Re: Secure generic dispatcher ..
On Mon, 20 May 2002, Victor Hadianto wrote:

> Date: Mon, 20 May 2002 14:15:30 +1000
> From: Victor Hadianto [EMAIL PROTECTED]
> Reply-To: Struts Users Mailing List [EMAIL PROTECTED], [EMAIL PROTECTED]
> To: Struts Users Mailing List [EMAIL PROTECTED]
> Subject: Re: Secure generic dispatcher ..
>
> I posted this question last Friday and have had no reply. Posting again in
> the hope that someone who has an idea might have missed my email last Friday.
> I will be eternally grateful to anyone who can suggest a solution.

Container-managed security is only invoked on the original request, not on RequestDispatcher calls -- it is assumed that, if your application performs this call, then it must be satisfied that the user has the right access privileges.

> Ta,

Craig

--
To unsubscribe, e-mail: mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Secure generic dispatcher ..
I posted this question last Friday and have had no reply. Posting again in the hope that someone who has an idea might have missed my email last Friday. I will be eternally grateful to anyone who can suggest a solution.

Ta,

On Fri, 17 May 2002 16:01, you wrote:
> I have implemented a generic dispatcher ActionClass to forward requests to
> my JSP. I mapped this generic dispatcher to two different mappings, i.e.:
>
>     <action path="/dispatch" type="com.nuix.DispatchForwardAction"/>
>     <action path="/secure/dispatch" type="com.nuix.DispatchForwardAction"/>
>
> The idea is that anything under /secure is protected using the WebContainer
> security mechanism. Funnily enough I never realised until recently that a
> user can just simply forward to my secure JSP files using the non-secure
> dispatcher! Hah .. so much for this idea :D
>
> For example, what I intended to do is something like this:
>
>     /secure/dispatch.do?forward=homepage
>
> Because dispatch is under /secure, WebContainer will invoke the
> login/password screen; however, a smart and curious user can just type
>
>     /dispatch.do?forward=homepage
>
> And voila, they will go to the homepage without going through the
> login/password screen.
>
> Does anyone have a better way of implementing the generic dispatcher? Any
> help is appreciated.
>
> Ta,

--
Victor Hadianto
---
Why is Bottom-posting better than Top-posting
http://www.fmf.nl/~anton/topposting.html
RE: Secure generic dispatcher ..
Can you not just check in your dispatch action to see that they are logged in (by looking for something you put into the session context in the login action) and, if not, always just route them to the login page regardless of whatever forward parameter they actually specify?

-----Original Message-----
From: Victor Hadianto [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 20, 2002 12:16
To: Struts Users Mailing List
Subject: Re: Secure generic dispatcher ..

I posted this question last Friday and have had no reply. Posting again in the hope that someone who has an idea might have missed my email last Friday. I will be eternally grateful to anyone who can suggest a solution.

Ta,

On Fri, 17 May 2002 16:01, you wrote:
> I have implemented a generic dispatcher ActionClass to forward requests to
> my JSP. I mapped this generic dispatcher to two different mappings, i.e.:
>
>     <action path="/dispatch" type="com.nuix.DispatchForwardAction"/>
>     <action path="/secure/dispatch" type="com.nuix.DispatchForwardAction"/>
>
> The idea is that anything under /secure is protected using the WebContainer
> security mechanism. Funnily enough I never realised until recently that a
> user can just simply forward to my secure JSP files using the non-secure
> dispatcher! Hah .. so much for this idea :D
>
> For example, what I intended to do is something like this:
>
>     /secure/dispatch.do?forward=homepage
>
> Because dispatch is under /secure, WebContainer will invoke the
> login/password screen; however, a smart and curious user can just type
>
>     /dispatch.do?forward=homepage
>
> And voila, they will go to the homepage without going through the
> login/password screen.
>
> Does anyone have a better way of implementing the generic dispatcher? Any
> help is appreciated.
>
> Ta,

--
Victor Hadianto
---
Why is Bottom-posting better than Top-posting
http://www.fmf.nl/~anton/topposting.html
Re: Secure generic dispatcher ..
On Mon, 20 May 2002 14:41, you wrote:
> Cannot just check in your dispatch action to see that they are logged in
> (by looking for something you put into the session context in the login
> action) and if not always just route them to login page regardless of
> whatever forward parameter they actually specify?

Yes I can, but it introduces some session checking routine that I avoided in the first place by using Tomcat to handle the authentication and authorisation. I tried to find a cleaner (if any) solution that does not include session checking.

--
Victor Hadianto
---
Why is Bottom-posting better than Top-posting
http://www.fmf.nl/~anton/topposting.html
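Since the container checks only the original request, the dispatcher has to refuse to forward a request that arrived on the unprotected mapping to a protected page. The following is an added example, not code from this thread or from com.nuix, showing one way to do that without a session check: the action redirects to the protected mapping so the container performs the login. It assumes the Struts 1.1 `execute` signature, a `<security-constraint>` on `/secure/*`, protected JSPs stored under `/secure/`, and a hypothetical class name.

```java
// Added illustration; package and class names are hypothetical.
package example;

import java.net.URLEncoder;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public class GuardedDispatchAction extends Action {

    // Assumption: web.xml puts a <security-constraint> on /secure/* and the
    // protected JSPs are stored under that same prefix.
    private static final String SECURE_PREFIX = "/secure/";

    public ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws Exception {

        // Resolve the logical name against struts-config.xml only; the
        // parameter value is never used as a path.
        String name = request.getParameter("forward");
        ActionForward target = (name == null) ? null : mapping.findForward(name);
        if (target == null) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return null; // response handled here, nothing for Struts to forward
        }

        boolean targetProtected = target.getPath().startsWith(SECURE_PREFIX);
        boolean cameInProtected = mapping.getPath().startsWith(SECURE_PREFIX);

        if (targetProtected && !cameInProtected) {
            // A forward would skip the container's check, so send the browser
            // to the protected mapping instead. The redirect arrives as a new
            // original request, and the container enforces the constraint on it.
            String url = request.getContextPath() + SECURE_PREFIX
                    + "dispatch.do?forward=" + URLEncoder.encode(name, "UTF-8");
            response.sendRedirect(response.encodeRedirectURL(url));
            return null;
        }
        return target; // public page, or the container already authenticated
    }
}
```

Both `/dispatch` and `/secure/dispatch` can map to this one class; the decision depends only on which mapping the request arrived on and where the resolved forward points.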
Secure generic dispatcher ..
I have implemented a generic dispatcher ActionClass to forward requests to my JSP. I mapped this generic dispatcher to two different mappings, i.e.:

    <action path="/dispatch" type="com.nuix.DispatchForwardAction"/>
    <action path="/secure/dispatch" type="com.nuix.DispatchForwardAction"/>

The idea is that anything under /secure is protected using the WebContainer security mechanism. Funnily enough I never realised until recently that a user can just simply forward to my secure JSP files using the non-secure dispatcher! Hah .. so much for this idea :D

For example, what I intended to do is something like this:

    /secure/dispatch.do?forward=homepage

Because dispatch is under /secure, WebContainer will invoke the login/password screen; however, a smart and curious user can just type

    /dispatch.do?forward=homepage

And voila, they will go to the homepage without going through the login/password screen.

Does anyone have a better way of implementing the generic dispatcher? Any help is appreciated.

Ta,

--
Victor Hadianto
---
Why is Bottom-posting better than Top-posting
http://www.fmf.nl/~anton/topposting.html