Applications should ensure users are properly authenticated and have sufficient permissions to access pages before content is displayed. Page-level access controls are one security control that enforces this behavior.
Struts 2 RolesInterceptor
In Part 2 of the page-level access controls article, a RolesInterceptor has been added to the struts.xml file. The "roleActions" parameter, passed to the interceptor, contains a list of actions allowed for each role. The "*" role indicates that any role can access the action.
In the ProcessSimpleLogin action, the "role" session variable has been added to include the name of the role that the user belongs to.
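The check such an interceptor performs can be sketched in plain Java, as an added example that is not the code from the article or its repository. The `role:Action,Action;role:...` string format, the `RoleActionPolicy` class, and every action name other than ProcessSimpleLogin are assumptions made for illustration, as is treating "*" as also covering sessions that have no role yet.

```java
import java.util.*;

// Added example: deny-by-default role check in the spirit of the "roleActions"
// parameter. The "role:Action1,Action2;role2:..." format is an assumption.
public class RoleActionPolicy {
    private final Map<String, Set<String>> allowed = new HashMap<>();

    public RoleActionPolicy(String roleActions) {
        for (String entry : roleActions.split(";")) {
            String[] parts = entry.trim().split(":", 2);
            if (parts.length != 2 || parts[0].trim().isEmpty()) {
                throw new IllegalArgumentException("Malformed roleActions entry: " + entry);
            }
            Set<String> actions = allowed.computeIfAbsent(parts[0].trim(), k -> new HashSet<>());
            for (String action : parts[1].split(",")) {
                if (!action.trim().isEmpty()) actions.add(action.trim());
            }
        }
    }

    // role is the value of the "role" session variable; null means no login yet.
    public boolean isAllowed(String role, String actionName) {
        // Assumption: "*" actions are open to every session, including ones
        // with no role, so the login action itself stays reachable.
        if (allowed.getOrDefault("*", Collections.emptySet()).contains(actionName)) {
            return true;
        }
        if (role == null || role.equals("*")) {
            return false; // a session must never claim the wildcard as its role
        }
        // Unknown roles and unlisted actions fall through to deny.
        return allowed.getOrDefault(role, Collections.emptySet()).contains(actionName);
    }

    public static void main(String[] args) {
        // Constructed sample configuration, not taken from the article.
        RoleActionPolicy policy = new RoleActionPolicy(
            "*:Login,ProcessSimpleLogin;user:ViewProfile;admin:ViewProfile,ManageUsers");
        String[][] requests = {
            {null, "ProcessSimpleLogin"}, {null, "ViewProfile"},
            {"user", "ViewProfile"}, {"user", "ManageUsers"},
            {"admin", "ManageUsers"}, {"admin", "DeleteEverything"}
        };
        for (String[] r : requests) {
            System.out.printf("role=%s action=%s -> %s%n", r[0], r[1],
                policy.isAllowed(r[0], r[1]) ? "invoke" : "deny");
        }
    }
}
```

In a Struts 2 interceptor, the same decision would be made inside `intercept(ActionInvocation)`, reading the role from the session map and the action name from the invocation's proxy, and returning a result such as a login redirect instead of invoking the action on a deny.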
The code repository containing the updated Struts 2 modules can be found below:
Additionally, you can see discussion of these modules in my earlier blog posts: