On Thu, 3 Jul 2003, David Erickson wrote:
> Date: Thu, 3 Jul 2003 13:44:41 -0600
> From: David Erickson <[EMAIL PROTECTED]>
> Reply-To: Struts Users Mailing List <[EMAIL PROTECTED]>
> To: Struts Users Mailing List <[EMAIL PROTECTED]>
> Subject: Re: Webapp Security?
>
> Yes this makes excellent sense.  And this is basically along the lines of
> what I think we may do, but I am wondering if you could just filter the
> action itself using Filters before it even gets to struts, and if they don't
> have permission to perform that action then it never even makes it to
> struts?
>

Yep.

> Also another question that has been burning in my mind that I haven't been
> able to figure out, let's suppose we run a struts action it is successful so
> its actionmapping forward is to test.jsp.  When it forwards to test.jsp does
> the tomcat server parse back through the web.xml to see what servlet is
> supposed to get that test.jsp, or does it do something else??
>

Struts uses RequestDispatcher.forward() to deal with the ActionForward
instance that is returned.  Translating the context-relative path into a
call to a particular servlet or JSP page does indeed go back through the
servlet mappings you've defined in web.xml, the same way that the original
request URL is mapped to a servlet or JSP page based on these mappings.

One thing to note about this, in the context of the discussion on
container managed security, is that security constraints are enforced ONLY
on the original request from a client, not on RequestDispatcher calls.  If
the application uses RequestDispatcher, the container assumes that it
knows what it is doing.

> -David

Craig
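
The filter approach discussed in this message, as an added example that is not code from the thread or from Struts: a servlet filter that refuses an unauthorized action request before it reaches the Struts ActionServlet. The class name, the action paths and role names in the policy, the `*.do` mapping and the use of container-managed login (so that `isUserInRole()` is meaningful) are all assumptions made for illustration.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (hypothetical class). Assumed web.xml: this filter is mapped to
// url-pattern *.do, the same pattern assumed for the Struts ActionServlet.
public class ActionPermissionFilter implements Filter {

    // Constructed sample policy: action path -> role allowed to invoke it.
    private final Map<String, String> requiredRole = new HashMap<String, String>();

    public void init(FilterConfig config) {
        requiredRole.put("/admin/deleteUser.do", "admin");
        requiredRole.put("/orders/approve.do", "manager");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // With an extension mapping such as *.do, getServletPath() is the whole
        // context-relative path of the action, without the query string.
        String role = requiredRole.get(request.getServletPath());

        // Deny by default: an action missing from the policy is refused, and so
        // is a caller the container has not authenticated into the required role.
        if (role == null || !request.isUserInRole(role)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return; // chain.doFilter() is never called, so Struts never runs
        }

        // Authorized: continue to the ActionServlet. When the Action's forward is
        // dispatched with RequestDispatcher.forward(), the target (e.g. test.jsp)
        // is not re-checked by the container's security constraints, and this
        // filter, mapped only to *.do, does not see it either.
        chain.doFilter(request, response);
    }

    public void destroy() {
        requiredRole.clear();
    }
}
```

Because forwarded pages are not re-checked, a JSP that must not be requested directly needs its own protection, for example a security constraint on its URL or a location under WEB-INF.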