struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Adam Hardy <>
Subject Re: MVC, Security, and Redirect
Date Wed, 02 Jul 2003 21:14:22 GMT
Good point. I might have to implement it :)

Jing Zhou wrote:
>>>The following is my experience about the subject over the
>>>years and also includes what I learned so far.
>>>What is the best practice for the security checking with
>>>the MVC design pattern? Over the years, I learned that
>>>the Struts developers have been using the following ideas
>>>for the security checking as the best practice.
>>>1) No one has direct access to any JSP pages in the
>>>    web applications.
>>Sorry just to pick out one point from your email but I always see people
>>saying this about protecting their JSPs.
>>I always wonder why, because not one of my JSPs would run without an
>>error if they were accessed directly, because they all need either a
>>form bean or lists or arrays for dropdowns and so on.
>>>From a management point of view, the security is more a policy
> problem than implementation problem. If you have two doors in your
> building that are exposed to outsiders and you trust the locks in them, that
> is
> fine.
> When you have 20,000 doors (the JSP pages) in your building (web apps)
> that are exposed to *outsiders* (they could be your internal employees),
> and over the years you asked 20 independent consulting teams to fix
> problems in some of the doors, your confident level on the security
> of your building will drop.
> That is one of the reasons you should ensure no one has direct access
> to your JSP pages *uniformly*. What we do for web applications is that
> we partition the resources into two categories: document oriented resources
> and application oriented resources. We let the application oriented
> resources (JSP pages for web applications) subject to rule one
> and document oriented resources (static files, Model 1 JSP pages
> for read only purpose) subject to the security constraints.
> With such a partition, we could avoid the situations where someone,
> no matter he is a outsider or internal employee, could access directly
> to the application oriented resources.
>>Is there some security hole that hackers can exploit if they find a
>>valid JSP url, even if it returns a 404?

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message