Vana,

I would consider the following:

1) Protect all the JSPs by putting them under WEB-INF and having an action in front of
every JSP
(so a JSP cannot be called directly)

2) Extend the RequestProcessor processRoles method
(same as what you are doing at the servlet filter level, but you have access
to the mapping).

3) Maybe use a token if a user cannot go directly to Action 2

"Vano Beridze" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Thank you for the answers.
>
> I will be more specific.
>
> I now have the following implementation. It's not built with struts, but
> is built merely from servlets.
>
> The application consists of a login page, a main page and also a bunch of
> other pages. When a user wants to do something he chooses one menu item
> from the main page, navigates through some pages and at the end is
> returned to the main page. (I think it's the usual scenario for many
> web apps.) The menu items are called "actions".
>
> So I have a list of actions. Each action defines the role (It's the
> Oracle Database role) that a user (Oracle user) must have to access that
> action.
>
> I also define which page is owned by which action. What that means: for
> example, if I have a menu
>
> Edit
>   |
>   |---Station
>   |---Country
>
> and I press the Station link, I might visit the following pages:
> Station1, Station2 and so on.
>
> I say that Station1 and Station2 are owned by the Station action.
>
> It's important to say that Station1 can be visited from another action.
>
> When a user is logged in I determine what actions he has based on his
> role and present him only those menu items. But if a user is clever
> he can bypass this limitation and type directly the link to another page
> that he is forbidden to access.
>
> I have a filter that is applied to all the servlets. This filter does
> the following job. It checks the user session. Extracts the actions that
> the user has. Determines what page the user is trying to access. Determines
> the action this page is owned by and checks if the user has that action.
>
> That's all. It's working fine. The only difficulty is that I need to
> track the relation between actions and pages during development.
>
> My question is the following:
>
> Is there a better pattern that I can use and, if yes, can you provide me
> with more info? How can JAAS help me in this situation?
>
> Thank you very much.
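Suggestion 2 above, overriding processRoles, is the point worth seeing in code: the check runs before any Action executes, and unlike a servlet filter it sees the ActionMapping for the request, so the page-to-action bookkeeping described in the quoted mail can live in struts-config.xml (the roles="..." attribute on each action) instead of a hand-maintained table. The class below is an added example, not code from either poster or from Struts itself; it uses the real Struts 1 hooks RequestProcessor.processRoles, ActionMapping.getRoleNames, ActionMapping.getPath and the inherited log field, while the package name, the fallback PATH_TO_ROLE table and its role names are constructed for illustration, standing in for the Oracle-role lookup the original application does.

```java
package example; // hypothetical package name

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

/**
 * Struts 1 RequestProcessor that authorises the request against the
 * ActionMapping before the Action runs. Register it in struts-config.xml:
 *   <controller processorClass="example.RoleCheckingRequestProcessor"/>
 * and declare the owning role per action:
 *   <action path="/station1" ... roles="STATION_EDITOR"/>
 */
public class RoleCheckingRequestProcessor extends RequestProcessor {

    // Constructed fallback table: action path -> required role. Only used
    // for mappings that carry no roles="..." attribute. Stands in for the
    // Oracle-role lookup in the original application.
    private static final Map PATH_TO_ROLE = new HashMap();
    static {
        PATH_TO_ROLE.put("/station1", "STATION_EDITOR");
        PATH_TO_ROLE.put("/station2", "STATION_EDITOR");
        PATH_TO_ROLE.put("/country1", "COUNTRY_EDITOR");
    }

    protected boolean processRoles(HttpServletRequest request,
                                   HttpServletResponse response,
                                   ActionMapping mapping)
            throws IOException, ServletException {

        // Roles declared on the mapping win; otherwise consult the table.
        String[] required = mapping.getRoleNames();
        if (required == null || required.length == 0) {
            String role = (String) PATH_TO_ROLE.get(mapping.getPath());
            if (role == null) {
                // Fail closed: a page nobody has claimed is not reachable,
                // which is exactly the "typed the URL directly" case.
                deny(response, mapping.getPath());
                return false;
            }
            required = new String[] { role };
        }

        // Any one of the listed roles is enough (same semantics as Struts'
        // own roles="a,b" handling).
        for (int i = 0; i < required.length; i++) {
            if (hasRole(request, required[i])) {
                return true; // let processActionPerform run
            }
        }
        deny(response, mapping.getPath());
        return false;
    }

    /**
     * Role test. Here it delegates to the container (isUserInRole); an
     * application that keeps its role list in the session, as the quoted
     * mail describes, would read it from the HttpSession instead.
     */
    protected boolean hasRole(HttpServletRequest request, String role) {
        return request.isUserInRole(role);
    }

    private void deny(HttpServletResponse response, String path)
            throws IOException {
        // Log the denied path so repeated probing is visible in the logs;
        // the client only gets a bare 403.
        log.warn("Access denied to " + path);
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
    }
}
```

Returning false from processRoles stops the request after the error has been sent, which is the contract Struts' own implementation follows. Combined with suggestion 1 (JSPs under WEB-INF, reachable only through a forward from an Action), every page then passes through this single check, and the "which page belongs to which action" relation is maintained in the one file that already lists the actions.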
