I already have my own database-driven security model. Once a user logs on, I already know his role. But the problem is: how do I make this security model work with the container-managed model so I don't have to check on every single page?
Hai

-----Original Message-----
From: Eddie Bush [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 14, 2002 9:38 AM
To: Struts Users Mailing List
Subject: Re: The best practices regarding secure JSP and Action classes

- setup container-managed authentication
    - as a server-configured service
    - as a filter (see securityfilter.sourceforge.net)
    - see your servlet container user guide for setup of non-filter-based solution
- in your web.xml
    - declare the roles you will use
    - declare the URLs etc
    - see the servlet specification for how to configure this

The web.xml config applies to the non-filter-based approach I *think*. See the filter's site for more information on how to configure that particular one.

If you push your authentication/authorization up to the server level, you don't have to have "nasty hacks" in all of your protected JSPs. Just make the auth work and specify the mappings it holds true for.

Other good references on this topic include Java Servlet Programming (Jason Hunter - O'Reilly) and Java Server Pages (Hans Bergsten - O'Reilly). There are probably other resources available that outline how to configure your deployment descriptor (web.xml) for this.

Hoang, Hai wrote:

>I want to secure the admin portion of my application from unauthorized
>users. What is the best way to achieve this task? Should I include a
>"CheckUser" tag on every jsp pages and call a "CheckUser" function on every
>single action class? I don't want the user to just key in the direct url of
>the jsp page or calling the action class directly. But doing this, I've to
>go to the database twice on every action.
>
>Do you know a better way?
>

--
Eddie Bush
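The filter approach mentioned in the thread, sketched as an added example (not code from either poster and not the securityfilter project's code): one servlet filter enforces the role for every URL it is mapped to and exposes it through the standard `isUserInRole()` call. It assumes the login action has already stored the user name and the database-derived role in the session; the attribute names, the role name and the login page are hypothetical.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: central role check for every URL mapped to this filter.
// Assumption: the login action put the user name and role into the session
// under the hypothetical attribute names below.
public class AdminRoleFilter implements Filter {
    static final String USER_ATTR = "app.user";   // hypothetical attribute name
    static final String ROLE_ATTR = "app.role";   // hypothetical attribute name
    static final String REQUIRED_ROLE = "admin";  // hypothetical role name

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(false); // do not create a session here
        final String user = session == null ? null : (String) session.getAttribute(USER_ATTR);
        final String role = session == null ? null : (String) session.getAttribute(ROLE_ATTR);

        if (user == null) {                     // not logged in: send to login page
            res.sendRedirect(req.getContextPath() + "/login.jsp"); // hypothetical page
            return;
        }
        if (!REQUIRED_ROLE.equals(role)) {      // logged in, but wrong role
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Expose the session role through the standard servlet API so JSPs and
        // Action classes can call isUserInRole() instead of a custom check.
        chain.doFilter(new HttpServletRequestWrapper(req) {
            public String getRemoteUser() { return user; }
            public boolean isUserInRole(String r) { return role.equals(r); }
            public Principal getUserPrincipal() {
                return new Principal() { public String getName() { return user; } };
            }
        }, res);
    }
}
```

Declare the filter in web.xml and map it to URL patterns that cover both the admin JSPs and the admin action paths, so that neither can be reached by typing the URL directly. Because the role is read from the session, a role change in the database takes effect at the user's next login.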

