Problem with FormBean containing Lists of LabelValueBeans or something equivalent
Hi all, I have a problem mapping my form bean to a jsp that contains javascript to add html inputs dynamically. I already found out that i can use BeanUtils to add the input values to an ArrayList like this public void setProperty(int iIndex, String inputString) { this.propertyList.add(inputString); } The Problem is that there should be the chance to add whole groups of inputs dynamically. Inside these groups single inputs also should be reproducible. So i would have something like that in my DOM afterwards: input type=text name=teachtarget[0].name / textarea name=teachtarget[0].description rows=5 cols=10/textarea select name=teachtarget[0].priority optionhoch/option optionmittel/option optionniedrig/option /select input type=text name=teachtarget[0].abilities_0 / input type=text name=teachtarget[0].abilities_1 / input type=text name=teachtarget[0].abilities_2 / input type=text name=teachtarget[1].name //div textarea name=teachtarget[1].description rows=5 cols=10/textarea select name=teachtarget[1].priority optionhoch/option optionmittel/option optionniedrig/option /select input type=text name=teachtarget[1].abilities_0 / input type=text name=teachtarget[1].abilities_1 / input type=text name=teachtarget[1].abilities_2 / I thought about putting several LabelValueBeans or LazyDynaBeans to an ArrayList named teachtarget. When i use public void setTeachtarget(int index, LabelValueBean teachtargetProperty) { this.teachtarget.add(teachtargetProperty); } as the set method and than try to read the list, I always receive an empty list. I'm wondering if I'm on the right way, I don't have an idea if this should work or not. If someone has any other ideas to work with two dimensional arrays (or lists of LabelValueBeans) containing values of inputs that have been created by javascript I would really appreciate it... Thanks for help! Erik - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: problem in formbean
Is this value a long or int, or whatever numeric value, And u r trying to enter characters in it then validation fails ? Cuz if so the Struts won't be able to populate the long with the string value U entered and in this case it'll keep it's old numeric value. In case of validating numeric fields always make them Strings in the form, To be able to keep the updated value after the validation fails. -Original Message- From: notify@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of prkumar_1234 Sent: Thursday, November 30, 2006 5:46 AM To: struts-user@jakarta.apache.org Subject: problem in formbean I got some problem in struts can you please help me. 1) in jsp iam displaying values from javabean in textboxes.(i can change these values) 2) when i submit with modified values , iam doing validation in formbean. 3) When validatio fails i formbean returning to same jsp but it is displaying old values not modified values can you give me some hint how to do this. thank you verymuch - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: problem in formbean
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 prkumar, prkumar_1234 wrote: 1) in jsp iam displaying values from javabean in textboxes.(i can change these values) 2) when i submit with modified values , iam doing validation in formbean. 3) When validatio fails i formbean returning to same jsp but it is displaying old values not modified values I'm guessing that your action mapping looks something like this: action path=/edit type=... forward name=success path=/edit.jsp / /action action path=/save type=... name=... validate=true input=/edit.do forward name=success path=... /action Note that the 'input' attribute is set to edit.do, which will re-run your action and probably re-fetch the original values. You need to make sure that your input points to the edit.jsp page. If that's not the problem, then do you have code in your JSP that fetches the original values from somewhere (like a database)? Or, do you use actions for that kind of thing? Hope that helps, - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFbuOg9CaO5/Lv0PARAuBrAKCGsLR/OEPjH098CttCtlUqur/o5gCcDGkI Fc29gGupfpPFKvYAahhUIzc= =Gkpe -END PGP SIGNATURE- - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: problem in formbean
Hi Prem, At the time of landing the page, you are showing some values. That values are taken from DB. Once error coming you are redirecting to the same page. but with the error value. This is your problem right? this can be easily solved. you are showing the values taken from formbean. At the time of error, the new value (error value) would be stored in the formbean. so that error value has been shown to you. show the value from DB. your problem will be solved. sorry for my english prkumar_1234 [EMAIL PROTECTED] wrote: I got some problem in struts can you please help me. 1) in jsp iam displaying values from javabean in textboxes.(i can change these values) 2) when i submit with modified values , iam doing validation in formbean. 3) When validatio fails i formbean returning to same jsp but it is displaying old values not modified values can you give me some hint how to do this. thank you verymuch - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] BY Thamizharasu S - Everyone is raving about the all-new Yahoo! Mail beta.
problem in formbean
I got some problem in struts can you please help me. 1) in jsp iam displaying values from javabean in textboxes.(i can change these values) 2) when i submit with modified values , iam doing validation in formbean. 3) When validatio fails i formbean returning to same jsp but it is displaying old values not modified values can you give me some hint how to do this. thank you verymuch - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: problem in formbean
Hi, I help moderate messages on this list. You are not subscribed. I let this message through because it is not spam, but you need to subscribe before any more can come through. Thanks. On 11/29/06, prkumar_1234 [EMAIL PROTECTED] wrote: I got some problem in struts can you please help me. 1) in jsp iam displaying values from javabean in textboxes.(i can change these values) 2) when i submit with modified values , iam doing validation in formbean. 3) When validatio fails i formbean returning to same jsp but it is displaying old values not modified values can you give me some hint how to do this. thank you verymuch - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- James Mitchell 678.910.8017
RE: Problem with Formbean validate method forwarding to input pag e
Excellent idea Ray. I just need to set the validate param in the web.xml for the action servlet to false. Then I am good. Thanks Ray, sometimes you just can't see the simple solutions when they are right in front of you. -Original Message- From: Ray Madigan [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 07, 2004 5:39 PM To: Struts Users Mailing List; [EMAIL PROTECTED] Subject: RE: Problem with Formbean validate method forwarding to input pag e Why don't you tell your action not to validate, and call validate yourself in your action. Seems like you will have all of the control you need. -Original Message- From: Paul Barry [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 07, 2004 3:18 PM To: Struts Users Mailing List Subject: Re: Problem with Formbean validate method forwarding to input pag e The form bean is populated by the RequestProcessor, but you can put your logic to validate the session where ever you want. The easiest way to understand it is to just look at the source code for org.apache.struts.action.RequestProcessor. It has a number of processXXX methods, one being processPreprocess. You might want to put your session validation there, which does it before the bean is instatiated, populated and validated and before processActionPerform is called. Todd Bryant wrote: Interesting. I have never looked at the request processor before. The main question I have is - is the formbean populated BEFORE the request processor runs or after? If the form bean is populated before the method you mention, then the request process will still be circumvented by the formbean. -Original Message- From: Paul Barry [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 07, 2004 4:47 PM To: Struts Users Mailing List Subject: Re: Problem with Formbean validate method forwarding to input page Maybe you should be handling your security in the request processor. Have a method like this: protected ActionForward processActionPerform( HttpServletRequest request, HttpServletResponse response, Action action, ActionForm form, ActionMapping mapping) throws IOException, ServletException { try { validSession(request); return (action.execute(mapping, form, request, response)); } catch (SecurityException e) { return (processException(request, response,e, form, mapping)); } } Where validateSession throws a SecurityException if the user is not logged in and processException knows where to send the user to log in. There are different ways to do it, but the basic principle is to authenticate the user's session before the Action executes, so you don't have to worry about that in the Action. Todd Bryant wrote: That is a good suggestion, and I had thought of that, but the problem is that a user would have to go from the error page back to the page they were on. This would make it prohibitively difficult to interact with this particular app (too many clicks). -Original Message- From: Paul Barry [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 07, 2004 4:07 PM To: Struts Users Mailing List Subject: Re: Problem with Formbean validate method forwarding to input page Make your input action an error page, which just has the error and no sensitive data and make a success forward that you only send the user to if everything checks out. Todd Bryant wrote: I have need for every page in my web app to be secure. What I originally did was extend the Action class to make a secure action class. The SecureAction's perform method validates that the user is logged in and if not, sends them to the login page. All actions in my app extend SecureAction. To protect my jsp's, I put them in a subfolder of WEB-INF, WEB-INF/jsp. This way a user cannot directly access any jsp. They can only be accessed through a forward in an action. This completely secures all resources in my application. This is where I run into a problem. If I use the validate() method of the formbean and it returns a non-empty ActionErrors object, then the request is diverted to resource that is set as the input, in this case a jsp. Because of this, if a user were to put in some bogus field values in the url, she would be able to cause the formbean to no validate and get the jsp to display, bypassing the secure action. I can secure each jsp, but this is redundant if I have them in the WEB-INF folder in the first place. I would rather avoid this fix. I know that overriding the default action class is a common way to secure your app as I have read about it more than one place, however, I have never seen this problem addressed. Has anyone else ran across this problem before and come up with a solution? Thanks in advance. Todd Bryant Programmer/Analyst University of Nebraska Foundation 402-472-0107 - To unsubscribe
Problem with Formbean validate method forwarding to input page
I have need for every page in my web app to be secure. What I originally did was extend the Action class to make a secure action class. The SecureAction's perform method validates that the user is logged in and if not, sends them to the login page. All actions in my app extend SecureAction. To protect my jsp's, I put them in a subfolder of WEB-INF, WEB-INF/jsp. This way a user cannot directly access any jsp. They can only be accessed through a forward in an action. This completely secures all resources in my application. This is where I run into a problem. If I use the validate() method of the formbean and it returns a non-empty ActionErrors object, then the request is diverted to resource that is set as the input, in this case a jsp. Because of this, if a user were to put in some bogus field values in the url, she would be able to cause the formbean to no validate and get the jsp to display, bypassing the secure action. I can secure each jsp, but this is redundant if I have them in the WEB-INF folder in the first place. I would rather avoid this fix. I know that overriding the default action class is a common way to secure your app as I have read about it more than one place, however, I have never seen this problem addressed. Has anyone else ran across this problem before and come up with a solution? Thanks in advance. Todd Bryant Programmer/Analyst University of Nebraska Foundation 402-472-0107
Re: Problem with Formbean validate method forwarding to input page
If you are using struts, why go back to a .jsp page? You should be going back to a .do page. Since the .do is a struts action it will be able to get to your jsp page. Todd Bryant [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] I have need for every page in my web app to be secure. What I originally did was extend the Action class to make a secure action class. The SecureAction's perform method validates that the user is logged in and if not, sends them to the login page. All actions in my app extend SecureAction. To protect my jsp's, I put them in a subfolder of WEB-INF, WEB-INF/jsp. This way a user cannot directly access any jsp. They can only be accessed through a forward in an action. This completely secures all resources in my application. This is where I run into a problem. If I use the validate() method of the formbean and it returns a non-empty ActionErrors object, then the request is diverted to resource that is set as the input, in this case a jsp. Because of this, if a user were to put in some bogus field values in the url, she would be able to cause the formbean to no validate and get the jsp to display, bypassing the secure action. I can secure each jsp, but this is redundant if I have them in the WEB-INF folder in the first place. I would rather avoid this fix. I know that overriding the default action class is a common way to secure your app as I have read about it more than one place, however, I have never seen this problem addressed. Has anyone else ran across this problem before and come up with a solution? Thanks in advance. Todd Bryant Programmer/Analyst University of Nebraska Foundation 402-472-0107 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Problem with Formbean validate method forwarding to input page
Make your input action an error page, which just has the error and no sensitive data and make a success forward that you only send the user to if everything checks out. Todd Bryant wrote: I have need for every page in my web app to be secure. What I originally did was extend the Action class to make a secure action class. The SecureAction's perform method validates that the user is logged in and if not, sends them to the login page. All actions in my app extend SecureAction. To protect my jsp's, I put them in a subfolder of WEB-INF, WEB-INF/jsp. This way a user cannot directly access any jsp. They can only be accessed through a forward in an action. This completely secures all resources in my application. This is where I run into a problem. If I use the validate() method of the formbean and it returns a non-empty ActionErrors object, then the request is diverted to resource that is set as the input, in this case a jsp. Because of this, if a user were to put in some bogus field values in the url, she would be able to cause the formbean to no validate and get the jsp to display, bypassing the secure action. I can secure each jsp, but this is redundant if I have them in the WEB-INF folder in the first place. I would rather avoid this fix. I know that overriding the default action class is a common way to secure your app as I have read about it more than one place, however, I have never seen this problem addressed. Has anyone else ran across this problem before and come up with a solution? Thanks in advance. Todd Bryant Programmer/Analyst University of Nebraska Foundation 402-472-0107 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Problem with Formbean validate method forwarding to input pag e
That is a good question. The problem is the way struts processes requests. The first thing struts does when receiving a request to an action is to fill in the formbean associated with the action. Then it runs the validate() method of the formbean. If the method returns a non-empty ActionErrors object, the request is forwarded to whatever is set as the input in the struts config. If I set the input to the action, it will request that action again, causing an infinite loop (requests to actions fill in the form bean first, validate runs, send back to action, repeat). Thinking just now, I would have to have an action for every jsp in my application (A forwarding action if you will). This action would do nothing but authenticate a user and then forward to the jsp. Then the jsp would submit to a 'business' action that forwards back to the same jsp again (this jsp has a form for user data AND displays info). I could set the input of the formbean to the forwarding action. This would auth a user, but would not cause a loop because the formbean would only be associated with the business bean. This plan sounds doable. I hope I made sense to anyone reading. If someone else has any suggestions I would appreciate them. -Original Message- From: Tin Pham [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 07, 2004 3:38 PM To: [EMAIL PROTECTED] Subject: Re: Problem with Formbean validate method forwarding to input page If you are using struts, why go back to a .jsp page? You should be going back to a .do page. Since the .do is a struts action it will be able to get to your jsp page. Todd Bryant [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] du... I have need for every page in my web app to be secure. What I originally did was extend the Action class to make a secure action class. The SecureAction's perform method validates that the user is logged in and if not, sends them to the login page. All actions in my app extend SecureAction. To protect my jsp's, I put them in a subfolder of WEB-INF, WEB-INF/jsp. This way a user cannot directly access any jsp. They can only be accessed through a forward in an action. This completely secures all resources in my application. This is where I run into a problem. If I use the validate() method of the formbean and it returns a non-empty ActionErrors object, then the request is diverted to resource that is set as the input, in this case a jsp. Because of this, if a user were to put in some bogus field values in the url, she would be able to cause the formbean to no validate and get the jsp to display, bypassing the secure action. I can secure each jsp, but this is redundant if I have them in the WEB-INF folder in the first place. I would rather avoid this fix. I know that overriding the default action class is a common way to secure your app as I have read about it more than one place, however, I have never seen this problem addressed. Has anyone else ran across this problem before and come up with a solution? Thanks in advance. Todd Bryant Programmer/Analyst University of Nebraska Foundation 402-472-0107 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Problem with Formbean validate method forwarding to input pag e
That is a good suggestion, and I had thought of that, but the problem is that a user would have to go from the error page back to the page they were on. This would make it prohibitively difficult to interact with this particular app (too many clicks). -Original Message- From: Paul Barry [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 07, 2004 4:07 PM To: Struts Users Mailing List Subject: Re: Problem with Formbean validate method forwarding to input page Make your input action an error page, which just has the error and no sensitive data and make a success forward that you only send the user to if everything checks out. Todd Bryant wrote: I have need for every page in my web app to be secure. What I originally did was extend the Action class to make a secure action class. The SecureAction's perform method validates that the user is logged in and if not, sends them to the login page. All actions in my app extend SecureAction. To protect my jsp's, I put them in a subfolder of WEB-INF, WEB-INF/jsp. This way a user cannot directly access any jsp. They can only be accessed through a forward in an action. This completely secures all resources in my application. This is where I run into a problem. If I use the validate() method of the formbean and it returns a non-empty ActionErrors object, then the request is diverted to resource that is set as the input, in this case a jsp. Because of this, if a user were to put in some bogus field values in the url, she would be able to cause the formbean to no validate and get the jsp to display, bypassing the secure action. I can secure each jsp, but this is redundant if I have them in the WEB-INF folder in the first place. I would rather avoid this fix. I know that overriding the default action class is a common way to secure your app as I have read about it more than one place, however, I have never seen this problem addressed. Has anyone else ran across this problem before and come up with a solution? Thanks in advance. Todd Bryant Programmer/Analyst University of Nebraska Foundation 402-472-0107 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Problem with Formbean validate method forwarding to input page
Maybe you should be handling your security in the request processor. Have a method like this: protected ActionForward processActionPerform( HttpServletRequest request, HttpServletResponse response, Action action, ActionForm form, ActionMapping mapping) throws IOException, ServletException { try { validSession(request); return (action.execute(mapping, form, request, response)); } catch (SecurityException e) { return (processException(request, response,e, form, mapping)); } } Where validateSession throws a SecurityException if the user is not logged in and processException knows where to send the user to log in. There are different ways to do it, but the basic principle is to authenticate the user's session before the Action executes, so you don't have to worry about that in the Action. Todd Bryant wrote: That is a good suggestion, and I had thought of that, but the problem is that a user would have to go from the error page back to the page they were on. This would make it prohibitively difficult to interact with this particular app (too many clicks). -Original Message- From: Paul Barry [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 07, 2004 4:07 PM To: Struts Users Mailing List Subject: Re: Problem with Formbean validate method forwarding to input page Make your input action an error page, which just has the error and no sensitive data and make a success forward that you only send the user to if everything checks out. Todd Bryant wrote: I have need for every page in my web app to be secure. What I originally did was extend the Action class to make a secure action class. The SecureAction's perform method validates that the user is logged in and if not, sends them to the login page. All actions in my app extend SecureAction. To protect my jsp's, I put them in a subfolder of WEB-INF, WEB-INF/jsp. This way a user cannot directly access any jsp. They can only be accessed through a forward in an action. This completely secures all resources in my application. This is where I run into a problem. If I use the validate() method of the formbean and it returns a non-empty ActionErrors object, then the request is diverted to resource that is set as the input, in this case a jsp. Because of this, if a user were to put in some bogus field values in the url, she would be able to cause the formbean to no validate and get the jsp to display, bypassing the secure action. I can secure each jsp, but this is redundant if I have them in the WEB-INF folder in the first place. I would rather avoid this fix. I know that overriding the default action class is a common way to secure your app as I have read about it more than one place, however, I have never seen this problem addressed. Has anyone else ran across this problem before and come up with a solution? Thanks in advance. Todd Bryant Programmer/Analyst University of Nebraska Foundation 402-472-0107 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Problem with Formbean validate method forwarding to input pag e
Interesting. I have never looked at the request processor before. The main question I have is - is the formbean populated BEFORE the request processor runs or after? If the form bean is populated before the method you mention, then the request process will still be circumvented by the formbean. -Original Message- From: Paul Barry [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 07, 2004 4:47 PM To: Struts Users Mailing List Subject: Re: Problem with Formbean validate method forwarding to input page Maybe you should be handling your security in the request processor. Have a method like this: protected ActionForward processActionPerform( HttpServletRequest request, HttpServletResponse response, Action action, ActionForm form, ActionMapping mapping) throws IOException, ServletException { try { validSession(request); return (action.execute(mapping, form, request, response)); } catch (SecurityException e) { return (processException(request, response,e, form, mapping)); } } Where validateSession throws a SecurityException if the user is not logged in and processException knows where to send the user to log in. There are different ways to do it, but the basic principle is to authenticate the user's session before the Action executes, so you don't have to worry about that in the Action. Todd Bryant wrote: That is a good suggestion, and I had thought of that, but the problem is that a user would have to go from the error page back to the page they were on. This would make it prohibitively difficult to interact with this particular app (too many clicks). -Original Message- From: Paul Barry [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 07, 2004 4:07 PM To: Struts Users Mailing List Subject: Re: Problem with Formbean validate method forwarding to input page Make your input action an error page, which just has the error and no sensitive data and make a success forward that you only send the user to if everything checks out. Todd Bryant wrote: I have need for every page in my web app to be secure. What I originally did was extend the Action class to make a secure action class. The SecureAction's perform method validates that the user is logged in and if not, sends them to the login page. All actions in my app extend SecureAction. To protect my jsp's, I put them in a subfolder of WEB-INF, WEB-INF/jsp. This way a user cannot directly access any jsp. They can only be accessed through a forward in an action. This completely secures all resources in my application. This is where I run into a problem. If I use the validate() method of the formbean and it returns a non-empty ActionErrors object, then the request is diverted to resource that is set as the input, in this case a jsp. Because of this, if a user were to put in some bogus field values in the url, she would be able to cause the formbean to no validate and get the jsp to display, bypassing the secure action. I can secure each jsp, but this is redundant if I have them in the WEB-INF folder in the first place. I would rather avoid this fix. I know that overriding the default action class is a common way to secure your app as I have read about it more than one place, however, I have never seen this problem addressed. Has anyone else ran across this problem before and come up with a solution? Thanks in advance. Todd Bryant Programmer/Analyst University of Nebraska Foundation 402-472-0107 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Problem with Formbean validate method forwarding to input pag e
Why don't you tell your action not to validate, and call validate yourself in your action. Seems like you will have all of the control you need. -Original Message- From: Paul Barry [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 07, 2004 3:18 PM To: Struts Users Mailing List Subject: Re: Problem with Formbean validate method forwarding to input pag e The form bean is populated by the RequestProcessor, but you can put your logic to validate the session where ever you want. The easiest way to understand it is to just look at the source code for org.apache.struts.action.RequestProcessor. It has a number of processXXX methods, one being processPreprocess. You might want to put your session validation there, which does it before the bean is instatiated, populated and validated and before processActionPerform is called. Todd Bryant wrote: Interesting. I have never looked at the request processor before. The main question I have is - is the formbean populated BEFORE the request processor runs or after? If the form bean is populated before the method you mention, then the request process will still be circumvented by the formbean. -Original Message- From: Paul Barry [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 07, 2004 4:47 PM To: Struts Users Mailing List Subject: Re: Problem with Formbean validate method forwarding to input page Maybe you should be handling your security in the request processor. Have a method like this: protected ActionForward processActionPerform( HttpServletRequest request, HttpServletResponse response, Action action, ActionForm form, ActionMapping mapping) throws IOException, ServletException { try { validSession(request); return (action.execute(mapping, form, request, response)); } catch (SecurityException e) { return (processException(request, response,e, form, mapping)); } } Where validateSession throws a SecurityException if the user is not logged in and processException knows where to send the user to log in. There are different ways to do it, but the basic principle is to authenticate the user's session before the Action executes, so you don't have to worry about that in the Action. Todd Bryant wrote: That is a good suggestion, and I had thought of that, but the problem is that a user would have to go from the error page back to the page they were on. This would make it prohibitively difficult to interact with this particular app (too many clicks). -Original Message- From: Paul Barry [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 07, 2004 4:07 PM To: Struts Users Mailing List Subject: Re: Problem with Formbean validate method forwarding to input page Make your input action an error page, which just has the error and no sensitive data and make a success forward that you only send the user to if everything checks out. Todd Bryant wrote: I have need for every page in my web app to be secure. What I originally did was extend the Action class to make a secure action class. The SecureAction's perform method validates that the user is logged in and if not, sends them to the login page. All actions in my app extend SecureAction. To protect my jsp's, I put them in a subfolder of WEB-INF, WEB-INF/jsp. This way a user cannot directly access any jsp. They can only be accessed through a forward in an action. This completely secures all resources in my application. This is where I run into a problem. If I use the validate() method of the formbean and it returns a non-empty ActionErrors object, then the request is diverted to resource that is set as the input, in this case a jsp. Because of this, if a user were to put in some bogus field values in the url, she would be able to cause the formbean to no validate and get the jsp to display, bypassing the secure action. I can secure each jsp, but this is redundant if I have them in the WEB-INF folder in the first place. I would rather avoid this fix. I know that overriding the default action class is a common way to secure your app as I have read about it more than one place, however, I have never seen this problem addressed. Has anyone else ran across this problem before and come up with a solution? Thanks in advance. Todd Bryant Programmer/Analyst University of Nebraska Foundation 402-472-0107 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED