/**
 * Enforces the role restriction, if any, that is configured on the selected action mapping.
 *
 * <p>A mapping whose role list is <code>null</code> or empty is treated as unrestricted and
 * processing continues. Otherwise the current user must hold at least one of the listed roles
 * (any-of, not all-of), as reported by <code>request.isUserInRole</code>. When no role matches,
 * a 403 (Forbidden) error is sent on the response with the <code>notAuthorized</code> message
 * for the mapping path, and <code>false</code> is returned so the caller stops processing.
 *
 * @param request The servlet request we are processing
 * @param response The servlet response we are creating
 * @param mapping The mapping we are using
 * @return <code>true</code> to continue normal processing; <code>false</code> if a response has
 *     been created.
 * @throws IOException if an input/output error occurs
 * @throws ServletException if a servlet exception occurs
 */
protected boolean processRoles(
        HttpServletRequest request, HttpServletResponse response, ActionMapping mapping)
        throws IOException, ServletException {
    String[] requiredRoles = mapping.getRoleNames();

    // No role requirement configured: this method lets the request through without looking at
    // the caller at all, so an unrestricted mapping gets no protection from this check.
    if (requiredRoles == null || requiredRoles.length == 0) {
        return true;
    }

    // One matching role is sufficient; the first match ends the search.
    for (int idx = 0; idx < requiredRoles.length; idx++) {
        String candidate = requiredRoles[idx];

        if (!request.isUserInRole(candidate)) {
            continue;
        }

        if (log.isDebugEnabled()) {
            // The remote user name is written to the log exactly as the container reports it.
            log.debug(
                " User '" + request.getRemoteUser() + "' has role '" + candidate
                    + "', granting access");
        }

        return true;
    }

    // Nothing matched. The denial is only logged at debug level, so with debug logging off
    // this method leaves no log record of the rejected request.
    if (log.isDebugEnabled()) {
        log.debug(
            " User '" + request.getRemoteUser()
                + "' does not have any required role, denying access");
    }

    String deniedMessage = getInternal().getMessage("notAuthorized", mapping.getPath());
    response.sendError(HttpServletResponse.SC_FORBIDDEN, deniedMessage);

    return false;
}