Return-Path: 
 <struts-user-return-84157-qmlist-jakarta-archive-struts-user=nagoya.apache.org@jakarta.apache.org>
Delivered-To: apmail-jakarta-struts-user-archive@apache.org
Received: (qmail 56207 invoked from network); 2 Jul 2003 09:37:51 -0000
Received: from exchange.sun.com (192.18.33.10)
  by daedalus.apache.org with SMTP; 2 Jul 2003 09:37:51 -0000
Received: (qmail 14254 invoked by uid 97); 2 Jul 2003 09:40:27 -0000
Delivered-To: qmlist-jakarta-archive-struts-user@nagoya.betaversion.org
Received: (qmail 14247 invoked from network); 2 Jul 2003 09:40:27 -0000
Received: from daedalus.apache.org (HELO apache.org) (208.185.179.12)
  by nagoya.betaversion.org with SMTP; 2 Jul 2003 09:40:27 -0000
Received: (qmail 53816 invoked by uid 500); 2 Jul 2003 09:37:01 -0000
Mailing-List: contact struts-user-help@jakarta.apache.org; run by ezmlm
Precedence: bulk
List-Unsubscribe: <mailto:struts-user-unsubscribe@jakarta.apache.org>
List-Subscribe: <mailto:struts-user-subscribe@jakarta.apache.org>
List-Help: <mailto:struts-user-help@jakarta.apache.org>
List-Post: <mailto:struts-user@jakarta.apache.org>
List-Id: "Struts Users Mailing List" <struts-user.jakarta.apache.org>
Reply-To: "Struts Users Mailing List" <struts-user@jakarta.apache.org>
Delivered-To: mailing list struts-user@jakarta.apache.org
Received: (qmail 53792 invoked from network); 2 Jul 2003 09:37:01 -0000
Received: from mail7.cybercon.com (66.165.104.71)
  by daedalus.apache.org with SMTP; 2 Jul 2003 09:37:01 -0000
Received: (qmail 9994 invoked by uid 507); 2 Jul 2003 09:36:53 -0000
Received: from jing@netspread.com by mail7.cybercon.com by uid 504 with Virus
 scanner ( Clear:. Processed in 0.565926 secs); 02 Jul 2003 09:36:53 -0000
Received: from cable-68-112-210-146.sli.la.charter.com (HELO carrier)
 (68.112.210.146)
  by 0 with SMTP; 2 Jul 2003 09:36:52 -0000
Message-ID: <012101c3407d$83f4e420$6400a8c0@carrier>
Reply-To: "Jing Zhou" <jing@netspread.com>
From: "Jing Zhou" <jing@netspread.com>
To: "Struts Users Mailing List" <struts-user@jakarta.apache.org>
Subject: MVC, Security, and Redirect
Date: Wed, 2 Jul 2003 04:37:11 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_011E_01C34053.9A6C2DF0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N

------=_NextPart_000_011E_01C34053.9A6C2DF0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

All,

The following is my experience about the subject over the
years and also includes what I learned so far.

What is the best practice for the security checking with
the MVC design pattern? Over the years, I learned that
the Struts developers have been using the following ideas
for the security checking as the best practice.

1) No one has direct access to any JSP pages in the=20
    web applications.
2) Anybody is able to invoke the generalized action
    controllers where the security checking is performed.

The rules are simple and crystal clear. They come from
the minds of the true MVC experts. When the redirect is
a question, we can not isolate the MVC and Security=20
context to give an answer, especially to make
recommendations.

This is because redirecting to a JSP page will not work
under rule one. So we normally redirect to an action. If the
security checking is performed in the base class of the
generalized action controllers for rule two, the protections
for all of the JSP pages are uniformly enforced.

So it is misleading if someone's message is suggesting
the action is protected by the security constraints. It is
the same misleading thing if the message is suggesting
the security constraints could allow the JSP pages to be
accessed directly by authorized users in order to make
the redirect to work. Because if the servlet container is
configured that way, end users may work around the
security checking in rule two by directly accessing to
the JSP pages. They might be able to obtain some
unauthorized information - the same problems where
Model 1 things may have.

A clear understanding to the two rules is very important
when dealing with the redirect. The following link
http://www.netspread.com/tips2.html#mvc
provides detail information on how Carrier implements
the two rules.

When considering the location where the JSP pages
should be protected. We realized that WEB-INF is
suitable for self-service type of web applications (or
say developed for self use)
Since Carrier is designed as a multi-vendor solution
carrier, the packaged solutions must be highly
modular and the best way is to put the packaged
solutions under the security constraints with a nobody
dummy role.

What I enjoyed in the MVC/Security is the conciseness
of the two rules. I gave Carrier the most concise
implementation - only one default controller class
for all business logics as well as the redirect logics in
our demos.


Regards,

Jing
Netspread Carrier
http://www.netspread.com









------=_NextPart_000_011E_01C34053.9A6C2DF0--