We use Spring Security (aka Acegi), but a simple Filter could do this too.

On Fri, Aug 22, 2008 at 9:17 AM, <[EMAIL PROTECTED]> wrote:
>
> My web app uses the Velocity View Servlet with a mapping "*.vtl" (I use
> .vtl in preference to .vm for my templates; .vm I reserve for VelociMacro
> files). Users should be accessing the system with URLs with the pattern
> "*.do", which maps to Struts. The Struts ActionForwards then reference
> *.vtl URIs for the presentation step. All fairly straightforward, I think.
>
> The problem is, what's to stop a user typing in the name of one of my .vtl
> templates directly into their browser address bar? (or maybe worse,
> generating a POST request that contains all the context data so that it
> appears to render correctly)?
>
> There must be a way to secure this. A Filter or Valve, maybe? (The webapp
> will be deployed on Tomcat 5.0, 5.5 and possibly 6). What do people here
> do?
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
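A sketch of the "simple Filter" approach mentioned in the reply, as an added example that is not code from this thread. The class name and filter name are assumptions, and it assumes a Servlet 2.4 container (Tomcat 5.0 or later) and that Struts reaches the templates through a server-side forward.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example; class and filter names are assumptions. web.xml mapping:
 *
 *   <filter>
 *     <filter-name>directTemplateBlock</filter-name>
 *     <filter-class>DirectTemplateAccessFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>directTemplateBlock</filter-name>
 *     <url-pattern>*.vtl</url-pattern>
 *     <dispatcher>REQUEST</dispatcher>
 *   </filter-mapping>
 *
 * Mapped to REQUEST only, the filter runs for client requests and is skipped
 * on RequestDispatcher.forward(), so Struts forwards to *.vtl still render.
 */
public class DirectTemplateAccessFilter implements Filter {

    // Set by the container on forwarded requests (Servlet 2.4 and later).
    private static final String FORWARD_URI = "javax.servlet.forward.request_uri";

    public void init(FilterConfig config) throws ServletException {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Request attributes are set server-side only; a client cannot forge
        // this one. Keeps forwards working if FORWARD is ever added to the mapping.
        if (req.getAttribute(FORWARD_URI) != null) {
            chain.doFilter(req, res);
            return;
        }
        // Direct GET or POST to a template: 404, so template names are not confirmed.
        ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
    }

    public void destroy() {
    }
}
```

An ActionForward declared with redirect="true" sends the browser to the .vtl URL as a new client request, which this filter would reject.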
