If you are using struts, why go back to a .jsp page? You should be going back to a .do page.
Since the .do is a struts action it will be able to get to your jsp page. "Todd Bryant" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > I have need for every page in my web app to be secure. What I originally did > was extend the Action class to make a secure action class. The > SecureAction's perform method validates that the user is logged in and if > not, sends them to the login page. All actions in my app extend > SecureAction. To protect my jsp's, I put them in a subfolder of WEB-INF, > WEB-INF/jsp. This way a user cannot directly access any jsp. They can only > be accessed through a forward in an action. This completely secures all > resources in my application. > > > > This is where I run into a problem. If I use the validate() method of the > formbean and it returns a non-empty ActionErrors object, then the request is > diverted to resource that is set as the "input", in this case a jsp. Because > of this, if a user were to put in some bogus field values in the url, she > would be able to cause the formbean to no validate and get the jsp to > display, bypassing the secure action. I can secure each jsp, but this is > redundant if I have them in the WEB-INF folder in the first place. I would > rather avoid this "fix". > > > > I know that overriding the default action class is a common way to secure > your app as I have read about it more than one place, however, I have never > seen this problem addressed. Has anyone else ran across this problem before > and come up with a solution? Thanks in advance. > > > > Todd Bryant > > Programmer/Analyst > > University of Nebraska Foundation > > 402-472-0107 > > > > > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]