Hi all,

I am presently in the process of refactoring an existing Struts application for a new client.

Because users will access the application following a redirect from the client's main web site, where the user will log in to access 'myAccount' information, my client is understandably reluctant to have a secondary login to the Struts application. This restriction prohibits me from using container managed security. As a consequence, I have to use application managed security.

At present, I am considering the following. The user is redirected from the main web site to the Struts app with:

http://<host>/StrutsApp/login.do?username=....

I propose that the redirect have (at least) the following parameters:

[EMAIL PROTECTED]
time=<long time in ms since midnight 1 January 1970>
validation=<hash value calculated from username and time>

I will know the time off the request, so I can reject any that are, say, more than 24 hours old. I will also be able to calculate the validation hash value (mechanism known only to me and the main web site server).

I would welcome any comments on the above - is it at least moderately secure?

Given that I can use the above (or a modification) to provide access to the Struts app, I can then associate individual users with access privileges and the customer accounts they are entitled to view - but this raises another issue: are there any generally accepted patterns for enforcing security? 'Customer' users should only be able to view accounts to which they have been granted access, but 'Admin' users should have rights to all accounts. Previously, using container managed security, I have been able to make use of the user 'role' to manage some aspects of security - but can I do this with application managed security?

Any advice, hints, tips would be most welcome.

David Bolsover
E: [EMAIL PROTECTED]
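The handoff described in the post, written out as an added example (not the poster's code): the main site signs `username` and `time` with a keyed HMAC under a shared secret, and the receiving app enforces the 24-hour window, rejects future timestamps, and compares the hash in constant time. The secret, base URL and clock-skew allowance are constructed sample values.

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qs, urlsplit

# Shared secret known only to the main site and the Struts app (constructed sample value).
SHARED_SECRET = b"example-shared-secret-rotate-me"
MAX_AGE_MS = 24 * 60 * 60 * 1000   # the 24-hour window from the post
CLOCK_SKEW_MS = 5 * 60 * 1000      # tolerate a sender clock slightly ahead of ours


def compute_validation(username: str, time_ms: int, secret: bytes = SHARED_SECRET) -> str:
    # A keyed MAC, not a plain hash: without the key, anyone who knows the
    # scheme could mint a valid 'validation' for any username. The newline
    # separator keeps "ab" + "1" distinct from "a" + "b1".
    msg = f"{username}\n{time_ms}".encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_redirect(base_url: str, username: str, now_ms: int) -> str:
    """Main-site side: produce the redirect URL with the three parameters."""
    params = {"username": username, "time": str(now_ms),
              "validation": compute_validation(username, now_ms)}
    return f"{base_url}?{urlencode(params)}"


def validate_redirect(url: str, now_ms: int, secret: bytes = SHARED_SECRET):
    """Struts-app side: return (True, username) or (False, reason)."""
    qs = parse_qs(urlsplit(url).query)
    try:
        username = qs["username"][0]
        time_ms = int(qs["time"][0])
        supplied = qs["validation"][0]
    except (KeyError, IndexError, ValueError):
        return False, "missing or malformed parameter"
    # Reject stale links, and also links stamped from the future.
    if time_ms > now_ms + CLOCK_SKEW_MS:
        return False, "timestamp in the future"
    if now_ms - time_ms > MAX_AGE_MS:
        return False, "link expired"
    expected = compute_validation(username, time_ms, secret)
    # Constant-time comparison; a plain == short-circuits on the first
    # differing byte and leaks timing information.
    if not hmac.compare_digest(expected, supplied):
        return False, "bad validation hash"
    return True, username
```

Within the window the same link remains replayable, so a shorter window, or a one-time nonce the app records as used, closes that gap.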