A good way of removing the bucketloads :-} from your Action classes is to
subclass ActionServlet and implement processActionPerform to do the logon
check.

--
Martin Cooper


----- Original Message -----
From: "Jim Richards" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 30, 2001 11:08 PM
Subject: Re: Potential Security Flaw in Struts MVC


>
> >> In the case at hand, nothing stops your user from logging on (so your
> >> security checks won't catch anything) and then hand typing a URL with
> >> query string parameters that maliciously or accidentally try to change
> >> things in the system.  If the user is successful at doing this, it's shame
> >> on the app developer for listening to request parameters that you
> >> shouldn't.
>
> This is a good point. I'm finding my Actions and Forms have bucketloads
> (and that's the technical term for it) of
>
> User user;
> if ((user = (User) request.getSession().getAttribute("user")) == null)
> return mapping.getMapping("index");
>
> and on, and on and on. I'd like to try and find a good way to simplify this
> as best that I can. (This example is required if the session times out,
> other examples appear when a browser auto-fills in a URL and the
> user submits it without the form fields. etc. Very bad karma in that
> case.)
>
> >> Of course, you need to take other defensive measures as well (like using
> >> the transaction control support to avoid accidental or malicious resubmits
> >> of the same data).
>
> I've seen this in the example application, is there any documentation on
> using it (as best as possible).
>
> Thanks.
>
>
> --
> Kumera - a new Open Source Content Management System
> for small to medium web sites written in Perl and using XML
> http://www.cyber4.org/kumera/index.html


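Martin's suggestion above, worked into code as an added example (not from this thread or from the Struts project): an ActionServlet subclass that does the logon check once in processActionPerform, so the individual Actions and Forms no longer need it. The Struts 1.0 method signature, the "user" session key, the "index" forward and the list of public action paths are assumptions to be matched against your own struts-config.xml.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionServlet;

// Hypothetical ActionServlet subclass: the logon check runs once here, before
// any Action, instead of being repeated in every Action and ActionForm.
// Register it in web.xml in place of org.apache.struts.action.ActionServlet.
public class LogonCheckActionServlet extends ActionServlet {
    // Session attribute the app keeps its User under, and the forward to
    // send anonymous requests to (both assumed; match them to your app).
    private static final String USER_KEY = "user";
    private static final String LOGON_FORWARD = "index";

    // Action paths reachable without a session, otherwise nobody could ever
    // log on.  Assumed names; adjust to your struts-config.xml.
    private static final String[] PUBLIC_PATHS = { "/logon", "/index" };

    // Struts 1.0 signature (assumed; it moved to RequestProcessor in 1.1).
    protected ActionForward processActionPerform(Action action,
            ActionMapping mapping, ActionForm formInstance,
            HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        if (!isPublic(mapping.getPath()) && !isLoggedOn(request)) {
            // No session, or a session without a User (timed out, or a
            // browser replayed a bookmarked URL): the Action never runs.
            return mapping.findForward(LOGON_FORWARD);
        }
        return super.processActionPerform(action, mapping, formInstance,
                                          request, response);
    }

    private boolean isLoggedOn(HttpServletRequest request) {
        // getSession(false) avoids creating an empty session just to look.
        HttpSession session = request.getSession(false);
        return session != null && session.getAttribute(USER_KEY) != null;
    }

    private boolean isPublic(String path) {
        for (int i = 0; i < PUBLIC_PATHS.length; i++) {
            if (PUBLIC_PATHS[i].equals(path)) return true;
        }
        return false;
    }
}
```

Because the check runs before the Action is invoked, a request that arrives with query-string parameters but no logged-on session is forwarded away before any form bean is read.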