)
```
    Extension point for sub-classes to test if configured roles are known valid roles. Implementations are encouraged to implement this method to prevent misconfigured roles. If this method returns false, the RolesInterceptor will be disabled and block all requests.
    
    Parameters:
    
    roles - allowed and disallowed roles
    
    Returns:
    
    whether the roles are valid or not (always true for the default implementation)

Class RolesInterceptor

Field Summary

Constructor Summary

Method Summary

Methods inherited from class com.opensymphony.xwork2.interceptor.AbstractInterceptor

Methods inherited from class java.lang.Object

Field Detail

allowedRoles

disallowedRoles

Constructor Detail

RolesInterceptor

Method Detail

setAllowedRoles

setDisallowedRoles

intercept

stringToList

isAllowed

handleRejection

areRolesValid