Re: Design question regarding struts security features

2003-12-29 Thread Patrick Scheuerer
Mohan Radhakrishnan wrote:

  I think you can also use the role attribute in struts-config.xml and
restrict access to actions. Tiles has a role attribute too, though we are not
using that.

I came across the role tag of tiles as well, but I guess it's suitable 
only if you want to restrict some area of the user interface (let's say 
a special panel for administrators).
Where can I find more information about the role attribute in 
struts-config.xml? I couldn't find anything in the Struts User's Guide...

Thanks, Patrick


RE: Design question regarding struts security features

2003-12-29 Thread Mohan Radhakrishnan
Hi
   Are you only filtering data based on role?

   If you are talking about role-based access of views then we are doing
something like that:

   1. You can use Container Managed Authentication and restrict access to
URL patterns to only valid users.
   2. You can use the vendor-specific XML file to specify roles and groups
(e.g. principals.xml in OC4J).
   3. You can use a vendor-specific API like the 'DataSourceUserManager' in
OC4J to write custom code that can access your tables and do away with the
hard-coded principals.xml.
   I think you can also use the role attribute in struts-config.xml and
restrict access to actions. Tiles has a role attribute too, though we are not
using that.

Mohan




RE: Design question regarding struts security features

2003-12-29 Thread Robert Taylor
You should be able to do this with standard J2EE security provided
by your web container.

If you store your user credentials in a database, then you may want
to look at SecurityFilter:

http://sourceforge.net/projects/securityfilter/

It allows you to leverage standard J2EE security features but provides
more flexible authentication. 

robert




Design question regarding struts security features

2003-12-28 Thread Patrick Scheuerer
Hello everybody,

I'm in the process of developing my first Struts application, so forgive 
me if this question is insulting everybody's intellect.

The application I'm working on is a support portal where you can 
download technical document, drivers etc. The tricky part is, that 
certain documents should be only accessible to users with a certain role.

My idea so far is to put a user object in the session and to evaluate 
the role (and therefore the access level) of the user for all views that 
are displaying  data which might be restricted.
I guess the easiest way would be using a jsp tag like 
 which would retrieve the user object from 
the session (if it exists) and the then filter the data accordingly. Is 
there such "security taglib" around?

Has anybody worked on a similar scenario? What is the best approach to 
solve this problem? Is there a best practice for it? Any tips, hints, 
code snippets are welcome.

Thank you very much.

Patrick


Re: struts security

2003-10-21 Thread Adam Hardy


On 10/21/2003 03:11 PM ajay brar wrote:
hi!
i need to implement the following security features in my security
application.
authentication
   which is better - have a login page and keep some sort of bean in
   session on successful login and check for the bean in every action (and
   have no direct links)
   OR use realms, define user roles etc
   (i have only 2 classes of users at the moment, the max number will be 4)
confidentiality - should i implement my own encryption protocol, like a
   function that takes a string, gets a symmetric key (or private key if
   using public key encryption) and encrypts and sends the data
integrity - again what should be my approach?
non-repudiation - digital signatures
prevent replay attacks - ???

how do i support ssl in struts?

any pointers and references would be most welcome
You mean to ask, should you use container-managed security or not?

I would check out the mailing list archives because there are some very 
interesting posts from the last 6 months or so that address this issue. 
IIRC the deciding factor is how complicated your role & authorisation 
implementation is.

For ssl in struts, check out sslext at sourceforge - there is a link to 
it from the struts website.

HTH
Adam
--
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9


struts security

2003-10-21 Thread ajay brar
hi!
i need to implement the following security features in my security
application.
authentication
   which is better - have a login page and keep some sort of bean in
   session on successful login and check for the bean in every action (and
   have no direct links)
   OR use realms, define user roles etc
   (i have only 2 classes of users at the moment, the max number will be 4)
confidentiality - should i implement my own encryption protocol, like a
   function that takes a string, gets a symmetric key (or private key if
   using public key encryption) and encrypts and sends the data
integrity - again what should be my approach?
non-repudiation - digital signatures
prevent replay attacks - ???

how do i support ssl in struts?

any pointers and references would be most welcome

thanks
ajay


RE: Struts security

2003-10-13 Thread Butt, Dudley
why not just use openldap? It's great, and it can be used as the basis for a single
sign-on. I generally try to avoid doing user access and security in
a SQL db, as it then ties your app to that security model and kind of makes it
unusable for anyone else.
I then have an LDAP utility that looks up the user and his roles, when you can then
apply a check like hasKey or isSuperUser.

What do you guys think?




RE: Struts security

2003-10-09 Thread Nick Faiz
Is there a reason not to use declarative security in the deployment
descriptor for role based authorisation for each resource? 

I'll be heading down this track soon and that's what I had wanted to do.

Nick Faiz




RE: Struts security

2003-10-09 Thread Andrew Hill

2) During login-action fill a java bean with all actions a user can
perform


This can be problematic if your requirements are that when the
admin/superuser/bofh modifies the users permissions such changes must be
reflected immediately (ie: without that user having to log out and log back
in again).

(I suppose you could store that bean in servlet rather than session scope
and so update it when the admin changes permissions, but that wouldnt work
in a distributed env)




Re: Struts security

2003-10-09 Thread markus

Hello,

sorry, my english is not so good, perhaps I haven't got the point yet
(and I'm new to struts so I don't know if it works).

Every time a user clicks a link (=> calls an action) you want to check
if the user has the permissions for this action and, if the user has not
got the permission, show an error page? In my opinion that solution is not so
good, especially for users :)

Perhaps you can do the following:
1) Code a login-Page
2) During login-action fill a java bean with all actions a user can
perform
3) Build your view based on this java bean

So users only see the actions they are allowed to perform.

Regards,
Markus





RE: Struts security

2003-10-09 Thread muzammil shahbaz
Exactly!!!

You got the point. That's what I use to handle security issues.

Keep it up :-)


Re: Struts security

2003-10-09 Thread Stefan Trcko
Where do you store user rights (which actions a user can perform)?
I think of storing user rights and the actions which he can perform in
the database and then, in every action class, performing SQL with the username
(from session) and the currently performed action. If the SQL returns that the
user can perform this action then forward to the success page, else to the
error page.

What do you think? Is this a good solution?

Regards
Stefan
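One way to implement the per-action check discussed in this thread so that Andrew's concern about stale permissions does not arise: the lookup runs on every request and reads the table each time, and the same lookup can be used when rendering the navigation (Markus's idea) so the view only shows permitted links while the server still enforces the rule. This is an added example, not code from any poster; it assumes Struts 1.1, a DataSource published in the servlet context under the attribute name portalDataSource, a session attribute username set by the login action, and a table user_action(username, action_path).

```java
package com.example.portal.security;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.sql.DataSource;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/**
 * Base class for every action that needs authorisation.  The check runs on
 * every request and reads the permissions table each time, so a change made
 * by an administrator is enforced on the user's very next request without a
 * re-login.  Subclasses implement executeAuthorized() instead of execute().
 */
public abstract class ProtectedAction extends Action {

    /** Session attribute under which the login action stores the user name (assumed). */
    public static final String USER_KEY = "username";

    /** Servlet-context attribute under which the web app publishes its DataSource (assumed). */
    public static final String DATASOURCE_KEY = "portalDataSource";

    public final ActionForward execute(ActionMapping mapping, ActionForm form,
                                       HttpServletRequest request,
                                       HttpServletResponse response)
            throws Exception {
        HttpSession session = request.getSession(false);
        String user = (session == null) ? null
                                        : (String) session.getAttribute(USER_KEY);
        if (user == null) {
            // Not authenticated: send to the login page, never into the action.
            return mapping.findForward("login");
        }
        DataSource ds = (DataSource) getServlet().getServletContext()
                                                 .getAttribute(DATASOURCE_KEY);
        // mapping.getPath() is the action path from struts-config.xml, e.g. "/editProfile".
        if (!PermissionStore.mayPerform(ds, user, mapping.getPath())) {
            // Deny on the server even when the view hid the link: a user can
            // still type the URL or follow an old bookmark.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return null;
        }
        return executeAuthorized(mapping, form, request, response);
    }

    protected abstract ActionForward executeAuthorized(ActionMapping mapping,
            ActionForm form, HttpServletRequest request,
            HttpServletResponse response) throws Exception;
}

/**
 * Permission lookup.  A parameterised query keeps the user name and action
 * path out of the SQL text, so a crafted user name cannot change the query.
 * Assumed table: user_action(username VARCHAR, action_path VARCHAR).
 */
final class PermissionStore {
    private static final String SQL =
        "SELECT 1 FROM user_action WHERE username = ? AND action_path = ?";

    static boolean mayPerform(DataSource ds, String user, String actionPath)
            throws SQLException {
        Connection con = ds.getConnection();
        try {
            PreparedStatement ps = con.prepareStatement(SQL);
            ps.setString(1, user);
            ps.setString(2, actionPath);
            ResultSet rs = ps.executeQuery();
            boolean allowed = rs.next();   // any row means "permitted"
            rs.close();
            ps.close();
            return allowed;
        } finally {
            con.close();
        }
    }
}
```

A JSP that builds the menu can call the same PermissionStore.mayPerform for each candidate link, so the list a user sees and the rule the server applies never disagree.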





RE: Struts security

2003-10-09 Thread Prashanth.S
http://www.informit.com/isapi/product_id~%7B1841ABCB-E1B7-445F-A722-1378C58AD8E0%7D/content/index.asp


RE: Struts security

2003-10-09 Thread muzammil shahbaz
This can simply be done by authorizing the user in each action class. We
have request & session attributes which may be helpful for checking the
current state of the user.

Before doing any processing, first of all, process user authentication
and if it finds any restriction then forward the action to the appropriate
error page.

Regards,
MMS


Struts security

2003-10-09 Thread Stefan Trcko
Hello

I want to implement security in my struts web portal, so
that I can restrict users which actions they can perform.

Has anybody already worked on this kind of security in Struts?

Thanks in advance
Stefan







Struts Security

2003-09-04 Thread Eyunni Srilatha
 HI,
I want to password protect a folder in Struts. I have many folders
under jsp like 'test', 'general', 'report'. I want to protect only the 'report'
folder. I have written this code in web.xml but it's blocking all my
folders from being accessed.
I want only the report folder to be password protected. Can anybody
please tell me this.

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecureReportJSP</web-resource-name>
      <description>Protect the reports</description>
      <url-pattern>/report/*</url-pattern>               <!-- I have given it like this -->
      <url-pattern>/jsp/report/login.jsp</url-pattern>   <!-- and also like this -->
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
  </security-constraint>

Thanks in advance. Please help me in this.
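The web.xml above and Mohan's suggestion near the top of this page (container-managed authentication plus the roles attribute in struts-config.xml) fit together in one configuration. The fragments below are an added example, not the poster's file or anything from the Struts distribution; they assume a role named report-user, a login page at /login.jsp, and an action class com.example.portal.DownloadReportAction.

```xml
<!-- web.xml: a url-pattern is matched against the request path relative
     to the context root, so a folder that lives under /jsp has to be
     written /jsp/report/*; the pattern /report/* never matches it. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SecureReportJSP</web-resource-name>
    <description>Protect the reports</description>
    <url-pattern>/jsp/report/*</url-pattern>
    <!-- No <http-method> elements: the constraint then covers every
         method.  Listing only GET and POST leaves HEAD, PUT and the
         rest unconstrained. -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Only authenticated users holding this role get through. -->
    <role-name>report-user</role-name>
  </auth-constraint>
</security-constraint>

<!-- Form-based container login.  The login page is kept outside the
     protected folder, so nothing depends on how a particular container
     serves the login page to a not-yet-authenticated user. -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>report-user</role-name>
</security-role>

<!-- struts-config.xml (Struts 1.1): with the roles attribute the
     RequestProcessor calls request.isUserInRole() for each listed role
     before the action runs, so the same container roles guard the
     actions as well as the JSP folder. -->
<action path="/downloadReport"
        type="com.example.portal.DownloadReportAction"
        roles="report-user">
  <forward name="success" path="/jsp/report/download.jsp"/>
</action>
```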



Re: Login with Struts; Security Bug?

2003-01-14 Thread frazz
Obviously it's posted again when you reload the page, but I don't think
this is the way it has to be. Why does the browser post information
(password) it should not be aware of any more after the login request has
been processed?
Anyway, I am interested in a solution for how to disable this behaviour.
Any ideas?

frazz





RE: Problem: Login with Struts; Security Bug?

2003-01-14 Thread Durham David Cntr 805CSS/SCBE
You are probably reposting your username and password to logon.do.  Essentially 
logging on twice.







Problem: Login with Struts; Security Bug?

2003-01-14 Thread frazz
Hi,
I'm using Struts 1.0.2 and experienced an unwanted behavior.
I tested it with the struts-example coming with the binaries and it's the
same.
I'll explain it with the example so you can test it for yourself.

1. Ok, first you need a registered user. If you haven't registered one, do
so.
2. Enter http://localhost:8080/struts-example/index.jsp into your browser
(whatever port number).
3. Click "Log on to the MailReader Demonstration Application"
4. Enter username and password. Click Login.
5. Click "Log off MailReader Demonstration Application"
6. Click "Back" in your browser
7. Click "Edit your user registration profile"
-> you are redirected to the login site. OK! You logged off, that's the
way it should be.
8. Click "Back" in your browser as many times as you need to get back to the
main menu. You should be here:
   "http://localhost:8080/struts-example/logon.do;jsessionid=ssf0t8t181"
(whatever session id)
9. Click Reload in your browser
10. Click the link "Edit your user registration profile"
What is this??? You are in again. You can edit your profile! After the
logout you performed and without logging in again. It's somehow done
automatically.
   I don't want that I log out and the next person using my computer can
log into my account by reloading an old site from the browser cache.
   Is there a way to prevent it? I have tried several meta-tags in the
html for no-caching but nothing helps.
   Maybe the browser is caching the userid and the password.
   Is the only solution to close the window or to close the whole browser?

Thanks for your help!!
Greets frazz
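A fix for the behaviour described above, matching David's diagnosis that the reload re-submits the cached credentials: answer the login POST with a redirect so the browser history holds a GET, destroy the session on logout, and send cache headers so a page reached via "Back" is fetched again. This is an added example, not code from the thread or from the Struts example application; it assumes the Struts 1.1 execute() signature (the 1.0.2 perform() method takes the same arguments), a Servlet 2.3 container for the filter, a hypothetical UserDirectory published in the servlet context under the attribute name userDirectory, and forwards named logon and menu in struts-config.xml.

```java
package com.example.portal.security;

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
import org.apache.struts.action.*;

// --- UserDirectory.java --- hypothetical credential store; the web app
// publishes one instance in the servlet context as "userDirectory".
interface UserDirectory {
    boolean check(String username, String password);
}

// --- LogonAction.java ---
// A successful POST is answered with a redirect (302), so the page the
// browser remembers after login is the result of a GET.  "Back" followed by
// "Reload" then re-fetches the menu instead of re-posting the cached
// username and password to logon.do.
public class LogonAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response)
            throws Exception {
        if (!"POST".equals(request.getMethod())) {
            // A GET of logon.do (bookmark, reload) only shows the form;
            // it is never treated as a credential submission.
            return mapping.findForward("logon");
        }
        UserDirectory dir = (UserDirectory) getServlet().getServletContext()
                                                        .getAttribute("userDirectory");
        String username = request.getParameter("username");
        if (!dir.check(username, request.getParameter("password"))) {
            return mapping.findForward("logon");
        }
        // Drop any pre-login session before storing the user in a fresh one.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        request.getSession(true).setAttribute("username", username);
        // The boolean argument makes Struts send a redirect to the menu path
        // (the same effect as redirect="true" on the forward in struts-config).
        return new ActionForward(mapping.findForward("menu").getPath(), true);
    }
}

// --- LogoffAction.java ---
// The session is destroyed on the server, so a page re-shown from the
// browser history no longer has a valid session behind it.
public class LogoffAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response)
            throws Exception {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        return new ActionForward(mapping.findForward("logon").getPath(), true);
    }
}

// --- NoStoreFilter.java --- map it in web.xml to *.do and the protected
// JSP paths.  Response headers, unlike <meta> tags in the HTML, are what
// the browser cache honours; with no-store most browsers re-request a page
// reached via "Back", and the invalidated session then leads to the login page.
public class NoStoreFilter implements Filter {
    public void init(FilterConfig config) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        response.setHeader("Pragma", "no-cache");   // for HTTP/1.0 caches
        response.setDateHeader("Expires", 0);
        chain.doFilter(req, res);
    }
}
```

In a real project each public class goes in its own file; they are shown together here only so the three pieces of the fix can be read as one unit.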





RE: Inside WEB-INF or outside WEB-INF? Struts security. SWF FILES

2002-04-20 Thread Craig R. McClanahan



It depends on what you mean by "enhance security".

The only thing different about putting JSP pages inside /WEB-INF versus
outside is whether a client can directly request one of your pages with a
URL.  For example, this URL will work (assuming there's a page there):

  http://localhost:8080/myapp/foo.jsp

whereas this one will never work from a browser:

  http://localhost:8080/myapp/WEB-INF/foo.jsp

If you don't have users who do this sort of thing (or you don't care if
they do or not, because the app won't work correctly for them anyway),
then there is no difference in where the JSP pages are located.

Craig






RE: Inside WEB-INF or outside WEB-INF? Struts security. SWF FILES

2002-04-20 Thread Micael Padraig Og mac Grene

You seem to be suggesting, Craig, that you find putting them outside 
WEB-INF should be fine.  Is that a correct reading of your comments?  If 
so, would you please expand on that?  I am dealing with some relatively 
complex issues of reference between pages, including swf template files 
with arrays accessing other swf photo files, without, of course, including 
forwarding mechanisms available to struts.  I would like to do this inside 
of WEB-INF by instinct, thinking it would enhance security, but that may 
not be an option?  Thanks for any help on this.

At 01:59 PM 4/20/02 -0700, you wrote:


>On Sat, 20 Apr 2002, Micael Padraig Og mac Grene wrote:
>
> > Date: Sat, 20 Apr 2002 00:39:53 -0700
> > From: Micael Padraig Og mac Grene <[EMAIL PROTECTED]>
> > Reply-To: Struts Users Mailing List <[EMAIL PROTECTED]>
> > To: Struts Users Mailing List <[EMAIL PROTECTED]>
> > Subject: RE: Inside WEB-INF or outside WEB-INF? Struts security.
> >
> > Exactly!  So, why do the typical examples put the jsp pages outside?
> >
>
>The requirement that JSP pages work from inside /WEB-INF is not
>particularly clear in the Servlet 2.2 and JSP 1.1 specs, and in fact they
>do not work in some containers.  To minimize startup problems, that is why
>the Struts examples have them outside.
>
>Additionally, some Struts-based webapps do direct links from one JSP page
>to another, when there is no need for any processing logic in between.
>This won't work if they are inside.
>
>Finally, don't forget that, even if you put your own JSP pages inside the
>/WEB-INF directory, you'll need to leave the app home page (usually
>index.jsp) outside so that it is accessible.
>
>Craig
>
>







RE: Inside WEB-INF or outside WEB-INF? Struts security.

2002-04-20 Thread Craig R. McClanahan



On Sat, 20 Apr 2002, Micael Padraig Og mac Grene wrote:

> Date: Sat, 20 Apr 2002 00:39:53 -0700
> From: Micael Padraig Og mac Grene <[EMAIL PROTECTED]>
> Reply-To: Struts Users Mailing List <[EMAIL PROTECTED]>
> To: Struts Users Mailing List <[EMAIL PROTECTED]>
> Subject: RE: Inside WEB-INF or outside WEB-INF? Struts security.
>
> Exactly!  So, why do the typical examples put the jsp pages outside?
>

The requirement that JSP pages work from inside /WEB-INF is not
particularly clear in the Servlet 2.2 and JSP 1.1 specs, and in fact they
do not work in some containers.  To minimize startup problems, that is why
the Struts examples have them outside.

Additionally, some Struts-based webapps do direct links from one JSP page
to another, when there is no need for any processing logic in between.
This won't work if they are inside.

Finally, don't forget that, even if you put your own JSP pages inside the
/WEB-INF directory, you'll need to leave the app home page (usually
index.jsp) outside so that it is accessible.

Craig
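Craig's three points in code, as an added example that is not part of this thread or of the Struts distribution: a hypothetical front-controller servlet that is the only route to the JSP views under /WEB-INF, with index.jsp left outside as the entry page. It assumes the Servlet 2.3 API on the classpath and a `*.do` servlet mapping in web.xml; the view names and JSP paths are constructed for the example.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical front controller, mapped in web.xml to "*.do".  The JSP files it
 * renders live under /WEB-INF/jsp/, which the container never serves on a direct
 * request (the Servlet spec reserves /WEB-INF for the application's private
 * files), so a browser can only reach them through this servlet's forward.
 * Only index.jsp, the entry page, stays outside /WEB-INF.
 */
public class ViewController extends HttpServlet {

    /** Logical view names -> private JSP paths (constructed for this example). */
    private static final Map<String, String> VIEWS = new HashMap<String, String>();
    static {
        VIEWS.put("welcome", "/WEB-INF/jsp/welcome.jsp");
        VIEWS.put("account", "/WEB-INF/jsp/account.jsp");
    }

    /**
     * Resolves a logical view name to its private JSP path, or returns null
     * when the name is not in the table.  Looking the path up in a fixed
     * table means request data never becomes part of a file path.
     */
    static String resolveView(String name) {
        if (name == null) {
            return null;
        }
        return VIEWS.get(name);
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Derive the view name from the servlet path, e.g. "/account.do" -> "account".
        String path = request.getServletPath();
        if (!path.endsWith(".do")) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        String jsp = resolveView(path.substring(1, path.length() - ".do".length()));
        if (jsp == null) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // A server-side forward may enter /WEB-INF; a client request never can.
        RequestDispatcher dispatcher = getServletContext().getRequestDispatcher(jsp);
        dispatcher.forward(request, response);
    }
}
```

With this layout a request for /WEB-INF/jsp/account.jsp is answered by the container itself (404 under the Servlet spec) before any application code runs, while /account.do renders the same page through the controller. Craig's caveat still applies: on a container of that era that did not honour forwards into /WEB-INF, the forward fails, so the layout should be verified on the target container before relying on it.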






RE: Inside WEB-INF or outside WEB-INF? Struts security.

2002-04-20 Thread Jay sissom

Because some web containers don't allow you to put jsp pages in WEB-INF.  
Tomcat does, but there is at least one other server out there that doesn't 
allow it.  It's been discussed on this list before so you can search the 
archives to find out which one.

If yours does and you want to put them in there, you can put them inside 
WEB-INF.

Jay

On Sat, 20 Apr 2002, Micael Padraig Og mac Grene wrote:

> Exactly!  So, why do the typical examples put the jsp pages outside?
> 
> At 02:43 PM 4/19/02 -0300, you wrote:
> >He means that it is more secure to place JSP files
> >inside the WEB-INF directory, since it does not allow
> >direct access to its files.
> >So, nobody would be able to access the JSP files
> >directly, and would then have to use the mapped URLs
> >in struts.config.xml, which is more secure.
> >
> >  --- "Galbreath, Mark" <[EMAIL PROTECTED]>
> >escreveu: > I thought I answered that.  If you have
> >nothing that
> > > can execute outside
> > > WEB-INF, what does security matter?
> > >
> > > Mark
> > >
> > > -Original Message-
> > > From: Micael Padraig Og mac Grene
> > > [mailto:[EMAIL PROTECTED]]
> > > Sent: Friday, April 19, 2002 12:32 PM
> > > To: Struts Users Mailing List
> > > Subject: RE: Inside WEB-INF or outside WEB-INF?
> > > Struts security.
> > >
> > >
> > > Thank you for the response, but it is not responsive
> > > to the question I
> > > asked, I think.  My question was:
> > >
> > >  Most sample apps have the jsp pages and
> > >  images outside the WEB-INF. Why? Isn't
> > >  it more secure inside?
> > >
> > > So, where the servlets are ultimately put is not the
> > > question, Mark.  The
> > > question is why do most sample applications put the
> > > jsp pages outside the
> > > WEB-INF file, even in Tomcat?  That works with
> > > Tomcat too.  You can put
> > > them in either place, but if you do it outside you
> > > use relative urls and if
> > > you put them inside you use the controller
> > > framework.  My question is why
> > > in the world would someone use struts and then put
> > > them outside the WEB-INF
> > > file?
> > >
> > > Thanks.
> > >
> > > Micael
> > >
> > >
> > > At 05:31 AM 4/19/02 -0400, you wrote:
> > > >All web containers MUST support files inside
> > > WEB-INF by specification.  As
> > > >for JSP files, some containers, like Tomcat,
> > > consider them controller
> > > >component Java classes (servlets) and places them
> > > in the WEB-INF/class
> > > >directory by default.  Others, like JRun, consider
> > > JSPs view components
> > > >(they are, if used "correctly") and place them in a
> > > "jsp" directory outside
> > > >WEB-INF.
> > > >
> > > >The point is, JSPs should never have executable
> > > Java scriptlets in them.
> > > >Programmatic functionality should consist solely of
> > > tags, which hide the
> > > >implementation inside WEB-INF.
> > > >
> > > >Mark
> > > >
> > > >-Original Message-
> > > >From: Victor Hadianto [mailto:[EMAIL PROTECTED]]
> > > >Sent: Friday, April 19, 2002 3:18 AM
> > > >
> > > >On Fri, 19 Apr 2002 08:20, you wrote:
> > > > > Most sample apps have the jsp pages and images
> > > outside the
> > > > > WEB-INF.  Why?  Isn't it more secure inside?
> > > >
> > > >Not all web containers support files inside the
> > > WEB-INF. Tomcat does.
> > > >
> > >
> > >
> > >
> > >
> >
> >=
> >
> >Frederico Ferro Schuh
> >[EMAIL PROTECTED]
> >ICQ: 20486081
> >
> 
>>___
> >Yahoo! Empregos
> >O trabalho dos seus sonhos pode estar aqui. Cadastre-se hoje mesmo no 
> >Yahoo! Empregos e tenha acesso a milhares de vagas abertas!
> >http://br.empregos.yahoo.com/
> >
> 
> 
> 
> 






RE: Inside WEB-INF or outside WEB-INF? Struts security.

2002-04-20 Thread Galbreath, Mark

(a)  Because examples/tutorials don't care about security (and most of them
explicitly say something like, "you wouldn't want to do this in a real
application."), and

(b)  At the risk of repeating myself (for the third time), there is no
security risk if your JSP is used for presentation only and contains no
executable code.

What is there about this you are not getting?

Mark

-Original Message-
From: Micael Padraig Og mac Grene [mailto:[EMAIL PROTECTED]]
Sent: Saturday, April 20, 2002 3:40 AM
To: Struts Users Mailing List
Subject: RE: Inside WEB-INF or outside WEB-INF? Struts security.


Exactly!  So, why do the typical examples put the jsp pages outside?

At 02:43 PM 4/19/02 -0300, you wrote:
>He means that it is more secure to place JSP files
>inside the WEB-INF directory, since it does not allow
>direct access to its files.
>So, nobody would be able to access the JSP files
>directly, and would then have to use the mapped URLs
>in struts.config.xml, which is more secure.
>
>  --- "Galbreath, Mark" <[EMAIL PROTECTED]>
>escreveu: > I thought I answered that.  If you have
>nothing that
> > can execute outside
> > WEB-INF, what does security matter?
> >
> > Mark
> >
> > -Original Message-
> > From: Micael Padraig Og mac Grene
> > [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, April 19, 2002 12:32 PM
> > To: Struts Users Mailing List
> > Subject: RE: Inside WEB-INF or outside WEB-INF?
> > Struts security.
> >
> >
> > Thank you for the response, but it is not responsive
> > to the question I
> > asked, I think.  My question was:
> >
> >  Most sample apps have the jsp pages and
> >  images outside the WEB-INF. Why? Isn't
> >  it more secure inside?
> >
> > So, where the servlets are ultimately put is not the
> > question, Mark.  The
> > question is why do most sample applications put the
> > jsp pages outside the
> > WEB-INF file, even in Tomcat?  That works with
> > Tomcat too.  You can put
> > them in either place, but if you do it outside you
> > use relative urls and if
> > you put them inside you use the controller
> > framework.  My question is why
> > in the world would someone use struts and then put
> > them outside the WEB-INF
> > file?
> >
> > Thanks.
> >
> > Micael
> >
> >
> > At 05:31 AM 4/19/02 -0400, you wrote:
> > >All web containers MUST support files inside
> > WEB-INF by specification.  As
> > >for JSP files, some containers, like Tomcat,
> > consider them controller
> > >component Java classes (servlets) and places them
> > in the WEB-INF/class
> > >directory by default.  Others, like JRun, consider
> > JSPs view components
> > >(they are, if used "correctly") and place them in a
> > "jsp" directory outside
> > >WEB-INF.
> > >
> > >The point is, JSPs should never have executable
> > Java scriptlets in them.
> > >Programmatic functionality should consist solely of
> > tags, which hide the
> > >implementation inside WEB-INF.
> > >
> > >Mark
> > >
> > >-Original Message-
> > >From: Victor Hadianto [mailto:[EMAIL PROTECTED]]
> > >Sent: Friday, April 19, 2002 3:18 AM
> > >
> > >On Fri, 19 Apr 2002 08:20, you wrote:
> > > > Most sample apps have the jsp pages and images
> > outside the
> > > > WEB-INF.  Why?  Isn't it more secure inside?
> > >
> > >Not all web containers support files inside the
> > WEB-INF. Tomcat does.
> > >
> >
> >
> >
> >
>
>=
>
>Frederico Ferro Schuh
>[EMAIL PROTECTED]
>ICQ: 20486081
>
>







RE: Inside WEB-INF or outside WEB-INF? Struts security.

2002-04-20 Thread Micael Padraig Og mac Grene

Exactly!  So, why do the typical examples put the jsp pages outside?

At 02:43 PM 4/19/02 -0300, you wrote:
>He means that it is more secure to place JSP files
>inside the WEB-INF directory, since it does not allow
>direct access to its files.
>So, nobody would be able to access the JSP files
>directly, and would then have to use the mapped URLs
>in struts.config.xml, which is more secure.
>
>  --- "Galbreath, Mark" <[EMAIL PROTECTED]>
>escreveu: > I thought I answered that.  If you have
>nothing that
> > can execute outside
> > WEB-INF, what does security matter?
> >
> > Mark
> >
> > -Original Message-
> > From: Micael Padraig Og mac Grene
> > [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, April 19, 2002 12:32 PM
> > To: Struts Users Mailing List
> > Subject: RE: Inside WEB-INF or outside WEB-INF?
> > Struts security.
> >
> >
> > Thank you for the response, but it is not responsive
> > to the question I
> > asked, I think.  My question was:
> >
> >  Most sample apps have the jsp pages and
> >  images outside the WEB-INF. Why? Isn't
> >  it more secure inside?
> >
> > So, where the servlets are ultimately put is not the
> > question, Mark.  The
> > question is why do most sample applications put the
> > jsp pages outside the
> > WEB-INF file, even in Tomcat?  That works with
> > Tomcat too.  You can put
> > them in either place, but if you do it outside you
> > use relative urls and if
> > you put them inside you use the controller
> > framework.  My question is why
> > in the world would someone use struts and then put
> > them outside the WEB-INF
> > file?
> >
> > Thanks.
> >
> > Micael
> >
> >
> > At 05:31 AM 4/19/02 -0400, you wrote:
> > >All web containers MUST support files inside
> > WEB-INF by specification.  As
> > >for JSP files, some containers, like Tomcat,
> > consider them controller
> > >component Java classes (servlets) and places them
> > in the WEB-INF/class
> > >directory by default.  Others, like JRun, consider
> > JSPs view components
> > >(they are, if used "correctly") and place them in a
> > "jsp" directory outside
> > >WEB-INF.
> > >
> > >The point is, JSPs should never have executable
> > Java scriptlets in them.
> > >Programmatic functionality should consist solely of
> > tags, which hide the
> > >implementation inside WEB-INF.
> > >
> > >Mark
> > >
> > >-Original Message-
> > >From: Victor Hadianto [mailto:[EMAIL PROTECTED]]
> > >Sent: Friday, April 19, 2002 3:18 AM
> > >
> > >On Fri, 19 Apr 2002 08:20, you wrote:
> > > > Most sample apps have the jsp pages and images
> > outside the
> > > > WEB-INF.  Why?  Isn't it more secure inside?
> > >
> > >Not all web containers support files inside the
> > WEB-INF. Tomcat does.
> > >
> >
> >
> >
> >
>
>=
>
>Frederico Ferro Schuh
>[EMAIL PROTECTED]
>ICQ: 20486081
>
>







RE: Inside WEB-INF or outside WEB-INF? Struts security.

2002-04-19 Thread Frederico Schuh

He means that it is more secure to place JSP files
inside the WEB-INF directory, since it does not allow
direct access to its files.
So, nobody would be able to access the JSP files
directly, and would then have to use the mapped URLs
in struts.config.xml, which is more secure.

 --- "Galbreath, Mark" <[EMAIL PROTECTED]>
escreveu: > I thought I answered that.  If you have
nothing that
> can execute outside
> WEB-INF, what does security matter?
> 
> Mark
> 
> -Original Message-
> From: Micael Padraig Og mac Grene
> [mailto:[EMAIL PROTECTED]]
> Sent: Friday, April 19, 2002 12:32 PM
> To: Struts Users Mailing List
> Subject: RE: Inside WEB-INF or outside WEB-INF?
> Struts security.
> 
> 
> Thank you for the response, but it is not responsive
> to the question I 
> asked, I think.  My question was:
> 
>  Most sample apps have the jsp pages and
>  images outside the WEB-INF. Why? Isn't
>  it more secure inside?
> 
> So, where the servlets are ultimately put is not the
> question, Mark.  The 
> question is why do most sample applications put the
> jsp pages outside the 
> WEB-INF file, even in Tomcat?  That works with
> Tomcat too.  You can put 
> them in either place, but if you do it outside you
> use relative urls and if 
> you put them inside you use the controller
> framework.  My question is why 
> in the world would someone use struts and then put
> them outside the WEB-INF 
> file?
> 
> Thanks.
> 
> Micael
> 
> 
> At 05:31 AM 4/19/02 -0400, you wrote:
> >All web containers MUST support files inside
> WEB-INF by specification.  As
> >for JSP files, some containers, like Tomcat,
> consider them controller
> >component Java classes (servlets) and places them
> in the WEB-INF/class
> >directory by default.  Others, like JRun, consider
> JSPs view components
> >(they are, if used "correctly") and place them in a
> "jsp" directory outside
> >WEB-INF.
> >
> >The point is, JSPs should never have executable
> Java scriptlets in them.
> >Programmatic functionality should consist solely of
> tags, which hide the
> >implementation inside WEB-INF.
> >
> >Mark
> >
> >-Original Message-
> >From: Victor Hadianto [mailto:[EMAIL PROTECTED]]
> >Sent: Friday, April 19, 2002 3:18 AM
> >
> >On Fri, 19 Apr 2002 08:20, you wrote:
> > > Most sample apps have the jsp pages and images
> outside the
> > > WEB-INF.  Why?  Isn't it more secure inside?
> >
> >Not all web containers support files inside the
> WEB-INF. Tomcat does.
> >
> 
> 
> 
>  

=

Frederico Ferro Schuh
[EMAIL PROTECTED]
ICQ: 20486081






RE: Inside WEB-INF or outside WEB-INF? Struts security.

2002-04-19 Thread Galbreath, Mark

I thought I answered that.  If you have nothing that can execute outside
WEB-INF, what does security matter?

Mark

-Original Message-
From: Micael Padraig Og mac Grene [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 19, 2002 12:32 PM
To: Struts Users Mailing List
Subject: RE: Inside WEB-INF or outside WEB-INF? Struts security.


Thank you for the response, but it is not responsive to the question I 
asked, I think.  My question was:

 Most sample apps have the jsp pages and
 images outside the WEB-INF. Why? Isn't
 it more secure inside?

So, where the servlets are ultimately put is not the question, Mark.  The 
question is why do most sample applications put the jsp pages outside the 
WEB-INF file, even in Tomcat?  That works with Tomcat too.  You can put 
them in either place, but if you do it outside you use relative urls and if 
you put them inside you use the controller framework.  My question is why 
in the world would someone use struts and then put them outside the WEB-INF 
file?

Thanks.

Micael


At 05:31 AM 4/19/02 -0400, you wrote:
>All web containers MUST support files inside WEB-INF by specification.  As
>for JSP files, some containers, like Tomcat, consider them controller
>component Java classes (servlets) and places them in the WEB-INF/class
>directory by default.  Others, like JRun, consider JSPs view components
>(they are, if used "correctly") and place them in a "jsp" directory outside
>WEB-INF.
>
>The point is, JSPs should never have executable Java scriptlets in them.
>Programmatic functionality should consist solely of tags, which hide the
>implementation inside WEB-INF.
>
>Mark
>
>-Original Message-
>From: Victor Hadianto [mailto:[EMAIL PROTECTED]]
>Sent: Friday, April 19, 2002 3:18 AM
>
>On Fri, 19 Apr 2002 08:20, you wrote:
> > Most sample apps have the jsp pages and images outside the
> > WEB-INF.  Why?  Isn't it more secure inside?
>
>Not all web containers support files inside the WEB-INF. Tomcat does.
>







RE: Inside WEB-INF or outside WEB-INF? Struts security.

2002-04-19 Thread Micael Padraig Og mac Grene

Thank you for the response, but it is not responsive to the question I 
asked, I think.  My question was:

 Most sample apps have the jsp pages and
 images outside the WEB-INF. Why? Isn't
 it more secure inside?

So, where the servlets are ultimately put is not the question, Mark.  The 
question is why do most sample applications put the jsp pages outside the 
WEB-INF file, even in Tomcat?  That works with Tomcat too.  You can put 
them in either place, but if you do it outside you use relative urls and if 
you put them inside you use the controller framework.  My question is why 
in the world would someone use struts and then put them outside the WEB-INF 
file?

Thanks.

Micael


At 05:31 AM 4/19/02 -0400, you wrote:
>All web containers MUST support files inside WEB-INF by specification.  As
>for JSP files, some containers, like Tomcat, consider them controller
>component Java classes (servlets) and places them in the WEB-INF/class
>directory by default.  Others, like JRun, consider JSPs view components
>(they are, if used "correctly") and place them in a "jsp" directory outside
>WEB-INF.
>
>The point is, JSPs should never have executable Java scriptlets in them.
>Programmatic functionality should consist solely of tags, which hide the
>implementation inside WEB-INF.
>
>Mark
>
>-Original Message-
>From: Victor Hadianto [mailto:[EMAIL PROTECTED]]
>Sent: Friday, April 19, 2002 3:18 AM
>
>On Fri, 19 Apr 2002 08:20, you wrote:
> > Most sample apps have the jsp pages and images outside the
> > WEB-INF.  Why?  Isn't it more secure inside?
>
>Not all web containers support files inside the WEB-INF. Tomcat does.
>







RE: Inside WEB-INF or outside WEB-INF? Struts security.

2002-04-19 Thread Leonardo Maciel

Maybe because they are just samples.

-Original Message-
From: Micael Padraig Og mac Grene [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 18, 2002 6:21 PM
To: [EMAIL PROTECTED]
Subject: Inside WEB-INF or outside WEB-INF? Struts security.


Most sample apps have the jsp pages and images outside the 
WEB-INF.  Why?  Isn't it more secure inside?







RE: Inside WEB-INF or outside WEB-INF? Struts security.

2002-04-19 Thread Galbreath, Mark

All web containers MUST support files inside WEB-INF by specification.  As
for JSP files, some containers, like Tomcat, consider them controller
component Java classes (servlets) and places them in the WEB-INF/class
directory by default.  Others, like JRun, consider JSPs view components
(they are, if used "correctly") and place them in a "jsp" directory outside
WEB-INF.

The point is, JSPs should never have executable Java scriptlets in them.
Programmatic functionality should consist solely of tags, which hide the
implementation inside WEB-INF.

Mark

-Original Message-
From: Victor Hadianto [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 19, 2002 3:18 AM

On Fri, 19 Apr 2002 08:20, you wrote:
> Most sample apps have the jsp pages and images outside the
> WEB-INF.  Why?  Isn't it more secure inside?

Not all web containers support files inside the WEB-INF. Tomcat does.





Re: Inside WEB-INF or outside WEB-INF? Struts security.

2002-04-19 Thread Victor Hadianto

On Fri, 19 Apr 2002 08:20, you wrote:
> Most sample apps have the jsp pages and images outside the
> WEB-INF.  Why?  Isn't it more secure inside?

Not all web containers support files inside the WEB-INF. Tomcat does.

-- 
Victor Hadianto
---
Blore's Razor: Given a choice between two theories, take the one which is 
funnier.





Inside WEB-INF or outside WEB-INF? Struts security.

2002-04-18 Thread Micael Padraig Og mac Grene

Most sample apps have the jsp pages and images outside the 
WEB-INF.  Why?  Isn't it more secure inside?







RE: struts security

2002-04-15 Thread Phase Web and Multimedia

Greetings,

I am nearing the completion of the code and it should be on sourceforge in
the next day or two. I will be following it up with documentation and
examples over the next week.

FYI - I am finishing up an overhaul on the code so that it fits into the
container managed security and yet provides the necessary flexibility that
many of us need (i.e multiple login pages, prelogin capabilities, and
maintained logins).

I have accomplished this by creating a plugin of sorts. This plugin uses two
mechanisms a Filter Class and a Servlet Class. I have named the Servlet
Class "Security Controller Servlet" because it handles the validation
against the container managed security by receiving the form calls and
preparing the container to validate. The filter works to identify protected
urls which are specified in the security.xml file.

Set up should be pretty easy:

Within your web.xml you set up a "bogus" security-constraint that uses the
"Security Controller Servlet" as its error page and login page. Also, the
"SCS"(Security Controller Servlet) is set as the 403 error page (forbidden
error).

You also set up the SecurityInit class to initialize upon app start in the
web.xml.

Also set up is a security.xml file that defines various Security Constraints
that map to different login pages. So that if someone requests
www.mydomain.com/shopping/ it takes them to the shopping login page versus
if someone requests www.mydomain.com/admin/ it would take them to the admin
login page. Another convenience is that you can log in from any page you
want to. You don't have to hit a secure url first. You can have a login/pass
on your homepage or even an auto login that uses cookies.

When you start your app up the security.xml file is read into an Application
scope bean that provides the info for the URL Filter class to screen
protected URLS.

The nice thing about this is that all of the programmatic methods are
available to do container based role checking.

This is good because many api's like "tiles" and "struts menu" are looking
to take advantage of these methods more and more.

I have not tested this code on other containers. It uses RequestDispatcher
and response.sendRedirect() classes and methods in concert with a Filter. So,
behavior may be different on various containers. I am testing it now on
Tomcat 4.0.3. A Servlet 2.3 container is necessary. Other dependencies are
commons-digester from Jakarta.

This security is not struts specific. But, is developed to fit into a struts
app.

Anyhow, I'm working hard to get this up and I hope it suits many people's
needs. I am sure there are many other features that we could add to it. I
have been working in a vacuum on this so when it is released things may
need to change. I look forward to hearing back from you.

Thanks,
Brandon Goodin
Phase Web and Multimedia
P (406) 862-2245
F (406) 862-0354
[EMAIL PROTECTED]
http://www.phase.ws


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 15, 2002 4:49 PM
To: [EMAIL PROTECTED]
Subject: struts security


Good evening Brandon,

I read of your work on the archives and I would like to check out your
solution.  I've been looking for a clear cut security solution but have not
found one yet.  Please
let me know when I can get a hold of your code and any examples you may
have.

Thanks much.








RE: struts & security

2002-01-17 Thread Martin Farrell

Hi

I tend to use the container based log in structure, the only problem is that
I slightly remove myself from the MVC setup in Struts because I relay it
to a servlet to get the user details. An alternative I'm looking at is
Expresso's access control which offers both group and user levels

martin

-Original Message-
From: Domen, Ken [mailto:[EMAIL PROTECTED]]
Sent: 17 January 2002 15:26
To: '[EMAIL PROTECTED]'
Subject: struts & security


In general, do people mostly use the webtier & ejb security
provided by J2EE?  Or is there another layer of security that
struts provides?

thanks.
ken





** For great Emap magazine subscription & gift offers visit 
http://www.emapmagazines.co.uk **


The information in this email is intended only for the addressee(s) named above.
Access to this email by anyone else is unauthorised.
If you are not the intended recipient of this message any disclosure, copying, 
distribution or any action taken in reliance on it is prohibited and may be unlawful. 

Emap plc and or its subsidiaries do not warrant that any attachments are free from 
viruses or other defects and accept no liability for any losses resulting from 
infected email transmissions.

Please note that any views expressed in this email may be those of the originator 
and do not necessarily reflect those of this organisation.







struts & security

2002-01-17 Thread Domen, Ken

In general, do people mostly use the webtier & ejb security
provided by J2EE?  Or is there another layer of security that
struts provides?

thanks.
ken







Re: Struts Security part of Struts 1.1

2001-09-06 Thread Ted Husted

To make that decision, we need a few people like yourself to implement
the code, and bring back their feedback. 

Any developer who feels strongly about adding existing code can bring it
up for a vote on the Dev list. If at least three of the Committers
agree (vote +1), then those Committers take responsibility for adding it
to the nightly build. In general, people should only vote on a piece of
code when they have tried it for themselves.

-- Ted Husted, Husted dot Com, Fairport NY USA.
-- Custom Software ~ Technical Services.
-- Tel +1 716 737-3463
-- http://www.husted.com/about/struts/


Matt Raible wrote:
> 
> I am getting ready to implement Nic Hobb's role-based Actions at
> http://husted.com/about/struts/struts-security.htm.
> 
> I'm wondering if this is going to be incorporated into Struts 1.1?  I have
> "plugged-in" the validator framework and feel that my app is still using a
> solid struts release because this validation framework is being implemented in
> the next version.
> 
> However, if I implement role-based Actions, I have to download the struts
> source, re-build it with these new classes, and now it seems I have a
> "different" version of struts.jar.
> 
> Thanks,
> 
> Matt
> 
> __
> Do You Yahoo!?
> Get email alerts & NEW webcam video instant messaging with Yahoo! Messenger
> http://im.yahoo.com



Struts Security part of Struts 1.1

2001-09-06 Thread Matt Raible

I am getting ready to implement Nic Hobb's role-based Actions at
http://husted.com/about/struts/struts-security.htm.

I'm wondering if this is going to be incorporated into Struts 1.1?  I have
"plugged-in" the validator framework and feel that my app is still using a
solid struts release because this validation framework is being implemented in
the next version.

However, if I implement role-based Actions, I have to download the struts
source, re-build it with these new classes, and now it seems I have a
"different" version of struts.jar.

Thanks, 

Matt
