Put secure pages under /WEB-INF.

You can create a tag for checking session validation and/or the user object.



On 8/29/06, Leon Rosenberg <[EMAIL PROTECTED]> wrote:

Options number 2 and 3 (filter and action) both sound very hale to me.
If you just want to separate between logged-in and not-logged-in users,
I would go for option 2.
If you need fine-grained separation, go for the BaseAction and do not
only the login check but also checks for action-dependent permissions.

regards
Leon

On 8/29/06, Thomas Hamacher <[EMAIL PROTECTED]> wrote:
> Hi everyone,
>
> I think I have a very basic question here, but after spending some time with
> Google I haven't found a real solution to this question: What is the best way
> to secure a Struts web application to be sure that only logged-in users are
> allowed to do some special action and access some special pages?
>
> I found 3 possibilities, of which some seem to be a solution from
> older Struts versions.
>
> - Extend the RequestProcessor and do a programmatic security check
> - Use a Filter to do the security check
> - Extend all Actions from a customized BaseAction that does the security
>   check.
>
> But all of this seems a bit strange to me. As security is a standard problem
> in every web application and there are a lot of people who thought about
> solutions (JAAS), I can't believe that I have to extend the Struts framework
> myself to provide some security issues.
>
> So what would you recommend if you want to do a really secure application with
> Struts, together with Tiles, and want to be sure that no pages or actions are
> used without permission? And all of this independent of whether I use a Tomcat,
> a Resin or maybe a JBoss as my Struts web server.
>
> Do you have any information, examples or URLs that have a real solution to
> this?
>
> Thank you very much
>
> Thomas
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>





--
When we invent time, we invent death.
