That's my approach too - the JSPs will either break or do nothing if called
directly.

Pau;

> -----Original Message-----
> From: David Suarez [mailto:[EMAIL PROTECTED]
> Sent: Thursday, August 26, 2004 2:21 PM
> To: Struts Users Mailing List
> Subject: RE: Question about authentication
> 
> 
> I may be misreading the question but... why hide your jsp's from
> direct access? The actions should definitely check for security and it
> makes sense there but if your jsp's populate information from the form,
> wouldn't the jsp be empty/unusable anyway?..
> 
> The approach above is what I have used. Only protect the forms/actions.
> Empty jsp's I don't care about. Let me know why you think that this is
> bad security practice.
> 
> Regards...djsuarez
> 
> -----Original Message-----
> From: Jim Barrows [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, August 25, 2004 4:49 PM
> To: Struts Users Mailing List
> Subject: RE: Question about authentication
> 
> 
> 
> > -----Original Message-----
> > From: Steven Leija [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, August 25, 2004 2:15 PM
> > To: Struts Users Mailing List
> > Subject: RE: Question about authentication
> > 
> > 
> > I'm currently running into the same situation. If you add them to
> > your web-inf directory, do you just create a dir called "jsp" and
> > treat that as your root? Is there any sort of special path or
> > configuration needed for this? I'm using Tomcat 5.0.
> 
> No special configuration needed; you forward to
> /WEB-INF/jsp/yourpage.jsp. Any Servlet or JSP can access anything in
> WEB-INF. The only thing to remember is you cannot type in the jsp from
> the browser, you have to go through an action. Which is what
> ForwardAction is for :)
> 
> If you don't like this, you could incorporate container managed
> security to restrict all *.jsp to a dummy role.
> 
> 
> >  
> > Thanks,
> >  
> > Steven
> >  
> > 
> > > Hi 
> > > I am going to use custom tags for checking 
> > > access to Jsp, if no user/bean bean in session, 
> > > then direct to login page. 
> > > 
> > > And I am also going to check admin bean again 
> > > in Action before invoking life cycle methods 
> > > on business beans. 
> > > 
> > > Now am I overkill with authentication?? 
> > 
> >     Way overkill.  Put your jsps in WEB-INF, and no one can 
> > get at them.  If your container is new enough to handle 
> > filters, use them instead.  Otherwise, use a 
> > BaseSecurityAction that overrides execute, does the check and 
> > then calls whateverYouWantForYourActualExecutionCode( same 
> > params as execute).
> > 
> >     > 
> >     > I mean, if all JSP pages that require user/admin 
> >     > access has custom tag that check for access 
> >     > at top, then i don't really need to check 
> >     > for authentication in Action classes. 
> > 
> >     You shouldn't allow access to your jsp pages. 
> > 
> >     > 
> >     > But it may also be good practice to double check 
> >     > for whatever reason. 
> >     > 
> >     > Just curious what's the usual practice u ppl do. 
> >     > 
> >     > Thanks 
> >     > 
> >     > 
> > 
> --------------------------------------------------------------------- 
> >     > To unsubscribe, e-mail: [EMAIL PROTECTED] 
> >     > For additional commands, e-mail: [EMAIL PROTECTED] 
> >     > 
> >     > 
> > 
> >     
> > 
> > 
> > 
> 
> 
> 
> 
> 

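A BaseSecurityAction of the kind Jim describes, as an added example that is not code from the thread or from Struts itself: it assumes the login action stores the user bean under the session key "user" and that a global forward named "login" is defined in struts-config.xml (both assumed names), with the real JSPs living under /WEB-INF/jsp/ so they are only reachable through an action.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Base action for Struts 1.x: every subclass gets the session check for free. */
public abstract class BaseSecurityAction extends Action {

    /** Session attribute under which the login action stores the user bean (assumed name). */
    public static final String USER_KEY = "user";

    /** Global forward to the login page, declared in struts-config.xml (assumed name). */
    public static final String LOGIN_FORWARD = "login";

    /** Final so a subclass cannot bypass the check by overriding execute() itself. */
    public final ActionForward execute(ActionMapping mapping, ActionForm form,
                                       HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        // getSession(false) does not create a session for anonymous callers.
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(USER_KEY);
        if (user == null) {
            // Not authenticated: the login page is the only thing this request may see.
            return mapping.findForward(LOGIN_FORWARD);
        }
        // Authenticated: hand off to the subclass with the same parameters execute() got.
        return executeAuthenticated(mapping, form, request, response);
    }

    /** Subclasses put their real logic here; a user bean is guaranteed to be in session. */
    protected abstract ActionForward executeAuthenticated(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception;
}

/** Example subclass (assumed): its "success" forward maps to /WEB-INF/jsp/account.jsp. */
class ViewAccountAction extends BaseSecurityAction {
    protected ActionForward executeAuthenticated(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) {
        // Only reached for an authenticated user; the JSP itself is never addressable directly.
        return mapping.findForward("success");
    }
}
```

Actions that must also check a role (the "admin bean" case in the thread) can extend this class and test the user bean's role inside executeAuthenticated(); the base class only answers "is anyone logged in".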


