Posted to user@struts.apache.org by mojoRising <jp...@averoinc.com> on 2008/03/12 17:30:25 UTC

authentication question

struts 2 - java - jsp
Hi. I am trying to configure an authentication/login interceptor. The idea
being, of course, to prevent someone from accessing a page unless they
are logged in. We can assume that means they have a user object stored in
the session.
Now I understand how to plug in an interceptor to check for this, but what I
am missing is: How do I prevent someone from accessing a JSP page if they DO
NOT CALL an action, but type in the URL themselves? E.g. if someone types in
http://www.mysite.com/pages/main.jsp how do I intercept that?
-- 
View this message in context: http://www.nabble.com/authentication-question-tp16006710p16006710.html
Sent from the Struts - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: authentication question

Posted by Ian Roughley <ia...@fdar.com>.
The easiest way is to always have the user call an action to get a JSP, 
even if it is a simple page.  You then also ensure that all data 
necessary for that page has been obtained.  Then, by placing the JSPs in 
the WEB-INF directory you will prevent access directly from a browser 
(only from the S2 dispatcher).

Otherwise, I would suggest a servlet filter or header code for all JSPs 
that make the necessary checks.

/Ian

-- 
Ian Roughley
From Down & Around, Inc.
Consulting * Training / Mentoring * Agile Process * Open Source
web: http://www.fdar.com - email: ian@fdar.com



mojoRising wrote:
> struts 2 - java - jsp
> Hi. I am trying to configure an authentication/login interceptor. The idea
> being, of course, to prevent someone from accessing a page unless they
> are logged in. We can assume that means they have a user object stored in
> the session.
> Now I understand how to plug in an interceptor to check for this, but what I
> am missing is: How do I prevent someone from accessing a jsp page if they DO
> NOT CALL an action, but type in the url themselves? E.g. If someone types in
> http://www.mysite.com/pages/main.jsp how do I intercept that?
>   

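A worked version of Ian's suggestion, added here as an example (it is not code from this thread or from the Struts project): a Struts 2 interceptor that short-circuits any action when no user object is in the session, and, in the leading comment, the struts.xml that wires it in and keeps every JSP under /WEB-INF so that even a "simple page" is reached through an action. The session key "user", the result name "login", the package, class and action names are assumptions; the "redirect-action" result type name and the /WEB-INF/pages/{1}.jsp layout follow the configuration posted later in this thread (in Struts 2.1 and later the type is spelled "redirectAction").

```java
// Added example, not from the thread. Assumed: session key "user", result name
// "login", action login_input in namespace /pages, package/class names below.
//
// struts.xml fragment that uses this interceptor (assumed layout):
//
//   <package name="secure" namespace="/pages" extends="struts-default">
//     <interceptors>
//       <interceptor name="login" class="example.LoginInterceptor"/>
//       <interceptor-stack name="secureStack">
//         <interceptor-ref name="login"/>
//         <interceptor-ref name="defaultStack"/>
//       </interceptor-stack>
//     </interceptors>
//     <default-interceptor-ref name="secureStack"/>
//     <global-results>
//       <result name="login" type="redirect-action">login_input</result>
//     </global-results>
//
//     <!-- the login action must not be guarded, or the redirect loops -->
//     <action name="login_*" method="{1}" class="pages.Login">
//       <interceptor-ref name="defaultStack"/>
//       <result name="input">/WEB-INF/pages/login.jsp</result>
//       <result name="success" type="redirect-action">main</result>
//     </action>
//
//     <!-- every other page, even a static one, goes through an action and a
//          result under /WEB-INF, so /pages/main.jsp typed into the browser
//          is never served by the container -->
//     <action name="*" class="pages.Support">
//       <result>/WEB-INF/pages/{1}.jsp</result>
//     </action>
//   </package>
package example;

import java.util.Map;

import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

public class LoginInterceptor extends AbstractInterceptor {

    /** Session key under which the application stores the logged-in user (assumed). */
    public static final String USER_KEY = "user";

    /** Result name mapped, as a global result, to the login page (assumed). */
    public static final String LOGIN_RESULT = "login";

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        Map<String, Object> session = invocation.getInvocationContext().getSession();
        if (session == null || session.get(USER_KEY) == null) {
            // Returning a result name instead of calling invoke() means the
            // action's execute() never runs; Struts renders the "login" result.
            return LOGIN_RESULT;
        }
        return invocation.invoke();
    }
}
```

Because the guarded package makes secureStack its default, every action that does not name its own stack is protected, and a new action cannot be added in an unprotected state by accident; the login action opts out explicitly.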


Re: authentication question

Posted by Laurie Harper <la...@holoweb.net>.
Plus: nothing under WEB-INF can be referenced by a browser, so JSPs 
stored there can't be called directly.

Minus: nothing under WEB-INF can be referenced by a browser, so JSPs 
stored there can't be called directly... :-)

It depends on your requirements. But generally you will want to route 
requests for all but the simplest of pages through an action. By placing 
the corresponding JSP under WEB-INF, you ensure it can never be accessed 
*except* through an action.

L.

mojoRising wrote:
> Is this considered the Best Practice: Keeping all JSP's under the WEB-INF
> directory? We have not done that on my project, I am curious if there are
> pluses and minuses to this?
> 
> Thanks,
> John
> 
> 
> 
> The easiest way is to always have the user call an action to get a JSP, 
> even if it is a simple page.  You then also ensure that all data 
> necessary for that page has been obtained.  Then, by placing the JSPs in 
> the WEB-INF directory you will prevent access directly from a browser 
> (only from the s2 dispatcher).
> 
> Otherwise, I would suggest a servlet filter or header code for all JSPs 
> that make the necessary checks.
> 
> /Ian
> 


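For a project that, like the original poster's, still has JSPs outside WEB-INF, Ian's fallback is a servlet filter. The following is an added example of such a filter (not code from the thread or from Struts), written against the javax.servlet API of Servlet 2.4/2.5. Unlike a Struts interceptor, it runs for every request to the web app, so it also sees /pages/main.jsp typed straight into the browser. The session attribute "user", the login action URL, the list of anonymous paths and the /static/ prefix are assumptions; it must be mapped in web.xml on /* ahead of the Struts filter.

```java
// Added example, not from the thread. Assumed: session attribute "user",
// login action /pages/login_input.action, anonymous paths listed below.
//
// web.xml registration (place this filter-mapping before the Struts one):
//
//   <filter>
//     <filter-name>loginFilter</filter-name>
//     <filter-class>example.LoginFilter</filter-class>
//   </filter>
//   <filter-mapping>
//     <filter-name>loginFilter</filter-name>
//     <url-pattern>/*</url-pattern>
//   </filter-mapping>
package example;

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginFilter implements Filter {

    /** Session attribute holding the logged-in user object (assumed name). */
    static final String USER_ATTR = "user";

    /** Where anonymous users are sent (assumed action, namespace /pages as in the thread). */
    static final String LOGIN_URL = "/pages/login_input.action";

    /** Paths that must stay reachable without a session, or login itself becomes unreachable. */
    private static final Set<String> PUBLIC_PATHS = new HashSet<String>(Arrays.asList(
            LOGIN_URL, "/pages/login_execute.action", "/pages/logout.action"));

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String path = appPath(request);

        if (isDirectJspRequest(path)) {
            // Nobody, logged in or not, gets a JSP by its file name. JSPs under
            // WEB-INF are unreachable anyway; this covers the ones still outside it.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        if (isPublic(path) || isLoggedIn(request)) {
            chain.doFilter(req, res);
            return;
        }
        response.sendRedirect(request.getContextPath() + LOGIN_URL);
    }

    public void destroy() { }

    /**
     * Path inside the web app as the container mapped it, e.g. "/pages/main.jsp".
     * servletPath + pathInfo is already URL-decoded, so "/pages/main%2Ejsp" cannot
     * slip past the suffix check; getRequestURI() would still be undecoded.
     */
    static String appPath(HttpServletRequest request) {
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        return path;
    }

    static boolean isDirectJspRequest(String path) {
        String lower = path.toLowerCase();   // main.JSP on a case-insensitive file system
        return lower.endsWith(".jsp") || lower.endsWith(".jspx");
    }

    static boolean isPublic(String path) {
        return PUBLIC_PATHS.contains(path) || path.startsWith("/static/");
    }

    static boolean isLoggedIn(HttpServletRequest request) {
        HttpSession session = request.getSession(false);   // do not create one just to look
        return session != null && session.getAttribute(USER_ATTR) != null;
    }
}
```

The filter is a deny-by-default list: anything not explicitly public needs a session with a user in it. The JSP check comes before the login check so that a logged-in user cannot bypass the action layer either; a forward from a Struts result to the JSP does not pass through the filter chain again (filters apply to REQUEST dispatches unless web.xml says otherwise), so the results under /WEB-INF keep working.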


Re: authentication question

Posted by Jeromy Evans <je...@blueskyminds.com.au>.

mojoRising wrote:
> Thanks. That's interesting. I am using Weblogic9.2, and I seem to have no
> problem using the request object in the jsp (for getParameter at least). I
> am wondering what type of request object manipulation, as you are referring
> to, may cause issues?

I don't recall specifics any more, but it resulted in anchors like this: 
<a href="/WEB-INF/anotherjsp.jsp"> instead of <a href="/anotherjsp.jsp"> 
because of the way the path was constructed.

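The dead anchor Jeromy describes comes from the forward: Struts 2 reaches a JSP result with RequestDispatcher.forward(), so inside the JSP request.getRequestURI() names the JSP file under /WEB-INF, while the URL the browser actually asked for is kept in the javax.servlet.forward.* request attributes (Servlet 2.4 and later). The helper below is an added illustration, not code from the thread: it shows the value a scriptlet wrongly builds on, and how to build the link from the public URL instead. The context path /app, the page names and the .action extension in the comments are assumptions.

```java
// Added example, not from the thread. Assumed context path "/app", page
// names "main"/"other" and a ".action" extension in the comments.
package example;

import javax.servlet.http.HttpServletRequest;

public final class PublicPath {

    /** Set by the container on the forwarded request (Servlet 2.4, section 8.4.2). */
    static final String FORWARD_REQUEST_URI = "javax.servlet.forward.request_uri";

    private PublicPath() { }

    /**
     * The URI the browser requested, e.g. "/app/pages/main.action", even when
     * called from a JSP that was forwarded to as "/app/WEB-INF/pages/main.jsp".
     * Falls back to getRequestURI() when the request was not forwarded.
     */
    public static String requestedUri(HttpServletRequest request) {
        Object original = request.getAttribute(FORWARD_REQUEST_URI);
        return original != null ? original.toString() : request.getRequestURI();
    }

    /**
     * What the bad scriptlet does: derive a sibling link from the JSP's own URI.
     * From /app/WEB-INF/pages/main.jsp this yields /app/WEB-INF/pages/other.jsp,
     * which the container never serves (WEB-INF is not browsable), so the link
     * is dead, exactly the anchor described above.
     */
    public static String siblingLinkBroken(HttpServletRequest request, String page) {
        String uri = request.getRequestURI();
        return uri.substring(0, uri.lastIndexOf('/') + 1) + page + ".jsp";
    }

    /**
     * The fix: start from the public URL and point at an action, so the next
     * request goes through the interceptor stack and its result under /WEB-INF.
     * From /app/pages/main.action this yields /app/pages/other.action.
     */
    public static String siblingLink(HttpServletRequest request, String page) {
        String uri = requestedUri(request);
        return uri.substring(0, uri.lastIndexOf('/') + 1) + page + ".action";
    }
}
```

In a Struts 2 page the tag library already does this for you: <s:url action="other"/> (or <s:a action="other">) builds the link from the action mapping, not from the JSP's location, which is one more reason to prefer the tags over scriptlets once JSPs move under WEB-INF.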


Re: authentication question

Posted by mojoRising <jp...@averoinc.com>.
Thanks. That's interesting. I am using Weblogic9.2, and I seem to have no
problem using the request object in the jsp (for getParameter at least). I
am wondering what type of request object manipulation, as you are referring
to, may cause issues?




Jeromy Evans - Blue Sky Minds wrote:
> 
> 
> The only issue I've experienced is when (bad) scriptlets within the JSP 
> manipulate the request object directly, which is assumed to use the 
> /xxx.jsp URI but is actually /WEB-INF/results/xxx.jsp.
> 
> Many would argue that best practice is to not use JSPs at all.  Another 
> group would argue that Acegi should be used rather than rolling your own 
> filter.
> 
> Hope that helps.
> 
> mojoRising wrote:
>> Is this considered the Best Practice: Keeping all JSP's under the WEB-INF
>> directory? We have not done that on my project, I am curious if there are
>> pluses and minuses to this?
>>
>> Thanks,
>> John
>>
>>
>>
>> The easiest way is to always have the user call an action to get a JSP, 
>> even if it is a simple page.  You then also ensure that all data 
>> necessary for that page has been obtained.  Then, by placing the JSPs in 
>> the WEB-INF directory you will prevent access directly from a browser 
>> (only from the s2 dispatcher).
>>
>> Otherwise, I would suggest a servlet filter or header code for all JSPs 
>> that make the necessary checks.
>>
>> /Ian
>>
>>   
> 

-- 
View this message in context: http://www.nabble.com/authentication-question-tp16006710p16123101.html
Sent from the Struts - User mailing list archive at Nabble.com.




Re: authentication question

Posted by Mike Jennings <gj...@gmjjavadesigns.com>.
I use Acegi security to make sure that all of my pages are secure.  I 
find it very flexible, but not always easy to configure.

If you are already using Spring as your IoC, then you might as well take 
advantage of Acegi.

Jeromy Evans wrote:
> I've been told that some older containers don't allow you to forward to 
> JSP's behind /WEB-INF. It wouldn't surprise me.
> Other than that I've found Ian's suggestion to be the most effective way 
> to ensure users can't access JSPs directly, IMO a must for Tiles, html 
> fragments and any page using struts tags.
> 
> The only issue I've experienced is when (bad) scriptlets within the JSP 
> manipulate the request object directly, which is assumed to use the 
> /xxx.jsp URI but is actually /WEB-INF/results/xxx.jsp.
> 
> Many would argue that best practice is to not use JSPs at all.  Another 
> group would argue that Acegi should be used rather than rolling your own 
> filter.
> 
> Hope that helps.
> 
> mojoRising wrote:
>> Is this considered the Best Practice: Keeping all JSP's under the WEB-INF
>> directory? We have not done that on my project, I am curious if there are
>> pluses and minuses to this?
>>
>> Thanks,
>> John
>>
>>
>>
>> The easiest way is to always have the user call an action to get a 
>> JSP, even if it is a simple page.  You then also ensure that all data 
>> necessary for that page has been obtained.  Then, by placing the JSPs 
>> in the WEB-INF directory you will prevent access directly from a 
>> browser (only from the s2 dispatcher).
>>
>> Otherwise, I would suggest a servlet filter or header code for all 
>> JSPs that make the necessary checks.
>>
>> /Ian
>>
>>   
> 




Execute method is not called

Posted by mojoRising <jp...@averoinc.com>.
I apologize for the vague nature of this question. To clarify, I have a login
page that works for the input method, but will not call the execute method.
I have logging comments that show that when I call the action for my form,
the prepare method fires, then the validate method completes(without
errors), and then it just stops...it never calls the execute method. Any
idea what could cause that? 

My form tag:

<s:form validate="true" cssClass="goLoginTable" action="login_execute"
        method="post" namespace="/pages" theme="goForm">

My struts.xml file:

<package name="pages" namespace="/pages" extends="AveroSecure">
    <action name="login_*" method="{1}" class="pages.Login">
        <interceptor-ref name="paramsPrepareParamsStack"/>
        <result name="execute">/WEB-INF/pages/login.jsp</result>
        <result name="input">/WEB-INF/pages/login.jsp</result>
        <result name="error">/WEB-INF/pages/login.jsp</result>
        <result name="success" type="redirect-action">
            terms_input
            /userMgmt
            true
            true
            login
        </result>
    </action>

    <action name="*" class="pages.Support">
        <result>/WEB-INF/pages/{1}.jsp</result>
    </action>

    <action name="logout" class="pages.Logout">
        <result>/WEB-INF/pages/logout.jsp</result>
    </action>
</package>




mojoRising wrote:
> 
> I have moved all JSPs under the WEB-INF directory (e.g.
> /WEB-INF/pages/login.jsp), and this solution seems to work perfectly on my
> local environment with exploded directory structure. However, Struts seems
> to not be working at all when we package and deploy an ear file (before I
> moved the jsp's it had been working with ear deployment)...I am still
> troubleshooting, but any ideas what could be the issue here?
> 
> Thanks
> 
> John
> 

-- 
View this message in context: http://www.nabble.com/authentication-question-tp16006710p16202155.html
Sent from the Struts - User mailing list archive at Nabble.com.




Re: authentication question

Posted by mojoRising <jp...@averoinc.com>.
I have moved all JSPs under the WEB-INF directory (e.g.
/WEB-INF/pages/login.jsp), and this solution seems to work perfectly on my
local environment with exploded directory structure. However, Struts seems
to not be working at all when we package and deploy an ear file (before I
moved the jsp's it had been working with ear deployment)...I am still
troubleshooting, but any ideas what could be the issue here?

Thanks

John


Jeromy Evans - Blue Sky Minds wrote:
> 
> I've been told that some older containers don't allow you to forward to 
> JSP's behind /WEB-INF. It wouldn't surprise me.
> Other than that I've found Ian's suggestion to be the most effective way 
> to ensure users can't access JSPs directly, IMO a must for Tiles, html 
> fragments and any page using struts tags.
> 
> The only issue I've experienced is when (bad) scriptlets within the JSP 
> manipulate the request object directly, which is assumed to use the 
> /xxx.jsp URI but is actually /WEB-INF/results/xxx.jsp.
> 
> Many would argue that best practice is to not use JSPs at all.  Another 
> group would argue that Acegi should be used rather than rolling your own 
> filter.
> 
> Hope that helps.
> 
> mojoRising wrote:
>> Is this considered the Best Practice: Keeping all JSP's under the WEB-INF
>> directory? We have not done that on my project, I am curious if there are
>> pluses and minuses to this?
>>
>> Thanks,
>> John
>>
>>
>> The easiest way is to always have the user call an action to get a JSP, 
>> even if it is a simple page.  You then also ensure that all data 
>> necessary for that page has been obtained.  Then, by placing the JSPs in 
>> the WEB-INF directory you will prevent access directly from a browser 
>> (only from the s2 dispatcher).
>>
> 

-- 
View this message in context: http://www.nabble.com/authentication-question-tp16006710p16198339.html
Sent from the Struts - User mailing list archive at Nabble.com.




Re: authentication question

Posted by Jeromy Evans <je...@blueskyminds.com.au>.
I've been told that some older containers don't allow you to forward to 
JSPs behind /WEB-INF. It wouldn't surprise me.
Other than that I've found Ian's suggestion to be the most effective way 
to ensure users can't access JSPs directly, IMO a must for Tiles, html 
fragments and any page using struts tags.

The only issue I've experienced is when (bad) scriptlets within the JSP 
manipulate the request object directly, which is assumed to use the 
/xxx.jsp URI but is actually /WEB-INF/results/xxx.jsp.

Many would argue that best practice is to not use JSPs at all.  Another 
group would argue that Acegi should be used rather than rolling your own 
filter.

Hope that helps.

mojoRising wrote:
> Is this considered the Best Practice: Keeping all JSP's under the WEB-INF
> directory? We have not done that on my project, I am curious if there are
> pluses and minuses to this?
>
> Thanks,
> John
>
>
>
> The easiest way is to always have the user call an action to get a JSP, 
> even if it is a simple page.  You then also ensure that all data 
> necessary for that page has been obtained.  Then, by placing the JSPs in 
> the WEB-INF directory you will prevent access directly from a browser 
> (only from the s2 dispatcher).
>
> Otherwise, I would suggest a servlet filter or header code for all JSPs 
> that make the necessary checks.
>
> /Ian
>
>   




Re: authentication question

Posted by mojoRising <jp...@averoinc.com>.
Is this considered the Best Practice: Keeping all JSP's under the WEB-INF
directory? We have not done that on my project, I am curious if there are
pluses and minuses to this?

Thanks,
John



The easiest way is to always have the user call an action to get a JSP, 
even if it is a simple page.  You then also ensure that all data 
necessary for that page has been obtained.  Then, by placing the JSPs in 
the WEB-INF directory you will prevent access directly from a browser 
(only from the s2 dispatcher).

Otherwise, I would suggest a servlet filter or header code for all JSPs 
that make the necessary checks.

/Ian

-- 
View this message in context: http://www.nabble.com/authentication-question-tp16006710p16121577.html
Sent from the Struts - User mailing list archive at Nabble.com.



