Hi;

I have a page admin.jsp that a user who is not an admin should never see. I can make the standard way to get there be admin.do, but that just invites a hacker to type in admin.jsp, so I still have to ensure that requests for admin.jsp are redirected for non-admin users. Each page (jsp) and its Action class know who is allowed in, so I would like to handle this in one of these two places. But the only two solutions I have come up with are:

1. A filter with all pages and who can access them in that one class - dangerous because a new page can get added and the developer forgets to add it to the authorization class.

2. We have jsp pages that just do a check and redirect if the user is not authorized. We then include the appropriate one at the top of each jsp page. This works great if there is a small set of authorizations (this is what I used before - every user was one of 3 types). However, it breaks down for more than a couple of pre-defined authorization groups.

3. All pages are accessed via preAction -> jsp -> submitAction. The preAction sets a session attribute to the name of the jsp. The jsp page at the top checks this attribute and, if it is not its name, redirects to the home page. As a session attribute, as soon as the user goes to another preAction, they can't go back to the previous jsp. So it forces the pre/jsp/submit ordering. The downside to this is that the back button will be limited to the jsp page that the global attribute is set to, not going back further.

Any other approaches?

Thanks - dave

David Thielen
www.windwardreports.com
303-499-2544
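One deny-by-default answer to the concern in option 1 (a forgotten page is unprotected), as an added example that is not from the original post or from any project mentioned in it: a servlet filter (hypothetical class JspGuardFilter, with an assumed role name "admin" and URL prefix /admin/) that refuses every direct browser request for a *.jsp and enforces the admin role by path convention, so a newly added page is covered without being registered anywhere.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical example filter, not part of the original post.
 * Map it to "/*" in web.xml with no <dispatcher> elements: a filter
 * declared that way runs only on direct client requests, never on
 * RequestDispatcher.forward() calls made by Action classes. Hence:
 *   - a direct request for any *.jsp is refused, so the JSP is reachable
 *     only when an Action forwards to it after its own checks;
 *   - any request under /admin/ requires the container role "admin"
 *     (role name and prefix are assumptions for this example).
 * Pages added later under /admin/ are protected without editing this class.
 */
public class JspGuardFilter implements Filter {
    private static final String ADMIN_PREFIX = "/admin/";
    private static final String ADMIN_ROLE = "admin";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Path relative to the web app, e.g. "/admin.jsp" or "/admin/users.do"
        String path = request.getRequestURI().substring(request.getContextPath().length());

        if (isDirectJspRequest(path)) {
            // 404 rather than 403 so the response does not confirm the JSP exists
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        if (path.startsWith(ADMIN_PREFIX) && !request.isUserInRole(ADMIN_ROLE)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** True for a URL that names a JSP directly; forwards never reach this filter. */
    static boolean isDirectJspRequest(String path) {
        String lower = path.toLowerCase();
        return lower.endsWith(".jsp") || lower.endsWith(".jspx");
    }
}
```

Placing the JSP files under /WEB-INF/ gives the same "forward only" effect at the container level and is a sound complement to the filter; the filter still adds the role check for the /admin/ prefix.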