Hi,

Can you please be more specific. I did not get you. When I click the button and go to the action it has the session ID. I will put it in the form as a hidden value. But what happens when I paste the URL in the browser, which goes to the action with the GET method and has the session ID?

Can you please elaborate on it more.

Thanks,
Raj

Maurizio Cucchiara wrote:
>
> Hi,
> you could obtain the session id through session.getId() and put it inside
> the form as a hidden field, after which you could verify the correctness.
>
> did I answer your question?
>
> Maurizio Cucchiara
>
>
>
> 2010/9/29 Orpu <[email protected]>:
>>
>> Hi All,
>>
>> My application is developed using the Struts framework. It takes the user
>> id and password at the time of login and goes to the next page. I am using
>> method="POST" when I am invoking the action class, as below.
>>
>> <html:form action="/login.do" method="POST">
>>
>> Basically I don't have any problem when I am logging in after giving the
>> user id and password.
>>
>> But I am having security concerns when I am sending the user id and password
>> in the URL as below:
>>
>> http://localhost:8080/SecurityTest/login.do?userId=sss&password=sss&step=Login
>>
>> Using the above URL in the browser successfully takes me to the
>> next page.
>>
>> Can anyone please help me. How to protect the application in this scenario?
>>
>> I tried to solve this issue by defining security constraints in the web.xml
>> file as below:
>>
>> <security-constraint>
>>   <web-resource-collection>
>>     <web-resource-name>Protected Area with GET</web-resource-name>
>>     <url-pattern>*/login.do</url-pattern>
>>     <http-method>GET</http-method>
>>   </web-resource-collection>
>>   <auth-constraint/>
>> </security-constraint>
>>
>> One more thing: I should not put restrictions on the other GET methods which
>> are in the entire application. I should only restrict at the time of logging in.
>>
>> I know the url-pattern that I am using may resolve this issue. But what
>> is the correct pattern I have to use?
>>
>> Please help me.
>>
>> Thanks
>> Raj
>> --
>> View this message in context:
>> http://old.nabble.com/Security-Issue-with-GET-method-tp29838122p29838122.html
>> Sent from the Struts - Dev mailing list archive at Nabble.com.
--
View this message in context:
http://old.nabble.com/Security-Issue-with-GET-method-tp29838122p29845742.html
Sent from the Struts - Dev mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
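A servlet filter that enforces the POST-only login the thread is asking for, as an added example that is not code from the thread or from Struts. A servlet url-pattern can only be an exact path such as /login.do, a prefix such as /secure/*, or an extension such as *.do, so */login.do matches nothing; the exact path is what keeps the other GET actions unaffected. It assumes the Servlet 2.x API, the /login.do path and userId/password parameter names from the original post, and a hypothetical class name PostOnlyLoginFilter.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects every non-POST request to the login action, so credentials can never
 * arrive in the query string (which lands in access logs, proxy logs, browser
 * history and Referer headers). web.xml mapping, using an exact path so the
 * other *.do actions are untouched (class name is hypothetical):
 *   <filter><filter-name>postOnlyLogin</filter-name>
 *           <filter-class>PostOnlyLoginFilter</filter-class></filter>
 *   <filter-mapping><filter-name>postOnlyLogin</filter-name>
 *                   <url-pattern>/login.do</url-pattern></filter-mapping>
 */
public class PostOnlyLoginFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!"POST".equals(request.getMethod())) {
            // 405 plus an Allow header: the action never sees userId/password.
            response.setHeader("Allow", "POST");
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }
        // A POST to /login.do?password=... would still be logged, so refuse
        // credentials placed in the URL even when the method is right.
        String query = request.getQueryString();
        if (query != null && (query.contains("password=") || query.contains("userId="))) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Blocking GET on its own does not stop a forged POST submitted from another site; the hidden per-session value discussed in the thread still has to be compared server-side against the session on every login POST.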
