If you have an application server, then you have the possibility to define security per URL. So, for example, you can define for $ROOT/role1 and everything under this directory the security for a special role in web.xml. So you don't need to check on every page; this is now handled by the app server.

-----Original Message-----
From: Dennis Doubleday [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 18, 2002 4:56 PM
To: 'Struts Users Mailing List'
Subject: Struts declarative security policy? (was RE: Struts example - redundant login checking?)

Seems to me that neither the jsp nor the action is the correct place to enforce a security policy. It means both page designers and developers have to remember to do it every time. There ought to be (is there?) a mechanism for declaring a security policy which can be referenced in struts-config.xml; i.e. access control is just another property of an action mapping.

> -----Original Message-----
> From: Wittke Marcus-r32643 [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 18, 2002 10:44 AM
> To: 'Struts Users Mailing List'
> Subject: RE: Struts example - redundant login checking?
>
>
> Since a user always has the chance to directly type into
> his/her browser the URL of JSP or action, you probably really
> need to check in both places.
>
> We're trying to avoid this with a Filter that does not allow
> users to directly request JSPs at all (i.e. all our links
> always go to actions and those internally forward to JSPs
> after they're done). This way we only need to check security
> in actions. (... just started using this approach; but it
> seems to work out fine)

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>

