To implement a similar behaviour, Struts provides the saveToken functionality. Look at it here:
http://www.scioworks.net/camino_doc/manual/strutsIntro/struts1_0.html

Harjot

----- Original Message -----
From: "Frank Zammetti" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, June 09, 2004 5:22 AM
Subject: RE: design security issue

> Well, you could do something as simple as setting a session attribute every
> time an Action is called that stores what page was accessed, but before
> doing that you check what value is there already and if it's not the
> previous page, or whatever page might be valid before the one you're
> processing, forward to the error page. There's probably a more elegant way
> to do that in Struts, but this is pretty simple too, should do the trick.
>
> Also be sure to set proper expirations on your page so that the back button
> won't work, since that would pull from the browser cache and bypass
> that little check in the Actions.
>
> Frank
>
> > From: "Zhang, Larry (L.)" <[EMAIL PROTECTED]>
> > Reply-To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> > To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> > Subject: RE: design security issue
> > Date: Tue, 8 Jun 2004 18:14:41 -0400
> >
> > Thank you Frank and Yuanbo, for the points. Our application is set up in
> > SSL and password encryption. I guess my question is pretty
> > detail oriented. See, I want a design solution so that if a person comes
> > to a page without visiting the previous page, I want to display the error
> > page. Also, since one manager has a lot of employees, I want to make sure
> > the data is not somehow messed up.
> >
> > Thanks.
> >
> > -----Original Message-----
> > From: Frank Zammetti [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, June 08, 2004 5:41 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: design security issue
> >
> > > Excellent point, thanks for adding it!
> > >
> > > Frank
> > >
> > > > From: "Wang, Yuanbo" <[EMAIL PROTECTED]>
> > > > Reply-To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> > > > To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> > > > Subject: RE: design security issue
> > > > Date: Tue, 8 Jun 2004 15:32:16 -0500
> > > >
> > > > One comment. Make sure your ActionServlet intercepts all URL patterns so
> > > > any HTTP request needs to get session validated first.
> > > >
> > > > Yuanbo
> > > >
> > > > -----Original Message-----
> > > > From: Frank Zammetti [mailto:[EMAIL PROTECTED]
> > > > Sent: Tuesday, June 08, 2004 3:34 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: design security issue
> > > >
> > > > To really do security properly, you really should externalize it using a
> > > > product like Netegrity's SiteMinder. That would be my first suggestion,
> > > > but there is considerable cost in something like that, so it's not right
> > > > for everyone or every situation.
> > > >
> > > > So, you can do some more minor things within your app that should give
> > > > you decent results:
> > > >
> > > > (1) Don't do anything within any action unless a valid session is found.
> > > > This will keep quite a few people out of your app on its own since they
> > > > won't be able to just hack together a URL with a query string. I
> > > > accomplish this in one app I did by having an ActionHelpers class, and
> > > > the first thing any of my Actions do is call a validateSession() static
> > > > method. If no session is present, forward right then and there to the
> > > > logon page. You must be careful also that there is one and only one
> > > > place in your code that creates a session, your logon Action most
> > > > likely.
> > > >
> > > > (2) Make sure you're running through SSL. Takes care of packet sniffing,
> > > > more or less.
> > > >
> > > > (3) Encrypt the passwords in your database with a one-way hash
> > > > encryption. Makes administration a little bit of a pain (no way to read
> > > > the password), but it also makes hacking the system a little tougher.
> > > >
> > > > (4) Have good policies with regard to session timeouts and password
> > > > structure. A 5-minute timeout might be too short depending on the app,
> > > > but it's good security-wise. Make sure you have solid rules for what a
> > > > password must look like (i.e., 6-10 characters in length, at least one
> > > > non-alphabetic character and one non-alphanumeric character, must be
> > > > changed once a month, etc.).
> > > >
> > > > These are all easy to implement, and will lead to a fairly secure
> > > > system. Not perfect, but reasonably secure. Depending on your
> > > > environment, it might be plenty.
> > > >
> > > > Frank
> > > >
> > > > > From: "Zhang, Larry (L.)" <[EMAIL PROTECTED]>
> > > > > Reply-To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> > > > > To: <[EMAIL PROTECTED]>
> > > > > Subject: design security issue
> > > > > Date: Tue, 8 Jun 2004 15:14:36 -0400
> > > > >
> > > > > I have a web application on which the manager can view his manage tree
> > > > > and select his employee for transactions (such as Performance Rating,
> > > > > putting on Leave of absence). Definitely it is very vital in this case
> > > > > to keep the security or make sure the data for one employee is
> > > > > submitted, not for another employee. Another thought is that if the
> > > > > user comes to a page via a bookmark or comes to the page without
> > > > > visiting the previous page, we should catch this event and disallow
> > > > > the further action. I need to come up with some design solutions so
> > > > > that this security is handled elegantly. Any ideas? If you know some
> > > > > sites discussing this, please let me know.
> > > > >
> > > > > Thanks.
> > > > >
> > > > > Larry Zhang

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
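The saveToken mechanism Harjot points to, Frank's "validate the session before doing anything" rule and his cache-expiration advice, and Larry's requirement that a rating posted for one employee cannot land on another, combined in one Struts 1.x DispatchAction. This is example code added here, not code from the thread, from the Struts distribution or from the linked document. The action path /employee, the method names select and rate, the DynaActionForm named ratingForm, the forwards logon, form, error and success, and the session attributes "user" and "reporteeIds" are all assumptions; the logon Action is assumed to be the only place that creates the session and to store the manager's id and the ids of everyone in his tree under those two attributes.

```java
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.DynaActionForm;
import org.apache.struts.actions.DispatchAction;

/*
 * Added example (not from the thread). Assumed struts-config.xml entries:
 *
 *   <form-bean name="ratingForm" type="org.apache.struts.action.DynaActionForm">
 *     <form-property name="employeeId" type="java.lang.String"/>
 *     <form-property name="rating"     type="java.lang.String"/>
 *   </form-bean>
 *
 *   <action path="/employee" type="EmployeeAction" name="ratingForm"
 *           scope="request" parameter="method">
 *     <forward name="logon"   path="/logon.jsp"/>
 *     <forward name="form"    path="/rating.jsp"/>
 *     <forward name="error"   path="/error.jsp"/>
 *     <forward name="success" path="/done.jsp"/>
 *   </action>
 */
public class EmployeeAction extends DispatchAction {

    /** Step 1, /employee.do?method=select: show the rating form for one employee. */
    public ActionForward select(ActionMapping mapping, ActionForm form,
                                HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        if (!hasValidSession(request)) {
            return mapping.findForward("logon");
        }
        // Issue the transaction token. <html:form> on rating.jsp renders it as the
        // hidden field org.apache.struts.taglib.html.TOKEN, so only a POST that
        // really came from that page can present the value held in the session.
        saveToken(request);
        noCache(response);
        return mapping.findForward("form");
    }

    /** Step 2, /employee.do?method=rate: the form submit. */
    public ActionForward rate(ActionMapping mapping, ActionForm form,
                              HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        if (!hasValidSession(request)) {
            return mapping.findForward("logon");
        }
        // A bookmark, a hand-built URL or a back-button resubmit arrives with no
        // token, or with one that no longer matches the session: reject it.
        if (!isTokenValid(request)) {
            return mapping.findForward("error");
        }
        // Clear the token now, so the same form cannot be submitted twice.
        resetToken(request);

        DynaActionForm ratingForm = (DynaActionForm) form;
        String employeeId = (String) ratingForm.get("employeeId");

        // Authorization, not only authentication: the token proves the POST came
        // from our page, but the employeeId field is still client-supplied. It
        // must be one of this manager's own reportees (assumed to be loaded into
        // the session by the logon Action) or the rating lands on the wrong person.
        HttpSession session = request.getSession(false);
        Set reportees = (Set) session.getAttribute("reporteeIds");
        if (reportees == null || !reportees.contains(employeeId)) {
            servlet.log("rejected rating of employee " + employeeId
                        + " by user " + session.getAttribute("user"));
            return mapping.findForward("error");
        }

        // ... persist ratingForm.get("rating") for employeeId here ...
        noCache(response);
        return mapping.findForward("success");
    }

    /** Frank's point (1): do nothing unless a session already exists and is logged on. */
    private boolean hasValidSession(HttpServletRequest request) {
        HttpSession session = request.getSession(false); // false: never create one here
        return session != null && session.getAttribute("user") != null;
    }

    /** Frank's expiration advice: keep these pages out of the browser cache. */
    private void noCache(HttpServletResponse response) {
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);
    }
}
```

isTokenValid() compares the request parameter org.apache.struts.taglib.html.TOKEN with the value saveToken() stored in the session, so the check fails for any request that did not pass through select() first; the cache headers only make sure the back button fetches a fresh page rather than replaying a cached form with a token that resetToken() has already consumed. Note that the token says nothing about which employee the manager may act on, which is why the reporteeIds check is separate and is logged when it fails.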