I have two questions. In thinking about security, there are two cases, using Struts forms, which I don't know how to solve.

1. Is it common practice in a web application to force some actions only through a POST request? For instance, I have a login functionality on my website, and in my browser's address bar, I can type in the destination action with username and password attached as query parameters. I think this is kind of a security hole. I can also think of other actions in my application where GET requests are inappropriate. Is it possible for me to list out which actions I only want POST from? Is this a standard practice? Would I configure web.xml to do this, or hardcode a check for POST in my actions?

2. It is common practice, upon failed validation, for an action to return back to the same view and display error messages. This is also good usability because the user can see the errors next to the erroneous data. However, I found a security hole in this methodology: if I were to create a new session and invoke the action directly with the address bar, I am presented with error messages on a form whose output data is incomplete. It is because it is typical to display a lot of business data with the form too, but this was never loaded because I didn't go through an edit action. What do I do here in these cases?

Thanks!
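One way to handle both cases, added here as an example (not code from the original post or from the Struts project): a servlet Filter that refuses anything but POST for a list of action paths configured in web.xml, and a Struts 1 Action that checks whether the edit step actually ran before rendering a form that depends on its data. The action paths (/login.do, /saveOrder.do, /editOrder.do), the session key "orderContext" and the forward name "edit" are assumed for illustration; the two classes belong in separate source files.

```java
// Added example, not from the original post. Assumes Struts 1.x and the
// Servlet 2.x API. Paths, session key and forward names are hypothetical.
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/**
 * Case 1: reject non-POST requests to the action paths listed in web.xml.
 *
 *   <filter>
 *     <filter-name>postOnly</filter-name>
 *     <filter-class>PostOnlyFilter</filter-class>
 *     <init-param>
 *       <param-name>paths</param-name>
 *       <param-value>/login.do,/saveOrder.do</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>postOnly</filter-name>
 *     <url-pattern>*.do</url-pattern>
 *   </filter-mapping>
 */
public class PostOnlyFilter implements Filter {
    private final Set postOnlyPaths = new HashSet();

    public void init(FilterConfig config) {
        String paths = config.getInitParameter("paths");
        if (paths != null) {
            postOnlyPaths.addAll(Arrays.asList(paths.split(",")));
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // getServletPath() is the part after the context path, e.g. "/login.do"
        String path = request.getServletPath();
        if (postOnlyPaths.contains(path) && !"POST".equals(request.getMethod())) {
            HttpServletResponse response = (HttpServletResponse) res;
            response.setHeader("Allow", "POST");
            // 405 tells the client the method is wrong without running the action,
            // so credentials typed into the address bar never reach the login code.
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}

/**
 * Case 2 (separate file): if the business data the view needs was never
 * loaded, the action was reached directly, so send the user through the
 * edit action instead of rendering a half-empty form with error messages.
 *
 *   <forward name="edit" path="/editOrder.do" redirect="true"/>
 */
public class SaveOrderAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) {
        // The edit action is assumed to store the view's business data under
        // this key (hypothetical) when it prepares the form.
        if (request.getSession().getAttribute("orderContext") == null) {
            return mapping.findForward("edit");
        }
        // ... normal validation and save logic would follow here ...
        return mapping.findForward("success");
    }
}
```

The filter answers the "web.xml or hardcode it" question with a middle ground: the list of POST-only actions lives in web.xml, but the check is enforced once in one place rather than repeated in every Action. The second class keeps the usual "return to the same view on validation failure" pattern and only adds the precondition check that the direct-invocation case was missing.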

