Todd,
You should use a Filter for authentication. That way,
you can remove all of the logic from your actions and
JSP's and handle it in one central place. It is also a
good practice to put all of your JSP's under WEB-INF
so they can't be accessed directly and to use actions
to forward to your JSPs. Filters were recently
discussed on this mailing list.

Regards,

Richard

--- Todd Bryant <[EMAIL PROTECTED]> wrote:
> That is a good suggestion, and I had thought of
> that, but the problem is
> that a user would have to go from the error page
> back to the page they were
> on. This would make it prohibitively difficult to
> interact with this
> particular app (too many clicks). 
> 
> -----Original Message-----
> From: Paul Barry [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, April 07, 2004 4:07 PM
> To: Struts Users Mailing List
> Subject: Re: Problem with Formbean validate method forwarding to input page
> 
> Make your input action an error page, which just has
> the error and no 
> sensitive data and make a success forward that you
> only send the user to 
> if everything checks out.
> 
> Todd Bryant wrote:
> 
> > I have need for every page in my web app to be secure. What I originally
> > did was extend the Action class to make a secure action class. The
> > SecureAction's perform method validates that the user is logged in and if
> > not, sends them to the login page. All actions in my app extend
> > SecureAction. To protect my jsp's, I put them in a subfolder of WEB-INF,
> > WEB-INF/jsp. This way a user cannot directly access any jsp. They can only
> > be accessed through a forward in an action. This completely secures all
> > resources in my application.
> >
> > This is where I run into a problem. If I use the validate() method of the
> > formbean and it returns a non-empty ActionErrors object, then the request
> > is diverted to the resource that is set as the "input", in this case a jsp.
> > Because of this, if a user were to put in some bogus field values in the
> > url, she would be able to cause the formbean to not validate and get the
> > jsp to display, bypassing the secure action. I can secure each jsp, but
> > this is redundant if I have them in the WEB-INF folder in the first place.
> > I would rather avoid this "fix".
> >
> > I know that overriding the default action class is a common way to secure
> > your app as I have read about it in more than one place, however, I have
> > never seen this problem addressed. Has anyone else run across this problem
> > before and come up with a solution? Thanks in advance.
> >
> > Todd Bryant
> > Programmer/Analyst
> > University of Nebraska Foundation
> > 402-472-0107
> >
> 
>
---------------------------------------------------------------------
> To unsubscribe, e-mail:
> [EMAIL PROTECTED]
> For additional commands, e-mail:
> [EMAIL PROTECTED]
> 

