struts-user mailing list archives

From Li <ampyx...@gmail.com>
Subject Re: Best way to secure struts-webapps?
Date Tue, 29 Aug 2006 10:10:14 GMT
Put secure pages under /web-inf.

You can create a tag for checking session validation and/or the user object.



On 8/29/06, Leon Rosenberg <rosenberg.leon@googlemail.com> wrote:
>
> The options number 2 and 3 (filter and action) sound both very hale to me.
> If you just want to separate between logged in and not logged in users
> I would go for option 2.
> If you need fine-grained separation go for baseaction and make not
> only login check but also for action-dependent permissions.
>
> regards
> Leon
>
> On 8/29/06, Thomas Hamacher <tha@qualigo.de> wrote:
> > Hi everyone,
> >
> > I think I have a very basic question here, but after spending some time with
> > google I haven't found a real solution to this question: What is the best way
> > to secure a struts webapplication to be sure, that only logged in users are
> > allowed to do some special action and access some special pages?
> >
> > I found 3 possibilities, from what some of them seem to be a solution from
> > older struts versions.
> >
> > - Extend the RequestProcessor and do a programmatic security-check
> > - Use a Filter to do the security check
> > - Extend all Actions from a customized BaseAction, that does the security
> > check.
> >
> > But all of this seems a bit strange to me. As security is a standard-problem
> > in every webapplication and there are a lot of people who thought about
> > solutions (JAAS) I can't believe, that I have to extend the struts-framework
> > myself to provide some security issues.
> >
> > So what would you recommend if you want to do a real secure application with
> > struts, together with tiles and want to be sure, that no pages or actions are
> > used without permission? And all of this independent, if I use a Tomcat, a
> > Resin or maybe a JBoss as my struts-web-server.
> >
> > Do you have any information, examples or URLs that have a real solution to
> > this?
> >
> > Thank you very much
> >
> > Thomas
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> > For additional commands, e-mail: user-help@struts.apache.org
> >
> >
>


-- 
When we invent time, we invent death.
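
Option 2 from the thread (a servlet Filter that separates logged-in from anonymous users), as an added example that is not code from any of the posters or from Struts. The class name `LoginFilter`, the session key `user` and the paths `/login.do` and `/index.jsp` are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Deny-by-default login check, mapped to /* in web.xml (hypothetical class). */
public class LoginFilter implements Filter {
    // Assumed names: adjust to the application's own login action and session key.
    private static final String USER_KEY = "user";
    private static final String LOGIN_PATH = "/login.do";
    private static final Set<String> PUBLIC_PATHS =
            new HashSet<String>(Arrays.asList(LOGIN_PATH, "/index.jsp"));

    public void init(FilterConfig config) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getServletPath() is container-decoded and excludes the context path
        // and query string; it is compared by exact match against the allowlist.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) path += request.getPathInfo();

        // getSession(false): never create a session just to test for a login.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_KEY) != null;

        if (loggedIn || PUBLIC_PATHS.contains(path)) {
            chain.doFilter(req, res);
            return;
        }
        // Everything not explicitly public is refused for anonymous users.
        response.sendRedirect(request.getContextPath() + LOGIN_PATH);
    }

    public void destroy() { }
}
```

The filter only answers "logged in or not"; the action-dependent permissions mentioned for option 3 still need a check in the action layer. A filter mapped without extra dispatcher types runs on client requests only, so server-side forwards to JSPs kept under WEB-INF are not re-checked.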
