I need every page in my web app to be secure. What I originally did
was extend the Action class to make a secure action class. The
SecureAction's perform method validates that the user is logged in and, if
not, sends them to the login page. All actions in my app extend
SecureAction. To protect my JSPs, I put them in a subfolder of WEB-INF,
WEB-INF/jsp. This way a user cannot directly access any JSP; they can only
be accessed through a forward in an action. This completely secures all
resources in my application.


This is where I run into a problem. If I use the validate() method of the
form bean and it returns a non-empty ActionErrors object, then the request is
diverted to the resource that is set as the "input", in this case a JSP. Because
of this, if a user were to put some bogus field values in the URL, she
would be able to cause the form bean to not validate and get the JSP to
display, bypassing the secure action. I can secure each JSP, but this is
redundant if I have them in the WEB-INF folder in the first place. I would
rather avoid this "fix".


I know that overriding the default action class is a common way to secure
your app, as I have read about it in more than one place; however, I have never
seen this problem addressed. Has anyone else run across this problem before
and come up with a solution? Thanks in advance.


Todd Bryant
Programmer/Analyst
University of Nebraska Foundation
402-472-0107
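One way to close the gap described above is to move the login check in front of the framework entirely, so that the form bean's validate() and the forward to the "input" JSP can never run before it. The following is an added example, not code from the original post or from Struts itself: a servlet Filter (Servlet 2.3+ API) mapped to the same URL pattern as the ActionServlet; the session attribute name "user", the "/login.do" path and the `*.do` mapping are assumptions.

```java
// Added example (not from the original post): a servlet Filter that enforces the
// login check before the Struts ActionServlet sees the request. Because the filter
// runs ahead of ActionForm.validate(), a deliberately invalid form can no longer
// reach the "input" JSP without passing the check. Names below are assumptions.
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class LoginFilter implements Filter {
    private static final String USER_KEY = "user";   // assumed session attribute set at login
    private String loginPath = "/login.do";          // assumed login action, overridable in web.xml

    public void init(FilterConfig cfg) {
        String p = cfg.getInitParameter("loginPath");
        if (p != null) loginPath = p;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Servlet path is relative to the context root, so the check works under any context.
        String path = request.getServletPath();
        boolean isLoginRequest = path.equals(loginPath);

        // getSession(false) avoids creating sessions for anonymous probes.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_KEY) != null;

        if (loggedIn || isLoginRequest) {
            chain.doFilter(req, res);   // hand the request on to the ActionServlet
            return;
        }
        // Redirect (not forward): nothing under WEB-INF/jsp is rendered for an anonymous user.
        response.sendRedirect(request.getContextPath() + loginPath);
    }

    public void destroy() { }
}

/* web.xml fragment (assumes the ActionServlet is mapped to *.do):
 * <filter><filter-name>login</filter-name><filter-class>LoginFilter</filter-class></filter>
 * <filter-mapping><filter-name>login</filter-name><url-pattern>*.do</url-pattern></filter-mapping>
 * Direct requests for /WEB-INF/jsp/* are already refused by the container, so only the
 * action URLs need the filter; SecureAction can stay as defence in depth.
 */
```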