Authorization comes after authentication and usually answers the question "who can access what?" Mentawai comes with a simple yet powerful approach to user authorization. In Mentawai you have Groups, and each group can have one or more Permissions. Examples are:
- Administrators: read, delete, write, create, adduser, deluser
- Managers: read, delete, write, create
- Users: read
An authenticated Mentawai user can belong to one or more groups; that membership is set through the BaseLoginAction.setUserGroups() method.
Let's start by showing how you can set up groups and permissions for your web application inside your ApplicationManager.
When you are authenticating the user, you specify which groups the user belongs to:
Then all you have to do is use the org.mentawai.filter.AuthorizationFilter to authorize access to your actions, or the Mentawai tags <mtw:requiresAuthorization /> and <mtw:hasAuthorization>. Examples:
But what happens if a user who is not authorized tries to access a page that requires authorization? The user is redirected to a denied page (e.g. denied.html). You can configure that page with a global consequence. Check the example below, which also includes the org.mentawai.filter.AuthorizationFilter configuration:
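The following is an added, stand-alone illustration of the group/permission model described on this page and of the filter outcome (forward to the action or redirect to the denied page). It is not Mentawai's own code: the classes Group, AuthorizationModel and the method names addGroup, permissionsOf, isAuthorized and decide are hypothetical stand-ins written for this example, while the three groups and their permissions are taken from the list above. In a real application the same roles are played by the ApplicationManager configuration, BaseLoginAction.setUserGroups() and org.mentawai.filter.AuthorizationFilter.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added example: a self-contained model of "groups carry permissions, users
// carry groups". These classes are hypothetical and are NOT Mentawai's API.
public class AuthorizationModelDemo {

    /** A named group carrying a fixed set of permissions. */
    static final class Group {
        final String name;
        final Set<String> permissions;

        Group(String name, String... perms) {
            this.name = name;
            this.permissions = Collections.unmodifiableSet(
                    new LinkedHashSet<>(Arrays.asList(perms)));
        }
    }

    /** Groups configured once at startup (the role the ApplicationManager plays on this page). */
    static final class AuthorizationModel {
        private final Map<String, Group> groups = new HashMap<>();

        void addGroup(Group g) {
            groups.put(g.name, g);
        }

        Group group(String name) {
            Group g = groups.get(name);
            if (g == null) {
                // Unknown group names are a configuration error, not an implicit grant.
                throw new IllegalArgumentException("unknown group: " + name);
            }
            return g;
        }

        /** A user's permissions are the union of the permissions of all groups the user belongs to. */
        Set<String> permissionsOf(Collection<String> userGroups) {
            Set<String> result = new HashSet<>();
            for (String name : userGroups) {
                result.addAll(group(name).permissions);
            }
            return result;
        }

        /** Deny by default: every required permission must be present. */
        boolean isAuthorized(Collection<String> userGroups, String... required) {
            return permissionsOf(userGroups).containsAll(Arrays.asList(required));
        }

        /** Mirrors the filter outcome: continue to the action, or redirect to the denied page. */
        String decide(Collection<String> userGroups, String action, String... required) {
            return isAuthorized(userGroups, required)
                    ? "forward:" + action
                    : "redirect:denied.html";
        }
    }

    /** Groups and permissions exactly as listed on this page. */
    static AuthorizationModel configure() {
        AuthorizationModel m = new AuthorizationModel();
        m.addGroup(new Group("Administrators", "read", "delete", "write", "create", "adduser", "deluser"));
        m.addGroup(new Group("Managers", "read", "delete", "write", "create"));
        m.addGroup(new Group("Users", "read"));
        return m;
    }

    public static void main(String[] args) {
        AuthorizationModel model = configure();

        // Constructed sample users: group lists as setUserGroups() would record them at login.
        List<String> manager = Arrays.asList("Managers");
        List<String> plainUser = Arrays.asList("Users");
        List<String> userAndAdmin = Arrays.asList("Users", "Administrators"); // member of two groups

        System.out.println(model.decide(manager, "deleteItem", "delete"));
        System.out.println(model.decide(plainUser, "deleteItem", "delete"));
        System.out.println(model.decide(userAndAdmin, "addUser", "adduser"));
        System.out.println(model.decide(manager, "addUser", "adduser"));

        // A request with no groups at all (not authenticated) never passes an authorization check.
        System.out.println(model.decide(Collections.<String>emptyList(), "readItem", "read"));
    }
}
```

Running the demo forwards the manager's delete and the admin's adduser requests, and redirects the plain user's delete, the manager's adduser and the group-less request to denied.html. The check is deny-by-default on purpose: a permission is granted only when some group the user belongs to carries it, and an unknown group name fails loudly instead of silently granting nothing or everything.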
You may click here to download an Authorization example.