----- Original Message ----- 
From: "David Erickson" <[EMAIL PROTECTED]>
To: "Struts Mailing List" <[EMAIL PROTECTED]>
Sent: Wednesday, July 02, 2003 12:26 PM
Subject: Webapp Security?


> Just curious how others have gone about protecting the resources within
> their webapp.. in our personal setup we would like to control access to
> every resource if possible, we have our own custom login page that sets
> session variables, and pulls the data from the database.
>
> We can authenticate people with code in each of the actions, but nothing
> is preventing someone from directly going to a jpg or a jsp file or
> anything of the like.  What I thought about doing was subclassing the
> tomcat connectors, the default, the jsp one, and the struts one and then
> authenticating each request.. but that adds a lot of overhead.  Anybody
> have any other good ideas?  We'd like to stick with just tomcat 4.1.24...
> no apache (no .htaccess).. what is everyone else implementing?

Preventing someone from directly going to the JSP pages for your web
applications is the right thing to do. I just posted a summary with
the subject MVC, Security, and Redirect:

1) No one has direct access to any JSP pages in the
    web applications.
2) Anybody is able to invoke the generalized action
    controllers where the security checking is performed.

You could use a dummy role, "nobody", to protect all of your
application-oriented resources with the security constraints. If your
user accounts are stored in a database, like our implementation,
you could map your users' id, group, ref, whatever to the role names
specified on the action mappings. Giving users dynamic privileges is
also implemented in our code.

> -David
>
>

Jing
Netspread Carrier
http://www.netspread.com
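As an added example (not code from the original thread or from Netspread's implementation), this is a Servlet 2.3 web.xml for Tomcat 4.1 that expresses the approach in the reply above: every *.do request goes through the Struts controller, and a security constraint bound to a role named "nobody", which no account is ever mapped to, blocks direct browser requests for the JSPs and for the directories that hold them. The directory names /pages/* and /reports/* are assumed for illustration.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>

  <!-- Struts 1.1 controller: every *.do request is handled by the
       ActionServlet, which is the only place the application's own
       authentication and role checks need to run. -->
  <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
    <init-param>
      <param-name>config</param-name>
      <param-value>/WEB-INF/struts-config.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>

  <servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>

  <!-- Deny direct access to the view layer.  The constraint requires the
       "nobody" role; since no user is ever placed in that role, the
       container refuses the request before any JSP executes.  Server-side
       forwards from an Action to a JSP (RequestDispatcher.forward) are not
       subject to security constraints, so the controller can still render
       these pages.  The /pages and /reports directories are assumed names. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Internal pages</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <url-pattern>/pages/*</url-pattern>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>nobody</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Declared so the container knows the role exists; deliberately no
       login-config, because the constraint is meant as a deny rule rather
       than as a prompt to log in through the container. -->
  <security-role>
    <role-name>nobody</role-name>
  </security-role>

</web-app>
```

Two points to check when applying this. First, static files that the JSPs reference with plain `<img>` or `<link>` tags are fetched by the browser directly, so putting images under the constraint breaks the pages unless an Action serves them; only resources that should never be requested directly belong in the constraint. Second, the role-based check on the action mappings (the `roles` attribute in Struts 1.1) relies on the container's `isUserInRole`, which does not know about session variables set by a custom login page; mapping database groups to container roles, as the reply describes, therefore needs either a custom Realm or an equivalent check inside the Action itself. An empty `<auth-constraint/>` is also defined by the Servlet 2.3 specification as "no roles permitted" and achieves the same denial without a placeholder role.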



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
