On 5/19/05, Catalin Croitoru <[EMAIL PROTECTED]> wrote:
> Steve,
>
> the solution you provide doesn't solve the problem with typing the
> link in the address bar. The user can copy from the html source of the page
> the hidden attribute org.apache.struts.taglib.html.TOKEN and provide it to
> the address with the value, something like this:
> http://www.domain./user/action.do?org.apache.struts.taglib.html.TOKEN=b3011824c268c91cceb23606515b7887
>
> from the point of view of the problem:
> >the second is, I mean that, I don't want the user to do my action by typing my
> >action path directly in the address bar
>
Up to a point I agree, but there is a big difference between just opening your browser and typing http://www.domain./user/action.do and navigating through a web app to a page with a link with a token and pasting that into the browser's address field.

I suspect that if a user has sufficient privileges to get to a page displaying a link with a valid token then it probably doesn't matter too much whether they type it in directly or not, but of course that would need to be confirmed. Of course there has to be sufficient validation of any parameters.

Possibly the generateToken() method could be used to create a token just for this one particular link - the token would then need to be manually stored in the session in the creating action and removed from the session in the receiving action.

Steve
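Steve's per-link token idea carried through against the Struts 1 Action API, as an added example that is not code from this thread or from Struts itself; the two class names, the `linkToken` request parameter, the `example.linkToken` session key and the forward names are assumptions.

```java
// File ShowLinkAction.java (assumed name): renders the page carrying the one-shot link.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public class ShowLinkAction extends Action {
    // Own session key, so the per-link token never collides with the
    // session-wide transaction token that saveToken()/isTokenValid() manage.
    static final String LINK_TOKEN_KEY = "example.linkToken"; // assumed key

    public ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) {
        String token = generateToken(request);          // inherited from Action
        request.getSession().setAttribute(LINK_TOKEN_KEY, token);
        request.setAttribute("linkToken", token);       // JSP appends ?linkToken=... to the link
        return mapping.findForward("success");
    }
}

// File ConsumeLinkAction.java (assumed name): target of the link; honours the token once.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.http.HttpSession;

public class ConsumeLinkAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) {
        HttpSession session = request.getSession(false);
        String expected = session == null ? null
                : (String) session.getAttribute(ShowLinkAction.LINK_TOKEN_KEY);
        String supplied = request.getParameter("linkToken");
        // Remove before comparing: a failed attempt must not leave a reusable token behind.
        if (session != null) {
            session.removeAttribute(ShowLinkAction.LINK_TOKEN_KEY);
        }
        // No token was ever issued (direct address-bar access), none supplied,
        // or it does not match: constant-time compare, then refuse.
        if (expected == null || supplied == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                supplied.getBytes(StandardCharsets.UTF_8))) {
            return mapping.findForward("invalidToken");
        }
        return mapping.findForward("success");
    }
}
```

A second request with the same link fails because the receiving action has already removed the session entry, which is the "removed from the session" step in Steve's description; the parameter validation he mentions still has to happen separately.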