> I think I must be missing something...  I don't see how a 
> user/hacker is going to gain access to the system if one
> is using security.  If you route each request through a
> security check (realm) then you should be able to determine
> if the current user has access to the requested page/action.
> 
> Am I missing something?

Not really.  Except that a lot of applications may implement
a finer level of security for which the realm check is
inconvenient.  For instance, I've got a query screen on an
inventory management app that allows a user to report on
transactions for inventory belonging to that user.  The
administrator can run the query for any user in the system.
I don't want two separate screens for this capability.

My solution: The form has an "Owner" field that is only
visible for administrative users.  The value is submitted
as an HTTP request parameter.  In order to prevent non-
administrative users from submitting this parameter, I
simply don't read its value from the HTTP request if the
user doesn't have that right.

When thinking about security, it's much more important to
think in terms of HTTP requests than Struts forms.  Assume
that the request can contain anything -- legal or not.

--
Curt Hagenlocher
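The pattern Curt describes, as an added illustration that is not code from the thread: the "Owner" parameter is read only when the user holds the administrative right, and otherwise the query is scoped to the caller regardless of what the request carries. `User`, `hasRight` and the parameter name `owner` are assumed stand-ins for the application's own objects.

```java
import java.util.*;

// Added example of the reply's approach: treat the request as untrusted,
// and never read the "owner" parameter unless the user may set it.
// User, hasRight and "owner" are assumed names, not the app's real ones.
public class OwnerScope {

    // Minimal stand-in for the application's user/principal object.
    static final class User {
        final String name;
        final Set<String> rights;
        User(String name, String... rights) {
            this.name = name;
            this.rights = new HashSet<>(Arrays.asList(rights));
        }
        boolean hasRight(String right) { return rights.contains(right); }
    }

    // Decide whose inventory the query may report on. The parameter map
    // mirrors ServletRequest.getParameterMap(): every key the client sent,
    // legal or not.
    static String resolveOwner(Map<String, String[]> params, User current) {
        if (!current.hasRight("admin")) {
            // Non-admins: the parameter is ignored entirely, not merely
            // validated, so a submitted value has nothing to influence.
            return current.name;
        }
        String[] owner = params.get("owner");
        if (owner == null || owner.length == 0 || owner[0].isBlank()) {
            return current.name;   // admin with no override queries as self
        }
        return owner[0];
    }

    public static void main(String[] args) {
        // Constructed request: a client sends owner=alice unprompted.
        Map<String, String[]> tampered = new HashMap<>();
        tampered.put("owner", new String[] {"alice"});

        User bob = new User("bob");              // ordinary user, no rights
        User root = new User("root", "admin");   // administrator

        System.out.println("bob sees:  " + resolveOwner(tampered, bob));
        System.out.println("root sees: " + resolveOwner(tampered, root));
    }
}
```

The same check belongs in the action that runs the query, not only in the JSP that hides the field, since the form is just one of many clients that can produce the request.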