struts-user mailing list archives

From "David Graham" <>
Subject RE: Security and Struts
Date Tue, 30 Jul 2002 22:03:22 GMT
I've done it by using a custom tag on all the secured pages that checks the 
login but this isn't ideal.  I could forget to put the tag in and I have to 
do it for every page.

If you let struts do it then you can't let people go to .jsp pages directly 
and I find this irritating at best.

Should you only use struts for the webforms and not for public display 
pages?  I've always been a bit confused by this.  It seems that struts was 
designed for the forms stuff but not necessarily to sit in front of your 
whole app.


>I tend to think the action is the wrong place for this sort of thing. I
>could be wrong but that's just how it occurs to me. It seems that this
>should either be handled in front of your web application (using
>cma/filters) or by the front controller components in the struts
>framework (NOTE: requests that do not map to the controller servlet,
>like requests directly to a jsp page, will not invoke your request
>processing logic).
>Struts also helps you along here. It provides a way for you to
>*declare*, along with each action mapping (in struts-config.xml), a
>specific set of roles that have access to the given action. Then, the
>RequestProcessor defines the method processRoles() that you are free to
>override, but by default it will invoke:
>for each role declared in the action mapping. If the user is found to be
>included in any of the roles then processRoles() returns true, otherwise
>it returns false. True is also returned in the case where no roles are
>declared on the action mapping. Check out the struts source for more
>Unless you use the cma/filters approach (and I haven't, so I don't know
>what the issues are there), there will still be some details for you to
>work out with respect to getting an authenticated user into the session.
>This could be handled in a number of different ways. One that occurs to
>me, off the top of my head, would be to wire a login page into the page
>that is forwarded when processRoles() returns false...
>There may be some mis-truths in what I have said here, I am currently
>working through some of this stuff, but in general I think the idea is
>sound. Certainly having declarative security is something that you
>should strive for...
>If anyone has feedback on what I've said here, I would love to hear it!
>Thanks & Good Luck,
>On Tue, 2002-07-30 at 12:59, Nelson, Tracy (ETW) wrote:
> > I'd have each form check authorization.  That way, if someone bookmarks 
> > page (or guesses its URL) they won't bypass your security scheme.  You 
> > have a global exception set up in your configuration file that forwards 
> > an "Access denied" page whenever one of your forms threw a 
> > exception.  (NOTE: I am just learning Struts and haven't even written my
> > first application using it yet.  I may not know what I am talking 
> >
> > Cheers!
> > -- Tracy
> >
> > -----Original Message-----
> > From: Ryan Cuprak []
> > Sent: Tuesday, July 30, 2002 11:53
> > To:
> > Subject: Security and Struts
> >
> >
> >
> > Hello,
> >  I was hoping someone would have some advice on securing a website using
> > struts. I am developing a webapp that has to be secure (password 
> > and which restricts access to different parts of the site depending on 
> > roles a user possesses. The roles each user has are stored as XML in a
> > database and may be configured by an administrator. Does struts have any
> > built-in security capabilities that I could take advantage of?
> >
> >
> >  Any help/pointers would be much appreciated!
> >
> >  My first guess would be to put all jsp pages in WEB-INF (use only
> > ForwardAction to get to each page) and subclass ActionServlet with the 
> > for check authentication etc. However, will this cause any problems when 
> > comes to a user book marking a page?
> >
> > Thanks,
> > -Ryan Cuprak
> >
> >
> >
> > --
> > To unsubscribe, e-mail:
> > <>
> > For additional commands, e-mail:
> > <>
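An added example, not code from any of the thread's participants, of the declarative approach the quoted reply describes: a RequestProcessor subclass that overrides processRoles() so that an unauthenticated user is sent to a login page and an authenticated user who lacks the roles declared on the action mapping is sent to an access-denied page, instead of the default HTTP error. It assumes Struts 1.1, container-managed authentication (so getUserPrincipal() and isUserInRole() are populated) and hypothetical package, class, action and page names.

```java
package example.security;   // hypothetical package name

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

/**
 * Enforces the roles declared on each action mapping in struts-config.xml, e.g.
 *   <action path="/admin/users" type="example.AdminUsersAction" roles="admin,auditor"/>
 * Registered with:
 *   <controller processorClass="example.security.RoleCheckingRequestProcessor"/>
 * (class, package, action and page paths are hypothetical).
 */
public class RoleCheckingRequestProcessor extends RequestProcessor {

    private static final String LOGIN_PATH = "/login.do";          // hypothetical
    private static final String DENIED_PATH = "/accessDenied.do";  // hypothetical

    protected boolean processRoles(HttpServletRequest request,
                                   HttpServletResponse response,
                                   ActionMapping mapping)
            throws IOException, ServletException {
        String[] roles = mapping.getRoleNames();

        // No roles declared on the mapping: public action (default Struts behaviour).
        if (roles == null || roles.length == 0) {
            return true;
        }

        // Not authenticated: send to the login page rather than "access denied".
        // Assumes container-managed authentication populates the principal.
        if (request.getUserPrincipal() == null) {
            response.sendRedirect(request.getContextPath() + LOGIN_PATH);
            return false;
        }

        // Authenticated: membership in any one declared role is sufficient.
        for (int i = 0; i < roles.length; i++) {
            if (request.isUserInRole(roles[i])) {
                return true;
            }
        }

        // Authenticated but not authorised for this action.
        response.sendRedirect(request.getContextPath() + DENIED_PATH);
        return false;   // false stops the RequestProcessor from invoking the action
    }
}
```

As the quoted reply points out, this check only runs for requests routed through the controller servlet, so the JSPs themselves still need to live under WEB-INF (reached only via forwards) or be covered by a web.xml security constraint to close the direct-URL bypass.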
