struts-user mailing list archives

From Andy Law <>
Subject Re: Application based Security
Date Mon, 15 Dec 2008 13:40:21 GMT

Shekher wrote:
> I am planning to use an interceptor for this but not sure how to plan this,
> as using an interceptor cannot guarantee a robust authentication mechanism.
> What I planned is as below:
> if the user provides valid information, store the user object in the session-
> scoped map, and for all incoming requests to the secure region check the user
> object in the session using the interceptor, but will that be a robust
> approach?
> Any suggestion for this?

Only you can decide what is 'robust' in the light of the requirements of the
application that you are developing. Something that controls access to your
family's photo album probably requires less security robustness than a
banking or military application. But then, I guess you aren't developing a
military application (are you?).

Pretty much all web-based applications use session-based stuff to maintain
authentication state across requests. That's just how it works and it is
'robust' (for certain values of robust). There are all manner of things that
you can google to be told about vulnerabilities in the approach. Choose what
applies to your situation and defend against it.

Re Interceptors and actions. Again, you have to decide what route to take
and what the consequences will be if it goes wrong. For example, you can
choose to design your actions so they work independently of the Interceptor
and - if the configuration says that it is necessary - the Interceptor can
then 'intercept' the request and redirect if a required
authentication/authorisation is missing. If the application is run with an
incorrect configuration file, then Bad People (tm) will be able to run your
secure application actions. Alternatively, you can design your actions to
only run if they have been given the 'All Clear' from the interceptor. This
is more secure *provided* that you don't have your Action be given the all
clear via a 'SetXYZ()' routine (because that is trivial to circumvent with a
crafted URL).

You need to (a) know what your authorisation/authentication scope is, (b)
understand the way that Interceptors and Actions mesh together and (c)
design (and document) something that fits your needs. With struts2 - like
perl - there's more than one way to do things. Many of those things are
right, some of them are wrong. There is no *single* 'right' way to do things
though, that fits all situations.

Hope that gives you some ideas.
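The session check and the "don't hand the action its all-clear through a setter" point above, as an added Java example that is not from this thread or from Struts itself. The User class, AuthInterceptor, SecureAction and the session key "user" are assumptions for illustration:

```java
import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import java.util.Map;

// Assumed domain object that the login action stores in the session map.
final class User {
    private final String name;
    User(String name) { this.name = name; }
    String getName() { return name; }
}

// Interceptor guarding the "secure region": it looks for the User object in
// the session-scoped map and refuses to invoke the action if it is absent.
// Wire it in struts.xml after the defaultStack on the secure package, e.g.
//   <interceptor-ref name="defaultStack"/><interceptor-ref name="auth"/>
public class AuthInterceptor extends AbstractInterceptor {
    static final String SESSION_USER_KEY = "user"; // assumed session key

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        Map<String, Object> session = invocation.getInvocationContext().getSession();
        Object user = (session == null) ? null : session.get(SESSION_USER_KEY);
        if (!(user instanceof User)) {
            return Action.LOGIN;     // action never runs; map "login" to the login page
        }
        return invocation.invoke();  // all clear: continue down the stack to the action
    }
}

// Action in the secure region. It re-reads the user from the session itself
// instead of accepting an "all clear" through a public setter: the Struts 2
// params interceptor binds request parameters onto setXxx() properties, so a
// setAuthorised(boolean) on the action would be settable from the query string.
class SecureAction extends ActionSupport {
    @Override
    public String execute() {
        Map<String, Object> session = ActionContext.getContext().getSession();
        Object user = (session == null) ? null : session.get(AuthInterceptor.SESSION_USER_KEY);
        if (!(user instanceof User)) {
            return LOGIN;            // defence in depth if the interceptor stack is misconfigured
        }
        addActionMessage("Hello " + ((User) user).getName());
        return SUCCESS;
    }
    // Do NOT add: public void setAuthorised(boolean b) { ... }
}
```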

