I'd have each form check authorization. That way, if someone bookmarks a page (or guesses its URL) they won't bypass your security scheme. You could have a global exception set up in your configuration file that forwards to an "Access denied" page whenever one of your forms threw a UserNotAuthorized exception. (NOTE: I am just learning Struts and haven't even written my first application using it yet. I may not know what I am talking about.)
Cheers!
-- Tracy

-----Original Message-----
From: Ryan Cuprak [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 30, 2002 11:53
To: [EMAIL PROTECTED]
Subject: Security and Struts

Hello,

I was hoping someone would have some advice on securing a website using Struts. I am developing a webapp that has to be secure (password protected) and which restricts access to different parts of the site depending on the roles a user possesses. The roles each user has are stored as XML in a database and may be configured by an administrator. Does Struts have any built-in security capabilities that I could take advantage of? Any help/pointers would be much appreciated!

My first guess would be to put all JSP pages in WEB-INF (use only ForwardAction to get to each page) and subclass ActionServlet with the logic for checking authentication etc. However, will this cause any problems when it comes to a user bookmarking a page?

Thanks,
-Ryan Cuprak

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
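
The per-request check and global "Access denied" forward suggested in the reply above, sketched as an added example (not code from either poster or from the Struts project). It assumes Struts 1.1 declarative exception handling; `SecuredAction`, `UserNotAuthorizedException`, the `user.roles` session key and the paths are hypothetical names, and the login action is assumed to have loaded the user's roles from the database into the session as a `Set`.

```java
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

// Matching struts-config.xml entry (key and path are placeholders):
//   <global-exceptions>
//     <exception type="UserNotAuthorizedException"
//                key="error.accessDenied" path="/accessDenied.jsp"/>
//   </global-exceptions>

/** Hypothetical exception, named after the one suggested in the reply. */
class UserNotAuthorizedException extends Exception {
    UserNotAuthorizedException(String msg) { super(msg); }
}

/** Hypothetical base class: every action runs the role check before its own logic. */
public abstract class SecuredAction extends Action {

    /** Session key under which the login action stored the user's roles (assumed). */
    public static final String ROLES_KEY = "user.roles";

    /** Role a subclass requires; implementations must not return null. */
    protected abstract String requiredRole();

    /** The subclass's real work, reached only after the check passes. */
    protected abstract ActionForward executeAuthorized(ActionMapping mapping,
            ActionForm form, HttpServletRequest request,
            HttpServletResponse response) throws Exception;

    public final ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        // Do not create a session here: no session means not logged in.
        HttpSession session = request.getSession(false);
        Object roles = (session == null) ? null : session.getAttribute(ROLES_KEY);
        // Fail closed: deny unless a role set is present and holds the required role.
        if (!(roles instanceof Set) || !((Set) roles).contains(requiredRole())) {
            throw new UserNotAuthorizedException(mapping.getPath());
        }
        return executeAuthorized(mapping, form, request, response);
    }
}
```

Because `execute` is final and runs on every request, a bookmarked or guessed action URL reaches the same check as a normal click-through, and JSPs kept under WEB-INF stay reachable only through an action.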

