It looks to me like some more *assumed* assumptions are added to achieve your *best* way. The *easiest* way in my assumption is that no one has direct access to the JSP pages in the security constraints.
When assumptions could be added arbitrarily, it is hard for anyone to produce forever true statements :-)

Jing

----- Original Message -----
From: "Steve Raeburn" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
Sent: Sunday, June 29, 2003 1:50 PM
Subject: RE: Sending a Redirect Directly from an Action Class

> Redirecting to a page has *nothing* to do with security constraints.
>
> If you have the necessary authority to that page then the page will be
> displayed without error. If you do not have the authority then an error will
> be generated. However, this does not mean that the redirect has failed. The
> redirect worked but the redirect target generated an error which, in any
> decent application, will be handled and the user will be presented with a
> meaningful error page or logon page.
>
> So, the JSP *can* in fact be protected by container managed security. I have
> never said this is the *best* way of doing things but your assertion that
> the JSP page could not be protected by standard security constraints is just
> plain wrong.
>
> Steve
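
The two arrangements discussed in this thread, written out as a `web.xml` fragment. This is an added example, not part of either message; the paths (`/pages/*`, `/admin/*`, `/login.jsp`, `/login-error.jsp`, `/denied.jsp`) and the role name `manager` are assumptions. Under the Servlet specification, security constraints are checked on client requests, including the request a browser makes after a redirect, and are not applied to `RequestDispatcher` forwards.

```xml
<!-- Added example; all paths and the role name are assumptions. -->
<web-app>
  <!-- Shown to the user when the container refuses a request. -->
  <error-page>
    <error-code>403</error-code>
    <location>/denied.jsp</location>
  </error-page>

  <!-- Arrangement 1: no one may request these JSPs directly.
       An auth-constraint with no role-name denies every client request,
       so a redirect to /pages/x.jsp ends in the 403 page, while a
       forward from an Action still reaches the JSP. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JSPs reachable only by forward</web-resource-name>
      <url-pattern>/pages/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- Arrangement 2: JSPs protected by role.
       The redirect itself succeeds; the follow-up request is then
       checked, and the user gets the page, the login form, or the
       403 page depending on authentication and role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Role-protected JSPs</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>manager</role-name>
  </security-role>
</web-app>
```

Because forwards bypass these checks, any Action that forwards into `/admin/*` has to perform its own authorization before dispatching.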

