Posted to user@struts.apache.org by Todd Bryant <tb...@foundation.nebraska.edu> on 2004/04/07 23:13:40 UTC

RE: Problem with Formbean validate method forwarding to input page

That is a good question. The problem is the way struts processes requests.
The first thing struts does when receiving a request to an action is to fill
in the formbean associated with the action. Then it runs the validate()
method of the formbean. If the method returns a non-empty ActionErrors
object, the request is forwarded to whatever is set as the "input" in the
struts config. If I set the "input" to the action, it will request that
action again, causing an infinite loop (requests to actions fill in the form
bean first, validate runs, send back to action, repeat). 


Thinking just now, I would have to have an action for every jsp in my
application (A forwarding action if you will). This action would do nothing
but authenticate a user and then forward to the jsp. Then the jsp would
submit to a 'business' action that forwards back to the same jsp again (this
jsp has a form for user data AND displays info). I could set the "input" of
the formbean to the forwarding action. This would auth a user, but would not
cause a loop because the formbean would only be associated with the
"business" bean.

This plan sounds doable. I hope I made sense to anyone reading. If someone
else has any suggestions I would appreciate them. 



-----Original Message-----
From: Tin Pham [mailto:ttpham3@learn.senecac.on.ca] 
Sent: Wednesday, April 07, 2004 3:38 PM
To: user@struts.apache.org
Subject: Re: Problem with Formbean validate method forwarding to input page

If you are using struts, why go back to a .jsp page? You should be going
back to a .do page.

Since the .do is a struts action it will be able to get to your jsp page.


"Todd Bryant" <tb...@foundation.nebraska.edu> wrote in message
news:7904F603F8C1CB418A3502A527A743D42973EB@unfnd704nt.foundation.nebraska.edu...
> I have need for every page in my web app to be secure. What I originally did
> was extend the Action class to make a secure action class. The
> SecureAction's perform method validates that the user is logged in and if
> not, sends them to the login page. All actions in my app extend
> SecureAction. To protect my jsp's, I put them in a subfolder of WEB-INF,
> WEB-INF/jsp. This way a user cannot directly access any jsp. They can only
> be accessed through a forward in an action. This completely secures all
> resources in my application.
>
> This is where I run into a problem. If I use the validate() method of the
> formbean and it returns a non-empty ActionErrors object, then the request is
> diverted to the resource that is set as the "input", in this case a jsp. Because
> of this, if a user were to put in some bogus field values in the url, she
> would be able to cause the formbean to not validate and get the jsp to
> display, bypassing the secure action. I can secure each jsp, but this is
> redundant if I have them in the WEB-INF folder in the first place. I would
> rather avoid this "fix".
>
> I know that overriding the default action class is a common way to secure
> your app as I have read about it in more than one place, however, I have never
> seen this problem addressed. Has anyone else run across this problem before
> and come up with a solution? Thanks in advance.
>
> Todd Bryant
> Programmer/Analyst
> University of Nebraska Foundation
> 402-472-0107




---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
