Hi Leon,

Would you like to give me any example of your solution?

Anh Tuan
----- Original Message -----
From: "Pham Anh Tuan" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <user@struts.apache.org>
Sent: Friday, May 20, 2005 9:37 AM
Subject: Re: Fw: [HELP] How to restrict access to certain mapping action ???



Hi all,

First, thanks for all your replies.
Second, the solution here is that we will have a dynamic parameter which will automatically be created when a session starts and will be appended to the URL. Is this right :)?


Could we hide the above parameter in session scope?

Again, we found the solution!

Thank you all very much :)

Anh Tuan
----- Original Message -----
From: "Leon Rosenberg" <[EMAIL PROTECTED]>
To: "'Struts Users Mailing List'" <user@struts.apache.org>
Sent: Friday, May 20, 2005 5:05 AM
Subject: Re: Fw: [HELP] How to restrict access to certain mapping action ???



Aehm...

Be careful with this advice.
First: you will get no referer in any kind of popups.
Second: most proxies, anonymizers and anti-spy software remove the referer
attribute from the header.

Maybe I'm a little late, but I had a similar requirement some time ago -
protect pages from being referred to by "bad guys" directly, without the
customers index page in between.
I solved it by adding an encrypted parameter to the link, which among others
contained a lifetime of the link and was generated at the index page on the
fly.
The action checked if the lifetime of the link was expired (which would
happen if someone copy&pasted the link) and refused
further execution. There are many libs available for encryption / decryption
of parameters; the one I used was the blowfishj.jar, available under:
http://blowfishj.sourceforge.net/

(http://sourceforge.net/project/showfiles.php?group_id=124761&package_id=136373&release_id=288393)

Regards
Leon
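
[Added example, not part of the original thread and not Leon's code.] A sketch of the expiring link parameter described above, also bound to the session as the follow-up message suggests. It swaps in an HMAC-SHA256 tag from the JDK instead of Blowfish encryption, since the check only needs the lifetime to be tamper-proof; the class LinkToken, its method names and all sample values are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class LinkToken {
    private final SecretKeySpec key;

    public LinkToken(byte[] secret) {
        this.key = new SecretKeySpec(secret, "HmacSHA256");
    }

    // Token = expiryMillis + "." + base64url(HMAC(path, sessionId, expiryMillis)).
    public String issue(String path, String sessionId, long nowMillis, long lifetimeMillis) throws Exception {
        long expires = nowMillis + lifetimeMillis;
        return expires + "." + mac(path, sessionId, expires);
    }

    // True only if the tag matches this path and session and the lifetime has not run out.
    public boolean verify(String token, String path, String sessionId, long nowMillis) throws Exception {
        int dot = (token == null) ? -1 : token.indexOf('.');
        if (dot <= 0) return false;
        long expires;
        try { expires = Long.parseLong(token.substring(0, dot)); } catch (NumberFormatException e) { return false; }
        byte[] expected = mac(path, sessionId, expires).getBytes(StandardCharsets.US_ASCII);
        byte[] supplied = token.substring(dot + 1).getBytes(StandardCharsets.US_ASCII);
        // Constant-time tag comparison first, then the expiry check.
        return MessageDigest.isEqual(expected, supplied) && nowMillis <= expires;
    }

    private String mac(String path, String sessionId, long expires) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(key);
        byte[] tag = m.doFinal((path + "\n" + sessionId + "\n" + expires).getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    public static void main(String[] args) throws Exception {
        // Constructed secret, clock value and session ids, for demonstration only.
        LinkToken lt = new LinkToken("constructed-demo-secret".getBytes(StandardCharsets.UTF_8));
        long now = 1_000_000L;
        String t = lt.issue("/user/useraction.do", "SESSION-A", now, 60_000L);
        System.out.println(lt.verify(t, "/user/useraction.do", "SESSION-A", now + 5_000L));  // fresh click
        System.out.println(lt.verify(t, "/user/useraction.do", "SESSION-A", now + 90_000L)); // pasted later
        System.out.println(lt.verify(t, "/user/useraction.do", "SESSION-B", now + 5_000L));  // other session
        System.out.println(lt.verify(t, "/user/other.do", "SESSION-A", now + 5_000L));       // other action
    }
}
```

In a servlet or Struts action the path and session id would come from request.getServletPath() and request.getSession().getId(), with the secret held in server-side configuration.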



-----Original Message-----
From: Catalin Croitoru [mailto:[EMAIL PROTECTED]
Sent: Thursday, 19 May 2005 23:50
To: Struts Users Mailing List
Subject: Re: Fw: [HELP] How to restrict access to certain mapping action ???

hi,

you can do like this:

String myReferer = request.getHeader("Referer");

if myReferer is null, this means the request was made by typing the
address in the address bar. If it's not null, it means the user
clicked on a link on the last page in the browser and myReferer is
the URL of this page. For a full description of this, look for the
HTTP description at the header field definition. I don't have a
link on the web for this, but I think you can find it easily with Google.

I hope this solves your problem.

Catalin



On 5/19/05, Pham Anh Tuan <[EMAIL PROTECTED]> wrote:
> Thank Aladin,
>
> I'm Alibaba :D,
>
> So, the first thing I want to say here I don't know exactly how to use
> <security-constraint>, maybe syntax.
>
> the second is I mean that, I don't want User do my action by typing my
> action path directly on address bar, such as
> http://www.myweb/user/useraction.do, but I allow User do my action by
> clicking on certain link on webpage, such as <html:link
> page="/user/useraction.do">do</html:link>
>
> any solution :(
>
> Anh Tuan
> ----- Original Message -----
> From: "Aladin Alaily" <[EMAIL PROTECTED]>
> To: "Struts Users Mailing List" <user@struts.apache.org>
> Sent: Thursday, May 19, 2005 9:49 AM
> Subject: Re: Fw: [HELP] How to restrict access to certain mapping action ???
>
>
> > Hi Pham,
> >
> > I think this was mentioned earlier.  There are two things you can do:
> >
> > 1) Use a filter with a url-map to your action
> >
> > 2) Use security constraints
> >
> > Aladin
> >
> >
> >
> > Pham Anh Tuan wrote:
> >>
> >> Hi all,
> >>
> >> This is the second time I post this message for help :(.
> >>
> >> I don't know how to restrict access to certain mapping action?
> >>
> >> Ex:
> >> I have action: /user/myaction.do
> >> and I don't want user directly access to above action.
> >>
> >> Could I use web.xml to solve this problem.
> >>
> >> something like:
> >>
> >> <security-constraint>
> >>   <web-resource-collection>
> >>     <web-resource-name>Restrict access to JSP pages</web-resource-name>
> >>     <url-pattern>*.jsp</url-pattern>
> >>   </web-resource-collection>
> >>   <auth-constraint>
> >>     <description>With no roles defined, no access granted</description>
> >>   </auth-constraint>
> >> </security-constraint>
> >>
> >> Thanks for your reading.
> >>
> >> Anh Tuan
> >>
> >>
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: [EMAIL PROTECTED]
> >> For additional commands, e-mail: [EMAIL PROTECTED]