----- Original Message -----
From: "Steve Raeburn" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
Sent: Sunday, June 29, 2003 12:33 AM
Subject: RE: Sending a Redirect Directly from an Action Class
>
> > When you said "This is not true." to the original concerns regarding
> > response.sendRedirect("/somePage.jsp") method (which implies a
> > direct call to the JSP page) and now you are not
> > calling JSP directly, I don't get you. Of course, we know the security
> > contraints can protect any thing. The problem is when a page is
> > protected, the redirect will fail.
>
> You said, "The JSP page somePage.jsp could not be protected by the
standard
> security constraints." That's what I was referring to when I said, "This
is
> not true."
>
> If you redirect to /someAction.do and that is protected by security
> contraints then the exact same error would occur aswhen you redirect to
> /somePage.jsp. So, purely in terms of security contraints, there is no
> difference between redirecting to the action or the jsp. As I said, that
> does not mean that I advocate directly accessing JSPs, just that the
reasons
> for not doing so have nothing to do with redirects or container security.
When I talked the use of the redirect to /someAction.do, it doesn't imply it
is
protected by the security constraints. Normal pratice of the MVC model is
that
most of JSP pages should be protected while actions should not. Because
actions have internal logics to perform security checking,
that is a common sense (If you protect all of your actions, /*.do, how
do your end users submit web forms? :-)
Jing
>
> Hope that is clearer
>
> Steve
>
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
