struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Max Cooper" <>
Subject Re: Security Filter and ActionForm
Date Sat, 11 Jan 2003 02:19:43 GMT
You might not want to tell users what was wrong for security reasons. If
they type a username/password and can get a "username invalid" or "password
invalid" error, they will know when they have guessed a good username.
"passwords can only contain letters and digits", etc. also give away
information that you may want to protect. This may not be a major concern,
but it is good to be aware of such issues.

Assuming the info give-away from the specialized error messages is not a
significant concern, you could have a Struts Action as the error page. It
will populate an ActionForm, do validation, etc. It would be a second check
(inefficient) but you wouldn't have to modify (and maintain your
modification to) SecurityFilter to do it.

Perhaps some sort of error type system could be setup in SecurityFilter. It
would require changes/additions to the realm interface, but perhaps it is
worth it for this added functionality. It might be nice to incorporate
support for rules like "you have to change your password every X days", etc.
as well.


----- Original Message -----
From: "Curtney Jacobs" <>
To: "Struts Users Mailing List" <>
Sent: Friday, January 10, 2003 7:19 AM
Subject: Security Filter and ActionForm

> Greetings!!
> I have a login ActionForm (LogInForm) and a associated login Action class
> (LogInAction). When the form is submitted, the request is intercepted by a
> Security Filter. The Security filter authenticates and perform necessary
> authorization checks on the user via a ldap server.
> If the user authentication fails, let say because of an invalid password,
> can I use my ActionForm (LogInForm) to indicate this error to the user?
> I am aware that the Struts ActionForm and Action  have not even been
> instantiated/intitialize, since the security filter intercepted the
> I have thought of setting an attribute in the request scope, for example,
> "invalid flag" that the ActionForm validate method can check for. This
> then trigger the display of the login form and asociated error message to
> user.
> I am not sure if the above is good practice :(
> Any suggestions or comments will be much appreciated.
> Curtney Jacobs
> --
> --
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message