Thanks for your answer. Maybe I'm not very clear (sorry for my english). Let's imagine the following request to access the page to update the user informations : /myApp/userPrepareUpdate.action?id=1234 Anyone can modify the request and change 1234 to any other id and so access to the informations of another user. That's why I have to check that the parameter "id" passed in the request has the same value than the "id" in the user object stored in session. That can be the same for the page that redirects to any other object of the application that does not belong to the user (imagine photo gallery)... So did I miss something? I'm sure yes...
Sebastien On 1/31/07, Thorsten Schäfer <[EMAIL PROTECTED]> wrote:
Hi, Why do you care about the information in the request? Typically, you have a login page and the corresponding action stores the user object into the session. In all subsequent requests, you can check the user object in the session to determine which user did log in. This works for S1, but I'd think that it's the same in S2. Cheers, Thorsten > -----Original Message----- > From: Sébastien LABEY [mailto:[EMAIL PROTECTED] > Sent: Wednesday, January 31, 2007 8:22 PM > To: Struts mailing list > Subject: [S2] User authentication best practice (2nd time...) > > Hi all (sorry for the previous unterminated mail), > > I would like to know if S2 provides a solution to manage user > authentication. > I also would like to know if someone could lead me to best practice for > user > creation / authentication to a web application. I'm worried about security > after the user has logged in, because of the parameters that appear in the > request. For example, the request that leads to user informations > modification shows the id of this user in the request, so I've to control > that the user id in the request is the same than the one in session (in > the > user object stored in session after login). > Do you have some best practices to help me...? > > thanks in advance > > Sebastien --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
