struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bruce Geerdes <bruce.geer...@sun.com>
Subject Re: How can I make my logout page not secure?
Date Mon, 23 Sep 2002 19:41:54 GMT
Michael wrote:

> I feel that the user should never get a login
> page when clicking on the logout link, and should never get the logout
> page when logging in.  Yet with container managed security protecting
> *.do this is exactly what happens.

Yes.  The answer is to not put a security constraint around "*.do".

What I did was put a security contraint around "/s/*" and then definte my
"secure" actions with that prefix ("/s/account.change.do", "/s/login.do",
etc.).  In your case, it sounds like that'd be every action except for logout,
but I had a number of other actions that I wanted accessible before login
(create new account, read marketing propaganda, etc.).

Bruce


--
To unsubscribe, e-mail:   <mailto:struts-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:struts-user-help@jakarta.apache.org>


Mime
View raw message