On Tue, 30 Jul 2002, David Graham wrote:

> Date: Tue, 30 Jul 2002 16:03:22 -0600
> From: David Graham <[EMAIL PROTECTED]>
> Reply-To: Struts Users Mailing List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: RE: Security and Struts
>
> I've done it by using a custom tag on all the secured pages that checks the
> login but this isn't ideal.  I could forget to put the tag in and I have to
> do it for every page.
>

The Struts example app includes a tag (<app:checkLogon>) for precisely
this kind of reason.

> If you let struts do it then you can't let people go to .jsp pages directly
> and I find this irritating at best.
>

Well, your opinion is not universal -- there are many who are so adamant
about *not* allowing direct access to JSP pages that they put the pages
under WEB-INF (so the container will prevent direct access) :-).

> Should you only use struts for the webforms and not for public display
> pages?  I've always been a bit confused by this.  It seems that struts was
> designed for the forms stuff but not necessarily to sit in front of your
> whole app.
>

The right answer where security belongs is really the container -- besides
the fact that it is ahead of the application in the request processing
path, it can make sure that things are always done correctly.  And, you
get to take advantage of other cool stuff like single sign on across
webapps.

If you insist on doing this yourself, the best technical approach is a
Filter, so that you can enforce your mechanism ahead of direct access to
JSP pages.  This requires a Servlet 2.3 or later container.

Struts 1.0 and 1.1 require only Servlet 2.2, so this isn't yet an option
for the framework itself.

> Thanks,
> Dave

Craig
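
The Filter approach from the reply above, as an added example that is not part of the original message or of Struts. The session key "user", the logon page /logon.jsp and the "publicPaths" init parameter are assumptions; it needs a Servlet 2.3 or later container, as the reply says.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example. Map it in web.xml with <filter-mapping> entries for *.jsp and
// *.do so it runs ahead of both direct JSP requests and Struts actions.
public class LogonFilter implements Filter {
    // Assumed name of the session attribute the logon action sets.
    private static final String USER_KEY = "user";
    // Paths reachable without a login. Must include /logon.jsp and the
    // logon action, otherwise the redirect below loops.
    private final Set<String> publicPaths = new HashSet<String>();

    public void init(FilterConfig config) throws ServletException {
        String param = config.getInitParameter("publicPaths"); // assumed init-param
        if (param == null) {
            throw new ServletException("publicPaths init-param is required");
        }
        for (String p : param.split(",")) publicPaths.add(p.trim());
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest) || !(res instanceof HttpServletResponse)) {
            throw new ServletException("non-HTTP request rejected"); // fail closed
        }
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Container-decoded path inside the webapp, e.g. /logon.jsp or /saveOrder.do.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) path += request.getPathInfo();

        // getSession(false): never create a session for an anonymous request.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_KEY) != null;

        if (loggedIn || publicPaths.contains(path)) {
            chain.doFilter(req, res);
        } else {
            response.sendRedirect(response.encodeRedirectURL(
                    request.getContextPath() + "/logon.jsp")); // assumed logon page
        }
    }

    public void destroy() { }
}
```

Because the check is an allow-list of public paths, a new page is protected by default, which addresses the "I could forget to put the tag in" problem raised in the quoted message.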

