Ramadi,

I can see your worries in the first scenario, in that if they type the URL
with the username and password parameters they may submit these credentials
over http, which could be intercepted. My two cents would be, if your user
wishes to do this you can do nothing about the request being sent over the
internet.

For the second one, however, it is not clear what your worry is. In my
application there are plenty of forms they could attempt to post data to and
get error messages because of missing data.

If you want to restrict access to actions to certain users (and therefore
anonymous users would not see the messages, as they are not authenticated),
you should place roles against your action, and this will only allow
authenticated users to post to the action.

My second point is similar to my thoughts on your first scenario; if your
user really wants to post data through the address bar you can do nothing
about it.

However, thinking about this, a workaround could be to set a token before you
display the form and then do your form validation in the action, after
checking that the token submitted is valid. If it isn't, don't show them the
input page with messages but redirect them to a page telling them to take a
hike.
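The token workaround and the role restriction described above, as an added Struts 1 example that is not code from the original thread; the action and form class names, the "editor" role and the OrderService/OrderForm helpers are assumptions.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

// Assumed struts-config.xml mappings (hypothetical paths and role):
//   <action path="/editOrder" type="EditOrderAction" roles="editor"> ... </action>
//   <action path="/saveOrder" type="SaveOrderAction" name="orderForm"
//           validate="false" roles="editor"> ... </action>
// roles="editor" makes Struts reject unauthenticated callers before execute()
// runs, so anonymous users never see the form or its error messages.
// validate="false" moves validation into the action, after the token check.

/** Renders the edit form: loads the business data the page needs, then issues the token. */
class EditOrderAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response) {
        request.setAttribute("order", OrderService.load(request.getParameter("id"))); // hypothetical
        saveToken(request); // one-time token in the session; <html:form> emits it as a hidden field
        return mapping.findForward("input");
    }
}

/** Handles the submit: requires POST, then a valid token, and only then validates the form. */
class SaveOrderAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        if (!"POST".equalsIgnoreCase(request.getMethod())) {
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); // no GET from the address bar
            return null;
        }
        if (!isTokenValid(request)) {
            return mapping.findForward("rejected"); // not the form: its business data was never loaded
        }
        resetToken(request); // single-use; a resubmit must go through editOrder again
        ActionErrors errors = form.validate(mapping, request);
        if (errors != null && !errors.isEmpty()) {
            saveErrors(request, errors);
            request.setAttribute("order", OrderService.load(request.getParameter("id")));
            return mapping.findForward("input"); // safe: the caller came from the form we rendered
        }
        OrderService.save((OrderForm) form); // hypothetical persistence call
        return mapping.findForward("success");
    }
}
```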

-----Original Message-----
From: Ramadi Pearse [mailto:[EMAIL PROTECTED] 
Sent: 25 June 2005 05:20
To: user@struts.apache.org
Subject: Form Security

I have two questions. In thinking about security,
there are two use cases with Struts forms which I don't
know how to solve.

1. Is it common practice in a web-application to force
some actions only through a POST request? For
instance, I have a login functionality on my website,
and in my browser's address bar, I can type in the
destination action with username and password attached
as query parameters. I think this is kind of a
security hole. I can also think of other actions in my
application where GET requests are inappropriate.

Is it possible for me to list out which actions I only
want POST from? Is this a standard practice? Would I
configure web.xml to do this, or hardcode a check for
POST in my actions?

2. It is common practice, upon failed validation, for
an action to return back to the same view and display
error messages. This is also good usability because
the user can see the errors next to the erroneous
data. However, I found a security hole in this
methodology: If I were to create a new session and
invoke the action directly with the address bar, I am
presented with error messages on a form whose output
data is incomplete. It is because it is typical to
display a lot of business data with the form too, but
this was never loaded because I didn't go through an
edit action.

What do I do here in these cases?

Thanks!


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
