Shekher wrote:

> I am planning to use an interceptor for this but not sure how to plan this,
> as using an interceptor cannot guarantee a robust authentication mechanism.
> What I planned is as below:
>
> If the user provides valid information, store the user object in the session
> scoped map, and for all incoming requests to the secure region check the user
> object in the session using the interceptor. But will that be a robust
> approach?
>
> Any suggestion for this?
Only you can decide what is 'robust' in the light of the requirements of the application that you are developing. Something that controls access to your family's photo album probably requires less security robustness than a banking or military application. But then, I guess you aren't developing a military application (are you?).

Pretty much all web-based applications use session-based stuff to maintain authentication state across requests. That's just how it works and it is 'robust' (for certain values of robust). There are all manner of things that you can google to be told about vulnerabilities in the approach. Choose what applies to your situation and defend against it.

Re Interceptors and actions. Again, you have to decide what route to take and what the consequences will be if it goes wrong. For example, you can choose to design your actions so they work independently of the Interceptor and - if the configuration says that it is necessary - the Interceptor can then 'intercept' the request and redirect if a required authentication/authorisation is missing. If the application is run with an incorrect configuration file, then Bad People (tm) will be able to run your secure application actions.

Alternatively, you can design your actions to only run if they have been given the 'All Clear' from the interceptor. This is more secure *provided* that you don't have your Action be given the all clear via a 'SetXYZ()' routine (because that is trivial to circumvent with a crafted URL).

You need to (a) know what your authorisation/authentication scope is, (b) understand the way that Interceptors and Actions mesh together and (c) design (and document) something that fits your needs. With struts2 - like perl - there's more than one way to do things. Many of those things are right, some of them are wrong. There is no *single* 'right' way to do things though, that fits all situations.

Hope that gives you some ideas.
Later,
Andy

--
View this message in context: http://www.nabble.com/Application-based-Security-tp21010272p21014167.html
Sent from the Struts - User mailing list archive at Nabble.com.
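The second design Andy describes (the action only runs when the interceptor has given the 'All Clear', and never via a setter that the params interceptor could fill from a crafted URL) looks roughly like this in Struts 2. This is an added illustration, not code from the thread; the session key name `authenticatedUser`, the class names and the `AccountAction` body are assumptions.

```java
// file: AuthenticationInterceptor.java  (register it on the secure package's stack)
import java.util.Map;
import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

public class AuthenticationInterceptor extends AbstractInterceptor {
    /** Session key under which the login action stored the user object (assumed name). */
    public static final String USER_KEY = "authenticatedUser";

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        Map<String, Object> session = invocation.getInvocationContext().getSession();
        Object user = (session == null) ? null : session.get(USER_KEY);
        if (user == null) {
            // No invocation.invoke(): the secured action never executes without a user
            // in the session. "login" should map to a global result in struts.xml.
            return Action.LOGIN;
        }
        return invocation.invoke();
    }
}

// file: AccountAction.java  (a secured action that does not trust a setter for the all-clear)
import java.util.Map;
import com.opensymphony.xwork2.Action;
import org.apache.struts2.interceptor.SessionAware;

public class AccountAction implements Action, SessionAware {
    private Map<String, Object> session;

    // Injected by the servlet-config interceptor, not from request parameters.
    @Override
    public void setSession(Map<String, Object> session) { this.session = session; }

    @Override
    public String execute() {
        Object user = session.get(AuthenticationInterceptor.USER_KEY);
        if (user == null) {
            // Defence in depth: still refuse if the interceptor stack was misconfigured.
            return LOGIN;
        }
        // ... secured work for `user` goes here (assumed) ...
        return SUCCESS;
    }

    // Deliberately absent: public void setAuthenticated(boolean). The params
    // interceptor would set it from "?authenticated=true", bypassing the check.
}
```

In struts.xml the interceptor goes ahead of the action in the secure package's interceptor stack, with a global `login` result pointing at the login page; the action reads the user from the session map rather than from any property the params interceptor can populate.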