Use JDBC realms that read your db.

Hoang, Hai wrote:

> I already have my own database-driven security model. Once a user logs on I
> already know his role. But the problem is how do I make this security
> model work with the container-managed model so I don't have to check
> every single page.
>
> Hai
>
>
> -----Original Message-----
> From: Eddie Bush [mailto:[EMAIL PROTECTED]]
> Sent: Monday, October 14, 2002 9:38 AM
> To: Struts Users Mailing List
> Subject: Re: The best practices regarding secure JSP and Action classes
>
> - setup container-managed authentication
>   - as a server-configured service
>   - as a filter (see securityfilter.sourceforge.net)
>   - see your servlet container user guide for setup of
>     non-filter-based solution
> - in your web.xml
>   - declare the roles you will use
>   - declare the URLs etc
>   - see the servlet specification for how to configure this
>
> The web.xml config applies to the non-filter-based approach I *think*.
> See the filter's site for more information on how to configure that
> particular one.
>
> If you push your authentication/authorization up to the server level,
> you don't have to have "nasty hacks" in all of your protected JSPs.
> Just make the auth work and specify the mappings it holds true for.
> Other good references on this topic include Java Servlet Programming
> (Jason Hunter - O'Reilly) and Java Server Pages (Hans Bergsten -
> O'Reilly). There are probably other resources available that outline
> how to configure your deployment descriptor (web.xml) for this.
>
> Hoang, Hai wrote:
>
>> I want to secure the admin portion of my application from unauthorized
>> users. What is the best way to achieve this task? Should I include a
>> "CheckUser" tag on every JSP page and call a "CheckUser" function on every
>> single action class? I don't want the user to just key in the direct URL of
>> the JSP page or call the action class directly. But doing this, I have to
>> go to the database twice on every action.
>>
>> Do you know a better way?
>>
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
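The configuration the thread describes (roles and URL constraints declared in web.xml, with a JDBC realm reading the existing user table) looks like the fragment below. This is an added example, not code posted by anyone in the thread or shipped by Struts or SecurityFilter. It assumes the admin JSPs and the Struts actions are both reachable under /admin/ (the ActionServlet mapped to *.do), that the role is called "admin", that the container is Tomcat 4.x, and that the user table is named users (columns user_name, user_pass) with a user_roles table (columns user_name, role_name); all of those names are assumptions, not something the thread states.

```xml
<!-- ===== web.xml (deployment descriptor) - added example, assumed paths/role ===== -->
<web-app>

  <!-- One constraint covers the JSPs and the actions alike: /admin/* matches
       /admin/users.jsp and /admin/saveUser.do, so neither can be requested
       directly without the role. No <http-method> is listed on purpose:
       naming any method leaves every other method unconstrained. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- credentials and admin traffic only over TLS -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Form login: the login page posts j_username / j_password to
       j_security_check; the container does the realm lookup. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Admin</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role named in an auth-constraint must be declared here. -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>

</web-app>

<!-- ===== server.xml (Tomcat 4.x), inside the <Host> or <Context> =====
     JDBCRealm attributes are Tomcat's own; the driver, URL, table and
     column names below are assumed for the example. -->
<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="com.mysql.jdbc.Driver"
       connectionURL="jdbc:mysql://localhost/myapp"
       connectionName="authreader"
       connectionPassword="CHANGE-ME"
       userTable="users"      userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name"
       digest="SHA" />
```

Two points a practitioner should check after wiring this up. First, the url-pattern must match the path the browser actually requests: an action mapped at /saveUser.do (outside /admin/) is not covered by the constraint above, which is exactly the "calling the action class directly" hole the original question worried about. Second, security constraints apply only to client requests, not to RequestDispatcher forwards, so the usual arrangement is to keep the admin JSPs under /WEB-INF/ (never directly requestable) and forward to them from the actions. Inside an Action, request.getRemoteUser() and request.isUserInRole("admin") are then answered by the container from the principal cached in the session, which is the second database round-trip the original poster wanted to avoid.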

