Since a user always has the chance to directly type into his/her browser the
URL of a JSP or action, you probably really need to check in both places.

We're trying to avoid this with a Filter that does not allow users to
directly request JSPs at all (i.e. all our links always go to actions and
those internally forward to JSPs after they're done). This way we only need
to check security in actions. (... just started using this approach; but it
seems to work out fine)

Btw., if all you want to check is that the user is logged in (no special
access control requirements) you can completely do that in a Filter, i.e.
you can get along without any checking in your JSPs and actions. I think
there have been a couple of discussions about how to use filters for this
in this mailing list, before.

Marcus

-----Original Message-----
From: Dennis Doubleday [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 18, 2002 9:18 AM
To: 'Struts Users Mailing List'
Subject: Struts example - redundant login checking?


In the example app distributed with Struts, it seems redundant to have
"<app:checkLogon/>" at the start of every jsp and ALSO to check for
login in every action class. Is that required, or just a
belt-and-suspenders intentional duplication?


--
To unsubscribe, e-mail:
<mailto:[EMAIL PROTECTED]>
For additional commands, e-mail:
<mailto:[EMAIL PROTECTED]>
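
The filter approach described in the reply above, as an added example that is not part of the original thread or of the Struts example app: one servlet Filter that refuses direct JSP requests and does the logged-in check. The class name, the session key `user` and the two logon paths are assumptions.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.*;
import javax.servlet.http.*;

// Map to /* in web.xml. Filters run on client requests by default, so the
// forward an action makes to its JSP is not intercepted.
public class AccessFilter implements Filter {
    // Assumed names, adjust to the application.
    private static final String USER_KEY = "user";   // session attribute set at logon
    private static final String[] PUBLIC = { "/logon.do", "/submitLogon.do" };

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path within the web app; drop path parameters like ";jsessionid=..."
        String path = request.getServletPath();
        if (request.getPathInfo() != null) path += request.getPathInfo();
        int semi = path.indexOf(';');
        if (semi >= 0) path = path.substring(0, semi);

        // 1. No direct JSP requests: every page is reached through an action.
        String lower = path.toLowerCase(Locale.ROOT);
        if (lower.endsWith(".jsp") || lower.endsWith(".jspx")) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // 2. Logged-in check for everything except the logon actions.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_KEY) != null;
        if (!loggedIn && !isPublic(path)) {
            response.sendRedirect(request.getContextPath() + PUBLIC[0]);
            return;
        }
        chain.doFilter(req, res);
    }

    private static boolean isPublic(String path) {
        for (String p : PUBLIC) if (p.equals(path)) return true;
        return false;
    }
}
```

Access control beyond "is logged in" (which user may do what) still has to be checked in the actions themselves.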
