struts-user mailing list archives

From rob <rob_m...@fastmail.fm>
Subject Re: Struts example - redundant login checking?
Date Thu, 18 Apr 2002 15:02:33 GMT
Wittke Marcus-r32643 wrote:
> Since a user always has the chance to directly type into his/her browser the
> URL of JSP or action, you probably really need to check in both places.

This is one of the motivations behind putting all of your .jsp pages
above the WEB-INF directory.  The servlet container does not allow
requests to paths that are /context/WEB-INF/pages/foo.jsp.  It does
however allow forwarding to pages above WEB-INF thereby enforcing the
rule of all requests going through the ActionServlet (controller) and
having the login checked prior to getting access to the page.

It's not difficult to do and it increases the security of the
application.

Rob

> 
> We're trying to avoid this with a Filter that does not allow users to
> directly request JSPs at all (i.e. all our links always go to actions and
> those internally forward to JSPs after they're done). This way we only need
> to check security in actions. (... just started using this approach; but it
> seems to work out fine)
> 
> Btw., if all you want to check is that the user is logged in (no special
> access control requirements) you can completely do that in a Filter, i.e.
> you can get along without any checking in your JSPs and actions. I think
> there have been a couple of discussions about how to use filters for this
> in this mailing list, before.
> 
> Marcus
> 
> -----Original Message-----
> From: Dennis Doubleday [mailto:dennis@righthandmanager.com]
> Sent: Thursday, April 18, 2002 9:18 AM
> To: 'Struts Users Mailing List'
> Subject: Struts example - redundant login checking?
> 
> 
> In the example app distributed with Struts, it seems redundant to have
> "<app:checkLogon/>" at the start of every jsp and ALSO to check for
> login in every action class. Is that required, or just a
> belt-and-suspenders intentional duplication?
> 
> 
> --
> To unsubscribe, e-mail:
> <mailto:struts-user-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail:
> <mailto:struts-user-help@jakarta.apache.org>
> 
> 

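The two approaches above (refusing direct requests for JSPs so that every request passes through the controller, and doing the logon check once in a Filter rather than in every JSP and action) can be combined in a single servlet 2.3 Filter. The following is an added example written for this thread, not code from the Struts example app; the session attribute name "user", the open paths "/logon.do" and "/logonSubmit.do", and the "/*" mapping are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter mapped to "/*" in web.xml. (1) A browser request for a .jsp
// is refused, so views are reached only via RequestDispatcher.forward() from an
// action (servlet 2.3 filters run on requests, not on forwards). (2) Every other
// request needs a logged-in session, except the logon pages themselves.
public class LogonFilter implements Filter {
    // Session attribute the logon action is assumed to set.
    static final String USER_KEY = "user";
    // Actions that must stay reachable before logon (assumed names).
    private static final String[] OPEN_PATHS = { "/logon.do", "/logonSubmit.do" };

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getServletPath();
        // Rule 1: no direct JSP access; 404 so the response does not reveal view names.
        if (path != null && path.toLowerCase().endsWith(".jsp")) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Rule 2: logon check for everything except the logon pages themselves.
        if (!isOpen(path)) {
            HttpSession session = request.getSession(false);
            if (session == null || session.getAttribute(USER_KEY) == null) {
                response.sendRedirect(request.getContextPath() + "/logon.do");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    private static boolean isOpen(String path) {
        for (int i = 0; i < OPEN_PATHS.length; i++) {
            if (OPEN_PATHS[i].equals(path)) return true;
        }
        return false;
    }
}
```

Rule 1 becomes unnecessary if the JSPs live under WEB-INF as Rob describes, because the container itself refuses direct requests there while forwards still work. The filter then only carries the logon check, which is the single place to keep it.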

