Seems to me that neither the jsp nor the action is the correct place to enforce a security policy. It means both page designers and developers have to remember to do it every time.
There ought to be (is there?) a mechanism for declaring a security policy which can be referenced in struts-config.xml; i.e. access control is just another property of an action mapping. > -----Original Message----- > From: Wittke Marcus-r32643 [mailto:[EMAIL PROTECTED]] > Sent: Thursday, April 18, 2002 10:44 AM > To: 'Struts Users Mailing List' > Subject: RE: Struts example - redundant login checking? > > > Since a user always has the chance to directly type into > his/her browser the URL of JSP or action, you probably really > need to check in both places. > > We're trying to avoid this with a Filter that does not allow > users to directly request JSPs at all (i.e. all our links > always go to actions and those internally forward to JSPs > after they're done). This way we only need to check security > in actions. (... just started using this approach; but it > seems to work out fine) -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>