Posted to user@struts.apache.org by "Menke, John" <Jo...@acs-inc.com> on 2003/05/05 16:07:47 UTC

RE: User authentication for a site

Where can I find more information about the security problems????

-----Original Message-----
From: Sterin, Ilya [mailto:Isterin@ciber.com]
Sent: Monday, April 28, 2003 2:05 PM
To: 'Steven Sajous '; 'Struts Users Mailing List '
Subject: RE: User authentication for a site


web.xml --> filter is the best, but read below for downsides.  Because
struts heavily relies on forwards, if the Actions are not properly
configured and designed, you'll have security issues, with forwards not
being checked for authentication by the filter.

Ilya

-----Original Message-----
From: Steven Sajous
To: Struts Users Mailing List
Sent: 4/28/03 12:02 PM
Subject: RE: User authentication for a site

The JSP solution is not elegant at all. I really wanted to see what
different people were doing out there to handle authentication using
struts. So far the web.xml --> filter is my favorite solution and is
what I had been using before ever using struts. Since struts seems to
have something for everything I wanted to see if there was something for
this built in.

-----Original Message-----
From: Sterin, Ilya [mailto:Isterin@ciber.com]
Sent: Monday, April 28, 2003 1:54 PM
To: 'Steven Sajous '; 'Struts Users Mailing List '
Subject: RE: User authentication for a site


Filter of course is the best way.  The problem is that the Servlet 2.3
specs do not allow filters to also authenticate forward actions that
request such resources in need of authentication, so in reality, there
would be some ways of accessing these resources if you are using
forwards.  Though you could probably map your servlets and actions to be
authenticated by dir.  So say, you can make a dir called "members" as an
authentication filter, then make sure that all actions that forward to
anything in members dir also are mapped to members dir.  In theory, it's
possible, IMO, but I haven't tried it.

The new Tomcat 5 and Servlet 2.4 spec authenticate the forwards as well,
so unless you are using the 2.4 container, you might have to try the
above.

Another way would be to insert a customer authentication tag/code in
each servlet/jsp page which needs it, but I find that a horrible
solution, extendibility and maintainability wise.

Ilya

-----Original Message-----
From: Steven Sajous
To: Struts Users Mailing List
Sent: 4/28/03 11:02 AM
Subject: User authentication for a site

I have a site that has areas that require that a user is logged in. What
is the best way to do this with struts?

I thought of doing it in my filter then decided that I would be better
off doing it in my web.xml. Is there a way built into struts however to
take care of that? We have just started using the struts framework a
couple of weeks ago and would like to use everything it has to offer
that we might not have discovered yet.

Thanks


---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org
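
Added example, not part of the original thread: a web.xml fragment for the forward gap discussed above. Under Servlet 2.3 a filter mapping is applied only to requests that come from the client; the Servlet 2.4 deployment descriptor adds a <dispatcher> element, and a mapping that omits it still covers client requests only, so FORWARD has to be listed explicitly. The filter name, the class com.example.AuthFilter and the /members/* pattern are assumptions for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Servlet 2.4 descriptor. The version attribute and schema matter:
     a 2.3 DTD-based web.xml has no <dispatcher> element at all. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <filter>
    <!-- Hypothetical filter: checks the session for a logged-in user
         and redirects to the login page when none is found. -->
    <filter-name>authFilter</filter-name>
    <filter-class>com.example.AuthFilter</filter-class>
  </filter>

  <!-- Weak form (all that Servlet 2.3 offers, and the 2.4 default):

       <filter-mapping>
         <filter-name>authFilter</filter-name>
         <url-pattern>/members/*</url-pattern>
       </filter-mapping>

       The filter runs for client requests to /members/* only. An
       Action mapped outside /members/ that forwards to a page under
       /members/ reaches that page without the filter being invoked. -->

  <!-- Corrected form for a 2.4 container: the same URL pattern, also
       applied when the resource is reached through a
       RequestDispatcher forward or include. -->
  <filter-mapping>
    <filter-name>authFilter</filter-name>
    <url-pattern>/members/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
  </filter-mapping>

</web-app>
```

On a 2.3 container the only option is the one described in the thread: keep every Action that forwards into the protected directory under a URL the filter also matches.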

