Return-Path: Delivered-To: apmail-struts-user-archive@www.apache.org Received: (qmail 1736 invoked from network); 5 Sep 2006 17:07:41 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 5 Sep 2006 17:07:41 -0000 Received: (qmail 88042 invoked by uid 500); 5 Sep 2006 17:07:30 -0000 Delivered-To: apmail-struts-user-archive@struts.apache.org Received: (qmail 88004 invoked by uid 500); 5 Sep 2006 17:07:30 -0000 Mailing-List: contact user-help@struts.apache.org; run by ezmlm Precedence: bulk List-Unsubscribe: List-Help: List-Post: List-Id: "Struts Users Mailing List" Reply-To: "Struts Users Mailing List" Delivered-To: mailing list user@struts.apache.org Received: (qmail 87990 invoked by uid 99); 5 Sep 2006 17:07:29 -0000 Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 05 Sep 2006 10:07:29 -0700 X-ASF-Spam-Status: No, hits=0.5 required=10.0 tests=DNS_FROM_RFC_ABUSE,HTML_MESSAGE,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (asf.osuosl.org: domain of monkeyden@gmail.com designates 64.233.182.185 as permitted sender) Received: from [64.233.182.185] (HELO nf-out-0910.google.com) (64.233.182.185) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 05 Sep 2006 10:07:28 -0700 Received: by nf-out-0910.google.com with SMTP id l35so13643nfa for ; Tue, 05 Sep 2006 10:07:07 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; b=DMeXCJcYADMNbDOoW1ubmLNBhOckRgpIL0QphHA0k7TALUOIHfZGUXv/OjO1UA9VJ8n3yWAlEc4b/CUlKn5wbCcytxUkCIpGMw7qqpwsvhkapH2Qz1GeBVqWamkQa8CUQLYWtDpAf64sEUFb5R97k2jQ9H2r+6uiDlnm9Yq9zcQ= Received: by 10.48.254.10 with SMTP id b10mr7976889nfi; Tue, 05 Sep 2006 10:07:07 -0700 (PDT) Received: by 10.49.59.7 with HTTP; Tue, 5 Sep 2006 10:07:06 -0700 (PDT) Message-ID: Date: Tue, 5 Sep 2006 13:07:06 -0400 From: Monkeyden To: "Struts Users Mailing List" Subject: Re: Security for the Struts web application In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_Part_69242_18716558.1157476026814" References: X-Virus-Checked: Checked by ClamAV on apache.org X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N ------=_Part_69242_18716558.1157476026814 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline I'm not crazy about #3 mainly because it's more the obligation of the front controller and not the task controllers. There is no way to enforce the call to super at the task level. On 9/5/06, David Friedman wrote: > > You have many options: > > 1. The filter route like http://securityfilter.sourceforge.net. > > 2. As suggested override how the process works. In older versions of > Struts > you can do as suggested and override one of the process methods (I also > recommend processRoles) while in some (not sure which) versions you can > add > a command to the chain if your version uses the COR (Commons Chain of > Responsibility). That could check if the session is valid, if the path > begins with a url you specify as being protected (like "/this", > "/secured", > etc.). > > 3. Make a base action where you check for your criteria in every action's > execute() method. Then have it invoke a custom "myExecute()" method which > is where you would put the code you normally put in execute(). I learned > this approach from Struts In Action's scaffold framework. I found the > source is still available at the publisher's site at the bottom of the > page > listed as "husted_src.zip" however I don't recommend it without the book. > Inside it are two versions of the Scaffold (that the book would explain) > named struts-scaffold_1_0.zip and struts-scaffold_1_1.zip. > > 4. The traditional /WEB-INF/web.xml security-constraint related > method. You > can find some docs on those in this WebSphere page example: > http://www.caucho.com/resin-3.0/config/webapp.xtp > > These four choices should be enough for you. There might be a few other > ways but those are the ones that come to my mind immediately. I am sure > other list subscribers will chime in soon with other ways of securing > webapps. If not you can check the Struts Wiki Security page for at least > 4 > more (some are OLD like SecurityFilter) > http://wiki.apache.org/struts/ApplicationSecurity?highlight=%28security%29 > > Regards, > David > > -----Original Message----- > From: Monkeyden [mailto:monkeyden@gmail.com] > Sent: Tuesday, September 05, 2006 12:10 PM > To: Struts Users Mailing List > Subject: Re: Security for the Struts web application > > > You could override the processPreprocess or processRoles method of > RequestProcessor. If you only need to check for a session, more likely > the > former. If you have more fine-grained security (like role-based screens) > then you could do it in the latter. > > > On 9/5/06, SrinivasaReddy wrote: > > > > HI All.., > > > > I am developing an web application in Struts. I want to give the > security > > for the application > > like > > --> if the session present(user is logged in) then only requested pages > > should display otherwise redirect to login page. > > > > In this application all pages are secured. > > > > Anyone help me.. > > > > Regards > > Nivas > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: user-unsubscribe@struts.apache.org > For additional commands, e-mail: user-help@struts.apache.org > > ------=_Part_69242_18716558.1157476026814--