struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Khorramrouz, Turaj" <Turaj.Khorramr...@Dresdner-Bank.com>
Subject RE: security question
Date Mon, 01 Oct 2001 08:53:31 GMT
Hi Jonathan,
you don't have the problem with "RequestDispatching to JSPs underneath
WEB-INF"  in weblogic 5.1 with sp 10 any more.

regards, 

Turaj
 

-----Original Message-----
From: Jonathan M Crater [mailto:jonathan_m_crater@fanniemae.com]
Sent: Montag, 24. September 2001 17:49
To: struts-user@jakarta.apache.org
Subject: security question


i'm using weblogic 5.1, which does not allow RequestDispatching to JSPs
underneath WEB-INF.  so i'm stuck keeping my JSPs outside WEB-INF.  as a
result,
i have to secure requests to both JSPs and actions.  securing the actions is
just a matter of sub-classing ActionServlet and providing logic to check for
certain secured paths.  the problem is i don't want to repeat the logic in
the JSPs--either through a tag library or otherwise.  does anyone have any
suggestions as to how best to prevent a situation where a user requests a
JSP page directly when it should have gone through the sub-classed
ActionServlet?  i was thinking of just setting a request parameter for each
request as it passes through the ActionServlet.  that way, in the JSP i can
just test for that value to determine whether the request went through the
proper channel.  if not, i can redirect to an error page.

thoughts?  suggestions?


Mime
View raw message