struts-user mailing list archives

From Oliver Refle <o.re...@gmx.de>
Subject RE: Struts declarative security policy? (was RE: Struts example - redundant login checking?)
Date Thu, 18 Apr 2002 15:03:10 GMT
If you have an application server, then you
have the possibility to define security per URL.
So, for example, you can define for
$ROOT/role1
and everything under this directory the security for a
special role in web.xml. So you don't need to check on
every page; this is now handled by the app server.



-----Original Message-----
From: Dennis Doubleday [mailto:dennis@righthandmanager.com]
Sent: Thursday, April 18, 2002 4:56 PM
To: 'Struts Users Mailing List'
Subject: Struts declarative security policy? (was RE: Struts example -
redundant login checking?)


Seems to me that neither the jsp nor the action is the correct place to
enforce a security policy. It means both page designers and developers
have to remember to do it every time.

There ought to be (is there?) a mechanism for declaring a security
policy which can be referenced in struts-config.xml; i.e. access control
is just another property of an action mapping.

> -----Original Message-----
> From: Wittke Marcus-r32643 [mailto:Marcus.Wittke@motorola.com]
> Sent: Thursday, April 18, 2002 10:44 AM
> To: 'Struts Users Mailing List'
> Subject: RE: Struts example - redundant login checking?
>
>
> Since a user always has the chance to directly type into
> his/her browser the URL of JSP or action, you probably really
> need to check in both places.
>
> We're trying to avoid this with a Filter that does not allow
> users to directly request JSPs at all (i.e. all our links
> always go to actions and those internally forward to JSPs
> after they're done). This way we only need to check security
> in actions. (... just started using this approach; but it
> seems to work out fine)


--
To unsubscribe, e-mail:
<mailto:struts-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail:
<mailto:struts-user-help@jakarta.apache.org>
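
The container-managed approach discussed in this thread, as an added example that is not part of the original messages: a Servlet 2.3 `web.xml` fragment that restricts everything under `/role1/` to one role and denies direct client requests for JSPs. The role name `role1`, the resource names and the realm name are assumptions chosen for illustration.

```xml
<!-- Added example; fragment of WEB-INF/web.xml (Servlet 2.3 element order). -->
<web-app>

  <!-- Everything under /role1/ requires the (assumed) role "role1".
       No <http-method> is listed, so the constraint covers every method. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Role1 area</web-resource-name>
      <url-pattern>/role1/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>role1</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- An auth-constraint with no role-name denies all direct client
       requests for JSPs. Constraints are applied to incoming requests,
       not to RequestDispatcher forwards, so an action can still
       forward to a JSP after its own checks. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>No direct JSP access</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- How the container authenticates; the realm name is a placeholder. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example Realm</realm-name>
  </login-config>

  <!-- Every role referenced in an auth-constraint must be declared. -->
  <security-role>
    <role-name>role1</role-name>
  </security-role>

</web-app>
```

Action URLs (for example a `*.do` mapping) need their own constraint or their own checks, since the patterns above only cover `/role1/*` and `*.jsp`.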

