From: "Mike Jackson"
To: "Tomcat Users List"
Subject: RE: INSECURE to rely on sendRedirect (??)
Date: Fri, 24 Jan 2003 10:53:29 -0800
In-Reply-To: <3E3185C5.1030202@ptc.com>

They can't. There's a mapping between the thing they're requesting and the model or models that are being called; you can't access the model directly. You could access the page directly, but in most cases that won't get you anywhere, and any of the links that it points to are directly controlled by the controller again, so...
Really the only thing that's available that would allow you to bypass things to any level is the XSQL and XSL files I'm using to query the database, but I don't pass the XSQL mapping through apache to tomcat, so you'd be getting the XSQL and XSL files as flat files rather than as the processed versions of those. I could block that in apache, but as the XSQL files aren't in the same path as the page request it'd be a little hard to figure out where they are (and it lets me look at them quickly if I'm trying to diagnose something).

There's always something that can be done to make systems more secure, but you realistically need to balance the time and effort (both to secure it and to use it) with the environment. My systems typically are installed on secure networks where all users are given fairly intense background checks. So my balance is more towards the ease of use for the end user.

--mikej
-=-----
mike jackson
mjackson@cdi-hq.com

> -----Original Message-----
> From: Erik Price [mailto:eprice@ptc.com]
> Sent: Friday, January 24, 2003 10:28 AM
> To: Tomcat Users List
> Subject: Re: INSECURE to rely on sendRedirect (??)
>
> Mike Jackson wrote:
> > Actually I use an MVC architecture, my controller has a "standard" model for
> > doing logins. So I just change the look for the login page and change the
> > configuration file a little and I'm done. Nearly 100% code reuse (if you
> > consider the relatively static login page to be code). Since my system is
> > fast and easy I haven't seen the need to branch out into new things yet.
>
> What happens if someone requests one of your resources directly?
>
> Also, I hear you -- I wasn't going to get into Filters but I read a bit
> about them and the idea is actually pretty simple. And it seemed
> perfect for this situation, so I just tried it. I'm pleased.
>
> Erik
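As an added illustration of the Filter approach Erik mentions (example code, not from either poster), here is a servlet Filter that gates direct requests to protected resources so that no individual page has to call sendRedirect itself; the login page path, the "user" session attribute and the init parameter name are assumptions.

```java
// Added example: a login-gating Filter using the javax.servlet API of the period.
// Assumed names: login page "/login.jsp", session attribute "user",
// init parameter "loginPage".
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginFilter implements Filter {
    private String loginPage = "/login.jsp";  // assumed default, overridable in web.xml

    public void init(FilterConfig config) throws ServletException {
        String p = config.getInitParameter("loginPage");
        if (p != null) loginPage = p;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Do not create a session just to inspect it; no session means not logged in.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute("user") != null;

        if (!loggedIn) {
            // sendRedirect only sets the status and Location header; it does not stop
            // the request. Returning here, without calling chain.doFilter, is what keeps
            // the protected resource from being generated behind the redirect.
            response.sendRedirect(request.getContextPath() + loginPage);
            return;
        }
        // Authenticated: let the request reach the controller, JSP or flat file.
        chain.doFilter(request, response);
    }

    public void destroy() { }
}
```

Map the filter in web.xml with a `<filter-mapping>` whose `<url-pattern>` covers every protected path (for example `/secure/*`), so a direct request for a resource never bypasses the check.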