struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Friedman" <>
Subject RE: Security for the Struts web application
Date Tue, 05 Sep 2006 16:46:15 GMT
You have many options:

1. The filter route like

2. As suggested override how the process works.  In older versions of Struts
you can do as suggested and override one of the process methods (I also
recommend processRoles) while in some (not sure which) versions you can add
a command to the chain if your version uses the COR (Commons Chain of
Responsibility).  That could check if the session is valid, if the path
begins with a url you specify as being protected (like "/this", "/secured",

3. Make a base action where you check for your criteria in every action's
execute() method.  Then have it invoke a custom "myExecute()" method which
is where you would put the code you normally put in execute().  I learned
this approach from Struts In Action's scaffold framework.  I found the
source is still available at the publisher's site at the bottom of the page
listed as "" however I don't recommend it without the book.
Inside it are two versions of the Scaffold (that the book would explain)
named and

4. The traditional /WEB-INF/web.xml security-constraint related method.  You
can find some docs on those in this WebSphere page example:

These four choices should be enough for you.  There might be a few other
ways but those are the ones that come to my mind immediately.  I am sure
other list subscribers will chime in soon with other ways of securing
webapps.  If not you can check the Struts Wiki Security page for at least 4
more (some are OLD like SecurityFilter)


-----Original Message-----
From: Monkeyden []
Sent: Tuesday, September 05, 2006 12:10 PM
To: Struts Users Mailing List
Subject: Re: Security for the Struts web application

You could override the processPreprocess or processRoles method of
RequestProcessor.  If you only need to check for a session, more likely the
former.  If you have more fine-grained security (like role-based screens)
then you could do it in the latter.

On 9/5/06, SrinivasaReddy <> wrote:
> HI All..,
> I am developing an web application in Struts. I want to give the security
> for the application
> like
> -->  if the session present(user is logged in) then only requested pages
> should display otherwise redirect to login page.
> In this application all pages are secured.
> Anyone help me..
> Regards
> Nivas

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message