What I do is when the user logs in, I put a token in the session, and for every call to my action classes there is a base class action that checks to see if that token is in the session and if the user is logged in; if not, send them to the login screen.
-----Original Message-----
From: Tim Christopher [mailto:[EMAIL PROTECTED]
Sent: Saturday, April 02, 2005 12:20 PM
To: Struts Users Mailing List
Subject: Struts Security

Hi,

At the moment almost all of my CRUD operations are performed (through service calls) within LookupDispatchAction files; is this considered good practice within Struts?

I've noticed that by using LookupDispatchAction files the user has the ability to save a page offline, modify the name of the submit button, and then gain access to other CRUD operations that are contained within the same Java file. Obviously this has serious security implications.

Using the same principle it is also possible for a user to add an additional field to a form, so if BeanUtils.copyProperties is called (depending on how the db call is structured) the user may be able to update restricted values.

Is it possible to safeguard the application from users exploiting this behaviour whilst still using a LookupDispatchAction? I know I could put an isUserInRole at the start of every CRUD operation, however that sounds very messy and would mean that the role attribute on the action is pointless.

Tim Christopher

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
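The two concerns in the thread (a renamed submit button reaching another dispatch method, and an injected form field being copied by BeanUtils.copyProperties) can both be handled in one base class, along the lines of the session-token check described in the reply. The following is an added example, not code from either poster or from the Struts project. It relies on the Struts 1 LookupDispatchAction API and on DispatchAction's protected dispatchMethod hook, which runs after the button label has been resolved to a method name; the session attribute name, the "login" and "success" forwards, the role names, the Customer bean and CustomerAction are assumptions made for the example.

```java
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.commons.beanutils.BeanUtils;
import org.apache.commons.beanutils.PropertyUtils;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.actions.LookupDispatchAction;

/**
 * Base action (added example, not from the thread): verifies the login token
 * before any method runs, then checks a per-method role before the method
 * selected by the submit button is invoked. Unknown methods are denied.
 */
public abstract class SecureDispatchAction extends LookupDispatchAction {

    /** Session attribute set at login; the name is an assumption. */
    public static final String LOGIN_TOKEN = "loginToken";

    /** Subclasses declare the role each dispatch method requires (methodName -> role). */
    protected abstract Map getMethodRoleMap();

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(LOGIN_TOKEN) == null) {
            return mapping.findForward("login");   // not logged in: back to login screen
        }
        return super.execute(mapping, form, request, response);
    }

    /** Called by LookupDispatchAction with the resolved method name, before invocation. */
    protected ActionForward dispatchMethod(ActionMapping mapping, ActionForm form,
                                           HttpServletRequest request,
                                           HttpServletResponse response,
                                           String name) throws Exception {
        String role = (String) getMethodRoleMap().get(name);
        // Deny by default: a method with no declared role is never reachable,
        // however the submit button was renamed.
        if (role == null || !request.isUserInRole(role)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return null;
        }
        return super.dispatchMethod(mapping, form, request, response, name);
    }

    /**
     * Copies only the listed properties from the form bean to the model object.
     * BeanUtils.copyProperties would copy every matching property, so an extra
     * field added to the posted form could overwrite a restricted value.
     */
    protected static void copyAllowedProperties(Object dest, Object form,
                                                String[] allowed) throws Exception {
        for (int i = 0; i < allowed.length; i++) {
            BeanUtils.copyProperty(dest, allowed[i],
                                   PropertyUtils.getProperty(form, allowed[i]));
        }
    }
}

/** Hypothetical subclass showing the two maps and the allow-listed copy. */
class CustomerAction extends SecureDispatchAction {

    protected Map getKeyMethodMap() {        // resource-bundle key of the button -> method
        Map m = new HashMap();
        m.put("button.save", "save");
        m.put("button.delete", "delete");
        return m;
    }

    protected Map getMethodRoleMap() {       // method -> role required to invoke it
        Map m = new HashMap();
        m.put("save", "user");
        m.put("delete", "admin");
        return m;
    }

    public ActionForward save(ActionMapping mapping, ActionForm form,
                              HttpServletRequest request,
                              HttpServletResponse response) throws Exception {
        Customer customer = new Customer();  // Customer is an assumed model bean
        // "admin" or similar restricted properties are not in the list, so a
        // form field of that name posted by the user is simply ignored.
        copyAllowedProperties(customer, form, new String[] { "name", "email" });
        return mapping.findForward("success");
    }
}
```

With this arrangement the role attribute on the action mapping still gates the action as a whole, while getMethodRoleMap gates the individual method, so no isUserInRole call is needed inside each CRUD method.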