I guess the best practice for a secure Struts webapp can never be answered by listing a few items of "what to do and how to do". It is a complicated topic and has many situations, like LAN, WAN ...

Besides, will Struts continue its development rather than enhancement? Or will WebWork replace it sooner or later?

On 8/29/06, Li <[EMAIL PROTECTED]> wrote:
Put secure pages under /WEB-INF. You can create a tag for checking session validation and/or the user object.

On 8/29/06, Leon Rosenberg <[EMAIL PROTECTED]> wrote:
>
> The options number 2 and 3 (filter and action) sound both very hale to me.
> If you just want to separate between logged-in and not-logged-in users,
> I would go for option 2.
> If you need fine-grained separation, go for BaseAction and make not
> only a login check but also a check for action-dependent permissions.
>
> regards
> Leon
>
> On 8/29/06, Thomas Hamacher <[EMAIL PROTECTED]> wrote:
> > Hi everyone,
> >
> > I think I have a very basic question here, but after spending some
> > time with Google I haven't found a real solution to this question: What is
> > the best way to secure a Struts web application to be sure that only
> > logged-in users are allowed to do some special actions and access some
> > special pages?
> >
> > I found 3 possibilities, some of which seem to be a solution from
> > older Struts versions.
> >
> > - Extend the RequestProcessor and do a programmatic security check
> > - Use a Filter to do the security check
> > - Extend all Actions from a customized BaseAction that does the
> >   security check.
> >
> > But all of this seems a bit strange to me. As security is a standard
> > problem in every web application and there are a lot of people who have
> > thought about solutions (JAAS), I can't believe that I have to extend the
> > Struts framework myself to provide some security issues.
> >
> > So what would you recommend if you want to do a really secure
> > application with Struts, together with Tiles, and want to be sure that
> > no pages or actions are used without permission? And all of this
> > independent of whether I use Tomcat, Resin or maybe JBoss as my
> > Struts web server.
> >
> > Do you have any information, examples or URLs that have a real
> > solution to this?
> >
> > Thank you very much
> >
> > Thomas
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >
>
> --
> When we invent time, we invent death.
-- When we invent time, we invent death.