The only way you have of knowing that a form submission did not originate from a flow (Action, Form, Action) is to implement my suggestion of Tokens and validation within the Action. Actually, it is probably not the only way, but it is one I am recommending you think about.
I am very impressed with the extent you wish to make your users happy, even if they hack around with your app. Do you have a lot of spare time? ;) In quite a few applications I am sure there would be some serious NPEs if people attempted to post empty or incorrect data to all the servlet mappings.

-----Original Message-----
From: Ramadi Pearse [mailto:[EMAIL PROTECTED]
Sent: 25 June 2005 14:58
To: Struts Users Mailing List
Subject: RE: Form Security

Mark,

Thank you for responding. My focus with these questions is to prevent any unexpected behavior in the application. It is sometimes amazing how hackers are able to break an application! :)

So, with regards to #2, the problem is really not about roles. These actions are already secure, but still that doesn't prevent people from hacking around and seeing what can be broken. But I've seen how my app looks if I try to save and I am brought to a page with no business data!! Things look pretty goofy. Try it yourself. :)

Any other opinions?

Thanks!
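The token check and in-Action validation suggested in the reply above could look like the following Struts 1 sketch. This is an added example, not code from the thread; the class name, the forward names, the message keys and the `title` parameter are assumptions.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;
import org.apache.struts.action.ActionMessages;
import org.apache.struts.actions.DispatchAction;

// Hypothetical action covering both ends of the Action -> Form -> Action flow.
// Map it in struts-config.xml with a "parameter" attribute so DispatchAction
// can select edit() or save().
public class RecordAction extends DispatchAction {

    // First Action: the only place a token is issued. <html:form> on the
    // forwarded JSP writes the session token into a hidden field.
    public ActionForward edit(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        saveToken(request);
        return mapping.findForward("form");   // assumed forward name
    }

    // Second Action: refuse any post that did not come from that form.
    public ActionForward save(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        // reset=true makes the token single-use, so a hand-built POST,
        // a replay or a double submit all fail here.
        if (!isTokenValid(request, true)) {
            return fail(mapping, request, "error.form.token", "start");
        }
        // Validate in the Action as well: never assume the fields exist.
        String title = request.getParameter("title");  // assumed field
        if (title == null || title.trim().length() == 0) {
            saveToken(request);  // token was consumed above; reissue it
            return fail(mapping, request, "error.title.required", "form");
        }
        // ... persist the record here ...
        return mapping.findForward("success");
    }

    // Record a global error message and forward to a safe page.
    private ActionForward fail(ActionMapping mapping, HttpServletRequest request,
            String messageKey, String forward) {
        ActionMessages errors = new ActionMessages();
        errors.add(ActionMessages.GLOBAL_MESSAGE, new ActionMessage(messageKey));
        saveErrors(request, errors);
        return mapping.findForward(forward);
    }
}
```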

