struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dennis Doubleday" <>
Subject Struts declarative security policy? (was RE: Struts example - redundant login checking?)
Date Thu, 18 Apr 2002 14:56:11 GMT
Seems to me that neither the jsp nor the action is the correct place to
enforce a security policy. It means both page designers and developers
have to remember to do it every time.

There ought to be (is there?) a mechanism for declaring a security
policy which can be referenced in struts-config.xml; i.e. access control
is just another property of an action mapping.

> -----Original Message-----
> From: Wittke Marcus-r32643 [] 
> Sent: Thursday, April 18, 2002 10:44 AM
> To: 'Struts Users Mailing List'
> Subject: RE: Struts example - redundant login checking?
> Since a user always has the chance to directly type into 
> his/her browser the URL of JSP or action, you probably really 
> need to check in both places.
> We're trying to avoid this with a Filter that does not allow 
> users to directly request JSPs at all (i.e. all our links 
> always go to actions and those internally forward to JSPs 
> after they're done). This way we only need to check security 
> in actions. (... just started using this approach; but it 
> seems to work out fine)

To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message