struts-user mailing list archives

From Monkeyden <monkey...@gmail.com>
Subject Re: Security for the Struts web application
Date Tue, 05 Sep 2006 17:07:06 GMT
I'm not crazy about #3 mainly because it's more the obligation of the front
controller and not the task controllers.  There is no way to enforce the
call to super at the task level.

On 9/5/06, David Friedman <humble@ix.netcom.com> wrote:
>
> You have many options:
>
> 1. The filter route like http://securityfilter.sourceforge.net.
>
> 2. As suggested, override how the process works.  In older versions of Struts
> you can do as suggested and override one of the process methods (I also
> recommend processRoles) while in some (not sure which) versions you can add
> a command to the chain if your version uses the COR (Commons Chain of
> Responsibility).  That could check if the session is valid, if the path
> begins with a URL you specify as being protected (like "/this", "/secured",
> etc.).
>
> 3. Make a base action where you check for your criteria in every action's
> execute() method.  Then have it invoke a custom "myExecute()" method which
> is where you would put the code you normally put in execute().  I learned
> this approach from Struts In Action's scaffold framework.  I found the
> source is still available at the publisher's site at the bottom of the page
> listed as "husted_src.zip"; however, I don't recommend it without the book.
> Inside it are two versions of the Scaffold (that the book would explain)
> named struts-scaffold_1_0.zip and struts-scaffold_1_1.zip.
>
> 4. The traditional /WEB-INF/web.xml security-constraint related method.  You
> can find some docs on those in this WebSphere page example:
> http://www.caucho.com/resin-3.0/config/webapp.xtp
>
> These four choices should be enough for you.  There might be a few other
> ways but those are the ones that come to my mind immediately.  I am sure
> other list subscribers will chime in soon with other ways of securing
> webapps.  If not you can check the Struts Wiki Security page for at least 4
> more (some are OLD like SecurityFilter)
> http://wiki.apache.org/struts/ApplicationSecurity?highlight=%28security%29
>
> Regards,
> David
>
> -----Original Message-----
> From: Monkeyden [mailto:monkeyden@gmail.com]
> Sent: Tuesday, September 05, 2006 12:10 PM
> To: Struts Users Mailing List
> Subject: Re: Security for the Struts web application
>
>
> You could override the processPreprocess or processRoles method of
> RequestProcessor.  If you only need to check for a session, more likely the
> former.  If you have more fine-grained security (like role-based screens)
> then you could do it in the latter.
>
>
> On 9/5/06, SrinivasaReddy <msrinivasareddy@bob-technologies.com> wrote:
> >
> > Hi All,
> >
> > I am developing a web application in Struts. I want to give the security
> > for the application like
> > -->  if the session is present (user is logged in) then only requested
> > pages should display, otherwise redirect to login page.
> >
> > In this application all pages are secured.
> >
> > Anyone help me..
> >
> > Regards
> > Nivas
>
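
Added example, not part of the thread: a sketch of the front-controller check both replies point to, overriding `processPreprocess` in a `RequestProcessor` subclass so that no individual action has to remember to call a base class. It assumes the classic Struts 1.x `RequestProcessor` (not the Commons Chain variant), a `*.do` extension mapping, and hypothetical names for the package, the session attribute and the login paths.

```java
package example.security; // hypothetical package name

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts.action.RequestProcessor;

/**
 * Registered in struts-config.xml with:
 *   <controller processorClass="example.security.SessionCheckRequestProcessor"/>
 */
public class SessionCheckRequestProcessor extends RequestProcessor {

    // Assumption: the login action stores the user object under this key.
    static final String USER_KEY = "authenticatedUser";
    // Assumption: login form and its submit action; everything else is protected.
    static final String LOGIN_PATH = "/login.do";
    static final Set<String> PUBLIC_PATHS =
            new HashSet<String>(Arrays.asList(LOGIN_PATH, "/loginSubmit.do"));

    /** Returning false stops Struts from selecting and running any action. */
    protected boolean processPreprocess(HttpServletRequest request,
                                        HttpServletResponse response) {
        // Let the login pages through, otherwise the redirect below would loop.
        if (PUBLIC_PATHS.contains(request.getServletPath())) {
            return true;
        }
        // getSession(false): never create a session just to test for one.
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute(USER_KEY) != null) {
            return true;
        }
        try {
            response.sendRedirect(
                    response.encodeRedirectURL(request.getContextPath() + LOGIN_PATH));
        } catch (IOException e) {
            // processPreprocess declares no checked exceptions; log and fail closed.
            log.error("Could not redirect unauthenticated request to login", e);
        }
        return false;
    }
}
```

This check only sees requests that reach the ActionServlet; JSPs or other resources that can be requested directly still need option 1 or option 4 from the list above, or to be placed under /WEB-INF.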
