struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <>
Subject Re: Webapp Security?
Date Thu, 03 Jul 2003 20:46:33 GMT

On Thu, 3 Jul 2003, David Erickson wrote:

> Date: Thu, 3 Jul 2003 13:44:41 -0600
> From: David Erickson <>
> Reply-To: Struts Users Mailing List <>
> To: Struts Users Mailing List <>
> Subject: Re: Webapp Security?
> Yes this makes excellent sense.  And this is basically along the lines of
> what I think we may do, but I am wondering if you could just filter the
> action itself using Filters before it even gets to struts, and if they dont
> have permission to perform that action then it never even makes it to
> struts?


> Also another question that has been burning in my mind that I havn't been
> able to figure out, lets suppose we run a struts action it is successful so
> its actionmapping forward is to test.jsp.  When it forwards to test.jsp does
> the tomcat server parse back through the web.xml to see what servlet is
> supposed get that test.jsp, or does it do something else??

Struts uses RequestDispatcher.forward() to deal with the ActionForward
instance that is returned.  Translating the context-relative path into a
call to a particular servlet or JSP page does indeed go back through the
servlet mappings you've defined in web.xml, the same way that the original
request URL is mapped to a servlet or JSP page based on these mappings.

One thing to note about this, in the context of the discussion on
container managed security, is that security constraints are enforced ONLY
on the original request from a client, not on RequestDispatcher calls.  If
the application uses RequestDispatcher, the container assumes that it
knows what it is doing.

> -David


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message