4. Put all JSPs under WEB-INF so they are NOT accessible via URL. Always link URLs to actions and forward to JSPs. Make a simple forward action (the only line: return mapping.findForward("success"); ) for JSPs which do not need any preprocessing.
Regards,
Leon

On 1/19/06, David Thielen <[EMAIL PROTECTED]> wrote:
> Hi;
>
> I have a page admin.jsp that if a user is not an admin, they should never
> see. I can make the standard way to get there be admin.do but that just
> invites a hacker to type in admin.jsp, so I still have to ensure that
> requests for admin.jsp are redirected for non admin users.
>
> Each page (jsp) and its Action class know who is allowed in. So I would
> like to handle this in one of these two places. But the only two solutions I
> have come up with are:
>
> 1. A filter with all pages and who can access them in that one class -
> dangerous because a new page can get added and the developer forgets to add
> it to the authorization class.
> 2. We have jsp pages that just do a check and redirect if the user is
> not authorized. We then include the appropriate one at the top of each jsp
> page. This works great if there are a small set of authorizations (this is
> what I used before - every user was one of 3 types). However, it breaks down
> for more than a couple of pre-defined authorization groups.
> 3. All pages are accessed via preAction -> jsp -> submitAction. The
> preAction sets a session attribute to the name of the jsp. The jsp page at
> the top checks this attribute and if it is not its name, it redirects to
> the home page. As a session attribute, as soon as the user goes to another
> preAction, they can't go back to the previous jsp. So it forces the
> pre/jsp/submit ordering. The downside to this is the back button will be
> limited to the jsp page that the global attribute is set to, not going back
> further.
>
> Any other approaches?
>
> Thanks - dave
>
> David Thielen
> www.windwardreports.com
> 303-499-2544
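As an added example (not code from either post), here is the pattern Leon describes in Struts 1: admin.jsp lives under /WEB-INF/jsp/ so the container will not serve it directly, the only route to it is the action mapping, and the action guarding the page makes the authorization decision itself. The class name AdminAction, the role name "admin", the forward names and the struts-config.xml fragment in the comment are assumptions.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/*
 * Assumed struts-config.xml fragment (constructed for this example).
 * Because the JSP path begins with /WEB-INF/, the servlet container
 * refuses direct requests for it; a user typing admin.jsp into the
 * address bar gets a 404, and the only way in is /admin.do.
 *
 *   <action path="/admin" type="example.AdminAction" validate="false">
 *     <forward name="success" path="/WEB-INF/jsp/admin.jsp"/>
 *     <forward name="denied"  path="/home.do" redirect="true"/>
 *   </action>
 *
 * Pages that need no preprocessing at all can use the framework's own
 * org.apache.struts.actions.ForwardAction with parameter="/WEB-INF/jsp/x.jsp"
 * instead of a hand-written class.
 */
public class AdminAction extends Action {

    /** Role name is an assumption; it must match the container's realm. */
    private static final String REQUIRED_ROLE = "admin";

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {
        // The check sits next to the page it guards: adding a new page means
        // adding a new action, not remembering to edit a central list.
        if (!isAuthorized(request)) {
            // Send non-admins back to the home page via the "denied" forward.
            return mapping.findForward("denied");
        }
        // Authorized: forward (not redirect) to the JSP under WEB-INF.
        return mapping.findForward("success");
    }

    /** Uses container-managed roles; swap in your own user model if needed. */
    static boolean isAuthorized(HttpServletRequest request) {
        return request.getUserPrincipal() != null
            && request.isUserInRole(REQUIRED_ROLE);
    }
}
```

Because the forward is server-side, the browser never sees the /WEB-INF/ path, and bookmarking or going back only ever lands on /admin.do, which re-runs the check.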