Why isn't your jsp page under WEB-INF? - George http://www.idiacomputing.com
> -----Original Message-----
> From: David Thielen [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 19, 2006 5:14 PM
> To: user@struts.apache.org
> Subject: struts/jsp security/access question
>
> Hi;
>
> I have a page admin.jsp that if a user is not an admin, they should never see. I can make the standard way to get there be admin.do but that just invites a hacker to type in admin.jsp, so I still have to ensure that requests for admin.jsp are redirected for non admin users.
>
> Each page (jsp) and its Action class know who is allowed in. So I would like to handle this in one of these two places. But the only two solutions I have come up with are:
>
> 1. A filter with all pages and who can access them in that one class - dangerous because a new page can get added and the developer forgets to add it to the authorization class.
> 2. We have jsp pages that just do a check and redirect if the user is not authorized. We then include the appropriate one at the top of each jsp page. This works great if there are a small set of authorizations (this is what I used before - every user was one of 3 types). However, it breaks down for more than a couple of pre-defined authorization groups.
> 3. All pages are accessed via preAction -> jsp -> submitAction. The preAction sets a session attribute to the name of the jsp. The jsp page at the top checks this attribute and if it is not its name, it redirects to the home page. As a session attribute, as soon as the user goes to another preAction, they can't go back to the previous jsp. So it forces the pre/jsp/submit ordering. The downside to this is the back button will be limited to the jsp page that the global attribute is set to, not going back further.
>
> Any other approaches?
>
> Thanks - dave
>
> David Thielen
> www.windwardreports.com 303-499-2544
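As an added illustration of George's suggestion (example code written for this thread, not posted by either participant): in a Struts 1 application the JSP is moved to /WEB-INF/jsp/, a location the servlet container never serves in response to a direct browser request, so the only way to reach it is a server-side forward from the Action that performs the check. The class name AdminAction, the package, the forward names and the role name "admin" are assumptions.

```java
// struts-config.xml fragment (assumed): the "success" forward points under
// /WEB-INF, so typing /admin.jsp into the browser gets a 404 from the
// container, while the Action below can still forward to it.
//
//   <action path="/admin" type="example.AdminAction">
//     <forward name="success" path="/WEB-INF/jsp/admin.jsp"/>
//     <forward name="denied"  path="/home.do" redirect="true"/>
//   </action>

package example;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public class AdminAction extends Action {

    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) {
        // The authorization rule lives in the Action that owns the page, which
        // is one of the two places the original poster wanted it. A new page
        // added later gets its own Action and its own check; there is no
        // central list that a developer can forget to update.
        if (!isAdmin(request)) {
            return mapping.findForward("denied");
        }
        return mapping.findForward("success");
    }

    // Assumed rule: the container has authenticated the user and assigned
    // the "admin" role (e.g. via web.xml security-role). A session flag set
    // by the application's own login code would work the same way.
    static boolean isAdmin(HttpServletRequest request) {
        return request.isUserInRole("admin");
    }
}
```

Anything a browser requests directly under /WEB-INF is refused by every Servlet-spec container, so the check in the Action cannot be bypassed by guessing the JSP's path.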