Struts example - redundant login checking?

2002-04-18 Thread Dennis Doubleday

In the example app distributed with Struts, it seems redundant to have
<app:checkLogon/> at the start of every jsp and ALSO to check for
login in every action class. Is that required, or just a
belt-and-suspenders intentional duplication?


--
To unsubscribe, e-mail:   mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]




RE: Struts example - redundant login checking?

2002-04-18 Thread Wittke Marcus-r32643

Since a user always has the chance to directly type into his/her browser the
URL of JSP or action, you probably really need to check in both places.

We're trying to avoid this with a Filter that does not allow users to
directly request JSPs at all (i.e. all our links always go to actions and
those internally forward to JSPs after they're done). This way we only need
to check security in actions. (... just started using this approach; but it
seems to work out fine)

Btw., if all you want to check is that the user is logged in (no special
access control requirements) you can do that completely in a Filter, i.e.
you can get along without any checking in your JSPs and actions. I think
there have been a couple of discussions about how to use filters for this
on this mailing list before.

Marcus

-Original Message-
From: Dennis Doubleday [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 18, 2002 9:18 AM
To: 'Struts Users Mailing List'
Subject: Struts example - redundant login checking?


In the example app distributed with Struts, it seems redundant to have
<app:checkLogon/> at the start of every jsp and ALSO to check for
login in every action class. Is that required, or just a
belt-and-suspenders intentional duplication?






Struts declarative security policy? (was RE: Struts example - redundant login checking?)

2002-04-18 Thread Dennis Doubleday

Seems to me that neither the jsp nor the action is the correct place to
enforce a security policy. It means both page designers and developers
have to remember to do it every time.

There ought to be (is there?) a mechanism for declaring a security
policy which can be referenced in struts-config.xml; i.e. access control
is just another property of an action mapping.

 -Original Message-
 From: Wittke Marcus-r32643 [mailto:[EMAIL PROTECTED]] 
 Sent: Thursday, April 18, 2002 10:44 AM
 To: 'Struts Users Mailing List'
 Subject: RE: Struts example - redundant login checking?
 
 
 Since a user always has the chance to directly type into 
 his/her browser the URL of JSP or action, you probably really 
 need to check in both places.
 
 We're trying to avoid this with a Filter that does not allow 
 users to directly request JSPs at all (i.e. all our links 
 always go to actions and those internally forward to JSPs 
 after they're done). This way we only need to check security 
 in actions. (... just started using this approach; but it 
 seems to work out fine)






Re: Struts example - redundant login checking?

2002-04-18 Thread rob

Wittke Marcus-r32643 wrote:
 Since a user always has the chance to directly type into his/her browser the
 URL of JSP or action, you probably really need to check in both places.

This is one of the motivations behind putting all of your .jsp pages
above the WEB-INF directory.  The servlet container does not allow
requests to paths that are /context/WEB-INF/pages/foo.jsp.  It does
however allow forwarding to pages above WEB-INF thereby enforcing the
rule of all requests going through the ActionServlet (controller) and
having the login checked prior to getting access to the page.

It's not difficult to do and it increases the security of the
application.

Rob

 
 We're trying to avoid this with a Filter that does not allow users to
 directly request JSPs at all (i.e. all our links always go to actions and
 those internally forward to JSPs after they're done). This way we only need
 to check security in actions. (... just started using this approach; but it
 seems to work out fine)
 
 Btw., if all you want to check is that the user is logged in (no special
 access control requirements) you can completely do that in a Filter, i.e.
 you can get along without any checking in your JSPs and actions. I think
 there have been a couple of discussions about how to user filters for this
 in this mailing list, before.
 
 Marcus
 
 -Original Message-
 From: Dennis Doubleday [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, April 18, 2002 9:18 AM
 To: 'Struts Users Mailing List'
 Subject: Struts example - redundant login checking?
 
 
 In the example app distributed with Struts, it seems redundant to have
 <app:checkLogon/> at the start of every jsp and ALSO to check for
 login in every action class. Is that required, or just a
 belt-and-suspenders intentional duplication?
 
 
 
 




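The Filter Marcus describes (all links go to actions, no direct JSP requests, logon checked once) and Rob's point that a forward still works where a direct request is refused can be put together in one servlet Filter. The following is an added example written for this page; it is not code from the Struts distribution or from anyone on the thread. The session attribute name "user", the logon action path "/logon.do" and the class name are assumptions.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not code from the Struts distribution or from this thread.
 * Enforces two rules in one place:
 *   1. a browser may never request a JSP directly; a JSP is reached only via
 *      RequestDispatcher.forward() from an action, and
 *   2. every other request must belong to a logged-in session, except the
 *      logon action itself.
 * The attribute name "user" and the path "/logon.do" are assumptions.
 */
public class LogonFilter implements Filter {

    private static final String USER_KEY = "user";        // assumed: set by the logon action
    private static final String LOGON_PATH = "/logon.do"; // assumed: the logon action mapping

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String path = contextRelativePath(request);

        // Rule 1: no direct JSP requests. A filter runs on the client request, not
        // on RequestDispatcher.forward(), so an action forwarding to foo.jsp is
        // unaffected; only a URL typed into the browser is caught. Answer 404
        // rather than 403 so the existence of the page is not confirmed.
        if (isJspPath(path)) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // Rule 2: everything except the logon action needs a logged-in session.
        // getSession(false) avoids creating a session for anonymous requests.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_KEY) != null;
        if (!loggedIn && !path.equals(LOGON_PATH)) {
            response.sendRedirect(request.getContextPath() + LOGON_PATH);
            return;
        }

        chain.doFilter(req, res);
    }

    /** Path below the context root, e.g. "/admin/edit.do" or "/pages/foo.jsp". */
    static String contextRelativePath(HttpServletRequest request) {
        // getServletPath() and getPathInfo() are returned URL-decoded by the
        // container, so "foo%2Ejsp" arrives here as "foo.jsp".
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        return path;
    }

    /** Case-insensitive match so "Foo.JSP" is caught as well as "foo.jsp". */
    static boolean isJspPath(String path) {
        String lower = path.toLowerCase();
        return lower.endsWith(".jsp") || lower.endsWith(".jspx");
    }
}
```

Map it in web.xml with a filter-mapping whose url-pattern is /* so that it sees every client request; static resources (images, stylesheets) then pass through the logon check as well and have to be excluded by path if they must stay public. With the JSPs placed under /WEB-INF as Rob suggests, rule 1 is only a backstop for any JSP left outside; the container already refuses those requests itself. The filter establishes authentication only: deciding which logged-in user may run which action still needs either the container's declarative constraints or a check in the action.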




RE: Struts declarative security policy? (was RE: Struts example - redundant login checking?)

2002-04-18 Thread Oliver Refle

If you have an application server, then you
have the possibility to define security per URL.
So, for example, you can define for
$ROOT/role1
and everything under this directory the security for a
special role in web.xml. So you don't need to check on
every page; this is now handled by the app server.



-Original Message-
From: Dennis Doubleday [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 18, 2002 4:56 PM
To: 'Struts Users Mailing List'
Subject: Struts declarative security policy? (was RE: Struts example -
redundant login checking?)


Seems to me that neither the jsp nor the action is the correct place to
enforce a security policy. It means both page designers and developers
have to remember to do it every time.

There ought to be (is there?) a mechanism for declaring a security
policy which can be referenced in struts-config.xml; i.e. access control
is just another property of an action mapping.

 -Original Message-
 From: Wittke Marcus-r32643 [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, April 18, 2002 10:44 AM
 To: 'Struts Users Mailing List'
 Subject: RE: Struts example - redundant login checking?


 Since a user always has the chance to directly type into
 his/her browser the URL of JSP or action, you probably really
 need to check in both places.

 We're trying to avoid this with a Filter that does not allow
 users to directly request JSPs at all (i.e. all our links
 always go to actions and those internally forward to JSPs
 after they're done). This way we only need to check security
 in actions. (... just started using this approach; but it
 seems to work out fine)


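What Oliver sketches is a security-constraint in WEB-INF/web.xml. The fragment below is an added example for this page, not taken from the thread or from the Struts distribution; the pattern /role1/* and the role name role1 follow his description, while the logon page names are assumptions. It shows a weak constraint beside the corrected one, since the common mistake is to list HTTP methods.

```xml
<!-- Added example, not from the thread or the Struts distribution.
     Fragment of WEB-INF/web.xml. Only ONE of the two constraints below
     belongs in a real descriptor; the weak one is shown for contrast. -->

<!-- WEAK: naming methods constrains only those methods. A request for
     /role1/edit.do sent with HEAD, PUT or an arbitrary verb matches no
     constraint and reaches the application with no authentication at all. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>role1 area (weak)</web-resource-name>
    <url-pattern>/role1/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>role1</role-name>
  </auth-constraint>
</security-constraint>

<!-- CORRECTED: no http-method element, so every method on /role1/* is
     constrained; the transport guarantee forces HTTPS for the whole area. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>role1 area</web-resource-name>
    <url-pattern>/role1/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>role1</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- The container shows this form itself; /logon.jsp and /logon-error.jsp
     are assumed names. -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Struts example</realm-name>
  <form-login-config>
    <form-login-page>/logon.jsp</form-login-page>
    <form-error-page>/logon-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- Every role named in an auth-constraint must be declared. -->
<security-role>
  <role-name>role1</role-name>
</security-role>
```

Two things to keep in mind. The container matches constraints against the client's request URL only, so a forward from an action to a JSP under /WEB-INF is never re-checked (which is what makes Rob's layout work), and conversely any entry point outside the constrained patterns is wide open: the patterns have to cover every action and every directly reachable page before the checkLogon tag and the per-action check can be dropped. For Dennis's wish to make access control a property of the action mapping, Struts 1.1 later added a roles attribute on the action element, checked by the request processor with request.isUserInRole(); that check relies on exactly the roles the container establishes through a login-config like the one above.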