How about using container managed security with tomcat's realms? It works great for me.
Here's an example app if you're interested: http://tinyurl.com/fuvq

HTH,

Matt

-----Original Message-----
From: David Erickson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 02, 2003 11:27 AM
To: Struts Mailing List
Subject: Webapp Security?

Just curious how others have gone about protecting the resources within their webapp.. in our personal setup we would like to control access to every resource if possible, we have our own custom login page that sets session variables, and pulls the data from the database. We can authenticate people with code in each of the actions, but nothing is preventing someone from directly going to a jpg or a jsp file or anything of the like. What I thought about doing was subclassing the tomcat connectors, the default, the jsp one, and the struts one and then authenticating each request.. but that adds a lot of overhead. Anybody have any other good ideas? We'd like to stick with just tomcat 4.1.24... no apache (no .htaccess).. what is everyone else implementing?

-David

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
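
A sketch of container-managed security for the setup described in the question, added here as an example; it is not taken from either poster or from the linked app. The role name, page paths, table and column names, and JDBC settings are assumptions to be replaced with the application's own.

```xml
<!-- WEB-INF/web.xml (Servlet 2.3 / Tomcat 4.1), inside <web-app>.
     Role name and page paths are assumed for illustration. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire application</web-resource-name>
    <!-- /* covers Struts actions, JSPs and static files such as .jpg,
         so direct requests are checked by the container before any
         servlet or action code runs. -->
    <url-pattern>/*</url-pattern>
    <!-- No <http-method> elements: the constraint applies to all methods. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <!-- The form must POST j_username and j_password to j_security_check. -->
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>

<!-- conf/server.xml, inside the <Engine>, <Host> or <Context> element.
     Points the realm at an existing user database; the driver, URL,
     credentials, table and column names below are placeholders. -->
<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="org.example.Driver"
       connectionURL="jdbc:example://dbhost/appdb"
       connectionName="realm_reader"
       connectionPassword="CHANGE_ME"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name"/>
```

Once the container has authenticated the request, actions can read the identity with `request.getRemoteUser()` and `request.isUserInRole("user")` instead of checking session variables themselves.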