Following the same scenario, I don't face this issue...
Lionel
"Tissen" <[EMAIL PROTECTED]> wrote in message news: [EMAIL
PROTECTED]
Dear All,
I have ACL-based security in my application and the security works fine in all
the happy flows. But I found an issue while testing the security.
I have two roles in my application: Administrator and User. I can
control the access level in the JSP using the <ss:secure roles=""></ss:secure>
tag. I have even used the @secure annotation at method level.
(I referred to
http://www.stripesframework.org/display/stripes/Securing+Stripes+With+ACLs)
The scenario I have tested is below.
1. Logged in as Administrator and executed a secure method.
2. Copy the URL from the browser after execution.
3. Open a new browser and login as a User.
4. After successful authentication, paste the URL that was copied from the
Administrator user and press enter.
5. The result is that the user can also do the same action, which can only be
performed by the administrator.
Ideally the user should be taken to notAuthorized.jsp, as I specified this in
web.xml, but it is not happening.
Has anybody encountered this issue previously? I am just thinking of writing
an Interceptor to check the roles just before executing the action. Is it the
right way to do this?
Could anybody suggest a solution to solve this issue?
Cheers,
Tissen Sebasian
_______________________________________________
Stripes-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/stripes-users
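
The interceptor idea raised in the question, as an added example that is not part of the original thread or of the Stripes wiki code: a server-side role check that runs on every request, so a pasted URL is evaluated the same way as a clicked link. The `RequiresRole` annotation is a hypothetical stand-in for the poster's `@secure`, and the example assumes roles are available through `HttpServletRequest.isUserInRole`.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.sourceforge.stripes.action.ErrorResolution;
import net.sourceforge.stripes.action.Resolution;
import net.sourceforge.stripes.controller.ExecutionContext;
import net.sourceforge.stripes.controller.Interceptor;
import net.sourceforge.stripes.controller.Intercepts;
import net.sourceforge.stripes.controller.LifecycleStage;

/** Hypothetical annotation standing in for the thread's @secure; not a Stripes class. */
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.METHOD, ElementType.TYPE})
@interface RequiresRole { String[] value(); }

/** Enforces roles on the server, independent of what the JSP chose to render. */
@Intercepts(LifecycleStage.HandlerResolution)
public class RoleCheckInterceptor implements Interceptor {

    public Resolution intercept(ExecutionContext ctx) throws Exception {
        // Let Stripes work out which event handler this URL maps to.
        Resolution resolution = ctx.proceed();

        Method handler = ctx.getHandler();
        if (handler == null) return resolution;

        // A method-level rule wins; otherwise fall back to a class-level rule.
        RequiresRole rule = handler.getAnnotation(RequiresRole.class);
        if (rule == null) {
            rule = ctx.getActionBean().getClass().getAnnotation(RequiresRole.class);
        }
        if (rule == null) return resolution; // handler is not restricted

        // Assumption: roles come from container-managed authentication.
        // An application keeping roles in the session would read them there instead.
        HttpServletRequest request = ctx.getActionBeanContext().getRequest();
        for (String role : rule.value()) {
            if (request.isUserInRole(role)) return resolution;
        }

        // Returning a Resolution here stops the lifecycle before EventHandling,
        // so the handler never runs. A 403 lets a web.xml error-page mapping
        // decide which page the user sees.
        return new ErrorResolution(HttpServletResponse.SC_FORBIDDEN);
    }
}
```

The class takes effect only once it is registered with the Stripes filter, for example through the `Interceptor.Classes` init-param in web.xml.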