To implement a similar behaviour, Struts provides the saveToken functionality. Look at it here: http://www.scioworks.net/camino_doc/manual/strutsIntro/struts1_0.html

Harjot

----- Original Message -----
From: "Frank Zammetti" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, June 09, 2004 5:22 AM
Subject: RE: design security issue

> Well, you could do something as simple as setting a session attribute every
> time an Action is called that stores what page was accessed, but before
> doing that you check what value is there already and if it's not the
> previous page, or whatever page might be valid before the one you're
> processing, forward to the error page. There's probably a more elegant way
> to do that in Struts, but this is pretty simple too, should do the trick.
>
> Also be sure to set proper expirations on your page so that the back button
> won't work, since that would pull from the browser cache and bypass that
> little check in the Actions.
>
> Frank
>
> > From: "Zhang, Larry (L.)" <[EMAIL PROTECTED]>
> > Reply-To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> > To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> > Subject: RE: design security issue
> > Date: Tue, 8 Jun 2004 18:14:41 -0400
> >
> > Thank you Frank and Yuanbo, for the points. Our application is set up in
> > SSL and password encryption. I guess my question is pretty detail
> > oriented. See, I want a design solution so that if a person comes to a
> > page without visiting the previous page, I want to display the error page.
> > Also, since one manager has a lot of employees, I want to make sure the
> > data is not somehow messed up.
> >
> > Thanks.
> >
> > -----Original Message-----
> > From: Frank Zammetti [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, June 08, 2004 5:41 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: design security issue
> >
> > Excellent point, thanks for adding it!
> >
> > Frank
> >
> > > From: "Wang, Yuanbo" <[EMAIL PROTECTED]>
> > > Reply-To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> > > To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> > > Subject: RE: design security issue
> > > Date: Tue, 8 Jun 2004 15:32:16 -0500
> > >
> > > One comment. Make sure your ActionServlet intercepts all URL patterns so
> > > any HTTP request needs to get its session validated first.
> > >
> > > Yuanbo
> > >
> > > -----Original Message-----
> > > From: Frank Zammetti [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, June 08, 2004 3:34 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: design security issue
> > >
> > > To really do security properly, you really should externalize it using a
> > > product like Netegrity's SiteMinder. That would be my first suggestion,
> > > but there is considerable cost in something like that, so it's not right
> > > for everyone or every situation.
> > >
> > > So, you can do some more minor things within your app that should give
> > > you decent results:
> > >
> > > (1) Don't do anything within any action unless a valid session is found.
> > > This will keep quite a few people out of your app on its own since they
> > > won't be able to just hack together a URL with a query string. I
> > > accomplish this in one app I did by having an ActionHelpers class, and
> > > the first thing any of my Actions do is call a validateSession() static
> > > method. If no session is present, forward right then and there to the
> > > logon page. You must be careful also that there is one and only one
> > > place in your code that creates a session, your logon Action most likely.
> > >
> > > (2) Make sure you're running through SSL. Takes care of packet sniffing,
> > > more or less.
> > >
> > > (3) Encrypt the passwords in your database with a one-way hash
> > > encryption. Makes administration a little bit of a pain (no way to read
> > > the password), but it also makes hacking the system a little tougher.
> > >
> > > (4) Have good policies with regard to session timeouts and password
> > > structure. A 5-minute timeout might be too short depending on the app,
> > > but it's good security-wise. Make sure you have solid rules for what a
> > > password must look like (i.e., 6-10 characters in length, at least one
> > > non-alphabetic character and one non-alphanumeric character, must be
> > > changed once a month, etc.).
> > >
> > > These are all easy to implement, and will lead to a fairly secure
> > > system. Not perfect, but reasonably secure. Depending on your
> > > environment, it might be plenty.
> > >
> > > Frank
> > >
> > > > From: "Zhang, Larry (L.)" <[EMAIL PROTECTED]>
> > > > Reply-To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> > > > To: <[EMAIL PROTECTED]>
> > > > Subject: design security issue
> > > > Date: Tue, 8 Jun 2004 15:14:36 -0400
> > > >
> > > > I have a web application on which the manager can view his manage tree
> > > > and select his employee for transactions (such as Performance Rating,
> > > > putting on Leave of absence). Definitely it is very vital in this case
> > > > to keep the security or make sure one data for one employee is
> > > > submitted, not for another employee. Another thought is that if the
> > > > user comes to a page via a bookmark or comes to the page without
> > > > visiting the previous page, we should catch this event and disallow
> > > > the further action. I need to come up with some design solutions so
> > > > that this security is handled elegantly. Any ideas? If you know some
> > > > sites discussing this, please let me know.
> > > >
> > > > Thanks.
> > > >
> > > > Larry Zhang

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
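As an added example (not code from the thread, nor from Struts itself), here is how the pieces discussed above fit together in a Struts 1.1+ Action: Frank's session check and page-flow attribute, his no-cache headers so the Back button cannot replay a page, Harjot's saveToken()/isTokenValid() pointer, and a server-side ownership check for Larry's "data for one employee submitted for another" concern. Action.execute, saveToken, isTokenValid and resetToken are real Struts 1 APIs; the forward names ("logon", "failure", "success"), the session attribute names, the ManagerTree helper and the two concrete Actions are assumptions made for this example.

```java
// Added example; not the thread's or Struts' own code. Assumes a Struts 1.1+
// classpath. Forward names, attribute names, ManagerTree and both concrete
// Actions are hypothetical.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Base Action: every Action in the app extends this, so nothing runs without a session. */
public abstract class GuardedAction extends Action {

    static final String USER_KEY = "app.user";          // set only by the logon Action (hypothetical)
    static final String LAST_PAGE_KEY = "app.lastPage"; // page-flow bookkeeping (hypothetical)

    /** Names of Actions allowed to precede this one; null means any. */
    protected abstract String[] allowedPredecessors();

    /** Name recorded in the session for the next Action's predecessor check. */
    protected abstract String pageName();

    /** The real work, run only after the checks below pass. */
    protected abstract ActionForward doExecute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception;

    public final ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        // Frank's point (1): getSession(false) never creates a session, so the
        // logon Action stays the one and only place that does.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_KEY) == null) {
            return mapping.findForward("logon");
        }
        // Frank's page-flow check: the page recorded by the previous Action must be
        // one this Action accepts; a bookmark or hand-built URL fails here.
        String last = (String) session.getAttribute(LAST_PAGE_KEY);
        if (!isAllowedPredecessor(last)) {
            return mapping.findForward("failure");
        }
        // Frank's caching point: keep the browser from replaying this page from
        // cache, so the Back button cannot sidestep the check above.
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0L);

        ActionForward result = doExecute(mapping, form, request, response);
        session.setAttribute(LAST_PAGE_KEY, pageName());
        return result;
    }

    boolean isAllowedPredecessor(String last) {
        String[] allowed = allowedPredecessors();
        if (allowed == null) return true;
        for (int i = 0; i < allowed.length; i++) {
            if (allowed[i].equals(last)) return true;
        }
        return false;
    }
}

/** Step 1: show the manager's employee list and arm a one-time transaction token. */
class ListEmployeesAction extends GuardedAction {
    protected String[] allowedPredecessors() { return null; }   // reachable from anywhere
    protected String pageName() { return "listEmployees"; }

    protected ActionForward doExecute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) {
        // Harjot's pointer: saveToken() stores a random token in the session; the
        // <html:form> tag on the JSP then emits it as a hidden field automatically.
        saveToken(request);
        return mapping.findForward("success");
    }
}

/** Step 2: accept the rating only if it arrived from step 1 with a fresh token. */
class SubmitRatingAction extends GuardedAction {
    protected String[] allowedPredecessors() { return new String[] { "listEmployees" }; }
    protected String pageName() { return "submitRating"; }

    protected ActionForward doExecute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) {
        // The token must match the one saved in step 1 and is then cleared, so a
        // resubmitted or duplicated request fails even with a valid session.
        if (!isTokenValid(request)) {
            return mapping.findForward("failure");
        }
        resetToken(request);
        // Larry's concern: the token proves the form came from step 1, but only a
        // server-side ownership check stops a manager from rating someone else's report.
        String user = (String) request.getSession(false).getAttribute(USER_KEY);
        if (!ManagerTree.reportsTo(request.getParameter("employeeId"), user)) {
            return mapping.findForward("failure");
        }
        return mapping.findForward("success");
    }
}

/** Hypothetical stand-in for the real org lookup: employee id -> manager user name. */
class ManagerTree {
    private static final java.util.Map REPORTS = new java.util.HashMap();
    static { REPORTS.put("e1001", "mgr.smith"); REPORTS.put("e1002", "mgr.smith"); } // constructed data
    static boolean reportsTo(String employeeId, String manager) {
        return employeeId != null && manager != null && manager.equals(REPORTS.get(employeeId));
    }
}
```

The predecessor list and the token do different jobs: the page-flow attribute only says the user's last Action was the expected one, which a second browser tab can satisfy, whereas the transaction token is consumed by resetToken() so each rendered form is accepted exactly once. Neither replaces the ownership check, which is the part that actually keeps one employee's data from being written under another employee's id.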