struts-user mailing list archives

From Régis Melo <regism...@softsite.com.br>
Subject RES: Best way to check if a user has access to a database resource
Date Fri, 07 Dec 2001 12:25:19 GMT
Hello,

I think that Jon is right - it's not necessary to put the information about
the user in the URL.

I have a similar problem - I'm developing a system and some users can't
access some pages. For example, if a user is an administrator he can access
everything. But if the user is an ordinary user he can't see some pages...

Thinking in MVC terms, I decided to put this logic in a controller - in my case
the ActionServlet. I'm not sure if it's a good solution.... I'd appreciate
ideas about this.

Thanks!
_______________________________
Régis Melo
regismelo@softsite.com.br
+55(85)9111-8301

SoftSite Tecnologia
http://www.softsite.com.br
+55(85)261-5266
_______________________________


-----Original Message-----
From: Jon.Ridgway [mailto:Jon.Ridgway@upco.co.uk]
Sent: Thursday, 6 December 2001 08:47
To: 'Struts Users Mailing List'
Subject: RE: Best way to check if a user has access to a database resource


Hi Tony,

If the user has logged in then you must have their principal (i.e. login
name) stored. So you don't need to have it as a request parameter visible to
all. Have the Display Messages Action look it up and just pass in
messageStart and messageEnd.

I think there are ways to hide the URL, such as placing resources in
WEB-INF, but I'm not 100% sure about these, anyone else....


Jon Ridgway.

-----Original Message-----
From: antony@claire.co.jp [mailto:antony@claire.co.jp]
Sent: 06 December 2001 08:19
To: Struts Users Mailing List
Subject: Best way to check if a user has access to a database resource

Hi

I have an application where the users have a number of messages in a
database.  Each user can only look at their own messages.  What is the
best way of ensuring a user cannot have access
to another's email?  I.e., if I have a scheme like

/displayMessages.do?user=tony&messageStart=20&messageEnd=40      -(1)

what is to stop someone else coming along, who has successfully logged
on but who is not user tony, from just typing (1) in and accessing these
messages? I realise that I can have a check in the displayMessages.do
action which will do something like

String sessionUser = (String) session.getAttribute("user");   // current user as indicated by the session
if (sessionUser != null && sessionUser.equals(request.getParameter("user")))   // the user as specified in the HTTP request

And then if this condition is true, Tomcat will deliver the
messages; otherwise an error screen is presented.
But I am not sure if this is (the best)/(a good) way.  I want to hear
how other people handle this situation.  Please tell me how you handle this.

Thank you

Tony



--
To unsubscribe, e-mail:
<mailto:struts-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail:
<mailto:struts-user-help@jakarta.apache.org>





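As an added example (not code from this thread), here is how Tony's displayMessages.do action could take the message owner from the session instead of the URL, as Jon suggests, written against the Struts 1.1 Action.execute signature. The "userId" session attribute and the MessageDao class are assumptions.

```java
// Added example, not from the thread: owner comes from the session, never
// from a ?user= parameter, so a logged-in user cannot page through another
// user's messages by editing the URL.
// Assumptions: the login action stored the principal under the session
// attribute "userId"; MessageDao is a hypothetical data-access class.
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public class DisplayMessagesAction extends Action {

    private static final int MAX_PAGE = 100;   // upper bound on one page of messages

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {
        // getSession(false) never creates a session: an unauthenticated
        // caller simply has none and is sent to the login page.
        HttpSession session = request.getSession(false);
        String userId = (session == null) ? null : (String) session.getAttribute("userId");
        if (userId == null) {
            return mapping.findForward("login");
        }

        // Only the paging parameters come from the request; the owner does not.
        int start;
        int end;
        try {
            start = Integer.parseInt(request.getParameter("messageStart"));
            end = Integer.parseInt(request.getParameter("messageEnd"));
        } catch (NumberFormatException e) {
            return mapping.findForward("error");
        }
        if (start < 0 || end < start || end - start > MAX_PAGE) {
            return mapping.findForward("error");
        }

        // The query is scoped to the session user, so a tampered parameter
        // can only change which of *their own* messages are shown.
        List messages = MessageDao.findByOwner(userId, start, end);
        request.setAttribute("messages", messages);
        return mapping.findForward("success");
    }
}
```

With this layout the equality check Tony describes is no longer needed, because there is no request-supplied user to compare against.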

