struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jing Zhou" <>
Subject Re: Webapp Security?
Date Wed, 02 Jul 2003 19:31:05 GMT

----- Original Message ----- 
From: "David Erickson" <>
To: "Struts Mailing List" <>
Sent: Wednesday, July 02, 2003 12:26 PM
Subject: Webapp Security?

> Just curious how others have gone about protecting the resouces within
> webapp.. in our personal setup we would like to control access to every
> resource if possible, we have our own custom login page that sets session
> variables, and pulls the data from the database.
> We can authenticate people with code in each of the actions, but nothing
> preventing someone from directly going to a jpg or a jsp file or anything
> the like.  What I thought about doing was subclassing the tomcat
> the default, the jsp one, and the struts one and then authenticating each
> request.. but that adds a lot of overhead.  Anybody have any other good
> ideas?  We'd like to stick with just tomcat 4.1.24... no apache (no
> .htaccess).. what is everyone else implementing?

Preventing someone from directly going to the JSP pages for your web
applications is right thing to do. I just posted a summary with
the subject MVC, Security, and Redirect:

1) No one has direct access to any JSP pages in the
    web applications.
2) Anybody is able to invoke the generalized action
    controllers where the security checking is performed.

You could use a dummy role nobody to protect all of your application
oriented resources with the security constraints. If your
user accounts are stored in database, like our implementation,
you could map your users' id, group, ref, whatever to the role names
specified on the action mappings. Giving uers dynamic privileges is
also implemented in our codes.

> -David

Netspread Carrier

> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message