From: Juan Chung
Date: Sat, 17 Apr 2010 12:53:55 +0800
To: user@struts.apache.org
Subject: Re: Basic security problem
Message-ID: <4BC93EE3.5040007@gmail.com>
List-Id: "Struts Users Mailing List"

Place your right control check in a filter, i.e. whenever the user sends a request to the server, retrieve their right information, then compare the request URI. If it matches, the user has been granted the right to do so; otherwise they do not have the proper right.

Good luck.

On 04/16/2010 10:36 AM, Stephane Cosmeur wrote:
> Hello Struts users
>
> I have a really basic security problem and I would like to know what is the
> best practice to resolve it.
>
> I have an application with an authentication system and different rights
> for different types of user. To add or remove a link/functionality, we simply
> declare the element in a tag. But the problem is the
> actions are still available by typing the URL in the address bar.
>
> How can I fix it?
>
> Regards,
>

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
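The filter-based check Juan describes, written out as an added example (this is not code from the thread or from Struts). It assumes the login code stores the user's roles in a session attribute named `userRoles` as a `Set<String>`, that the filter is mapped to `/*` in web.xml so it runs before any action, and that the URI-to-role rules shown in `init()` are illustrative; a real application would load them from configuration. The point it demonstrates is that hiding a link in the view is not access control: the decision is made on every request from the URI and the caller's roles, and a URI no rule covers is denied by default.

```java
// Added example (not from the thread): a servlet filter that enforces
// role-based access on every request, so a user who types an action URL
// directly is checked exactly like one who clicked a rendered link.
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class RightCheckFilter implements Filter {

    /** Session attribute under which the login code stores the user's roles (assumed name). */
    static final String ROLES_ATTR = "userRoles";

    /** Paths reachable without any role, so that login itself is not blocked (illustrative). */
    private static final Set<String> PUBLIC_PREFIXES =
            new HashSet<String>(Arrays.asList("/login.do", "/logout.do", "/css/", "/images/"));

    /** URI prefix (relative to the context path) -> role required for it. First match wins. */
    private final Map<String, String> requiredRole = new LinkedHashMap<String, String>();

    public void init(FilterConfig config) throws ServletException {
        // Illustrative rules; load these from configuration in a real application.
        requiredRole.put("/admin/", "ADMIN");
        requiredRole.put("/manager/", "MANAGER");
        requiredRole.put("/user/", "USER");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String path = relativePath(request);
        Set<String> roles = rolesOf(request.getSession(false));

        if (isAllowed(path, roles)) {
            chain.doFilter(req, res);
        } else if (roles.isEmpty()) {
            // Not logged in: send to the login page instead of revealing anything about the action.
            response.sendRedirect(request.getContextPath() + "/login.do");
        } else {
            // Logged in but lacking the right: refuse the request on the server side.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    public void destroy() { }

    /** Decides purely from the path and the caller's roles, so it can be tested without a container. */
    boolean isAllowed(String path, Set<String> roles) {
        for (String pub : PUBLIC_PREFIXES) {
            if (path.startsWith(pub)) {
                return true;
            }
        }
        for (Map.Entry<String, String> rule : requiredRole.entrySet()) {
            if (path.startsWith(rule.getKey())) {
                return roles.contains(rule.getValue());
            }
        }
        // Deny by default: a URI no rule covers is not reachable, even for logged-in users.
        return false;
    }

    /** Strips the context path and any ";jsessionid=..." path parameter before the prefixes are compared. */
    static String relativePath(HttpServletRequest request) {
        String uri = request.getRequestURI();
        String ctx = request.getContextPath();
        if (ctx != null && uri.startsWith(ctx)) {
            uri = uri.substring(ctx.length());
        }
        int semi = uri.indexOf(';');
        return semi >= 0 ? uri.substring(0, semi) : uri;
    }

    @SuppressWarnings("unchecked")
    static Set<String> rolesOf(HttpSession session) {
        if (session == null) {
            return Collections.emptySet();
        }
        Object roles = session.getAttribute(ROLES_ATTR);
        return roles instanceof Set ? (Set<String>) roles : Collections.<String>emptySet();
    }
}
```

Two things to check when adapting this: the filter must be registered in web.xml with a `<url-pattern>/*</url-pattern>` mapping, otherwise some actions bypass it entirely; and the comparison is done on the raw request URI, so if the container resolves `..` segments or encoded characters after the filter has run, canonicalise the path (or key the rules on the resolved Struts action name instead) before matching.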