Posted to user@struts.apache.org by Todd Bryant <tb...@foundation.nebraska.edu> on 2004/04/08 15:34:04 UTC

RE: Problem with Formbean validate method forwarding to input page

Excellent idea Ray. I just need to set the validate param in the web.xml for
the action servlet to false. Then I am good. 

Thanks Ray, sometimes you just can't see the simple solutions when they are
right in front of you.
 

-----Original Message-----
From: Ray Madigan [mailto:ray@madigans.org] 
Sent: Wednesday, April 07, 2004 5:39 PM
To: Struts Users Mailing List; paul.barry@nyu.edu
Subject: RE: Problem with Formbean validate method forwarding to input page

Why don't you tell your action not to validate, and call validate yourself
in your action.  Seems like you will have all of the control you need.

-----Original Message-----
From: Paul Barry [mailto:paul.barry@nyu.edu]
Sent: Wednesday, April 07, 2004 3:18 PM
To: Struts Users Mailing List
Subject: Re: Problem with Formbean validate method forwarding to input page


The form bean is populated by the RequestProcessor, but you can put your
logic to validate the session wherever you want.  The easiest way to
understand it is to just look at the source code for
org.apache.struts.action.RequestProcessor.  It has a number of
processXXX methods, one being processPreprocess.  You might want to put
your session validation there, which does it before the bean is
instantiated, populated and validated and before processActionPerform is
called.



Todd Bryant wrote:

> Interesting. I have never looked at the request processor before. The main
> question I have is - is the formbean populated BEFORE the request processor
> runs or after? If the form bean is populated before the method you mention,
> then the request process will still be circumvented by the formbean.
>
> -----Original Message-----
> From: Paul Barry [mailto:paul.barry@nyu.edu]
> Sent: Wednesday, April 07, 2004 4:47 PM
> To: Struts Users Mailing List
> Subject: Re: Problem with Formbean validate method forwarding to input page
>
> Maybe you should be handling your security in the request processor.
> Have a method like this:
>
> protected ActionForward processActionPerform(
>          HttpServletRequest request,
>          HttpServletResponse response,
>          Action action,
>          ActionForm form,
>          ActionMapping mapping)
>          throws IOException, ServletException {
>      try {
>          // Authenticate the session before the Action runs.
>          validateSession(request);
>          return (action.execute(mapping, form, request, response));
>      } catch (Exception e) {
>          // Covers the SecurityException from validateSession as well as
>          // the checked Exception that Action.execute() declares.
>          return (processException(request, response, e, form, mapping));
>      }
> }
>
> Where validateSession throws a SecurityException if the user is not
> logged in and processException knows where to send the user to log in.
> There are different ways to do it, but the basic principle is to
> authenticate the user's session before the Action executes, so you don't
> have to worry about that in the Action.
>
> Todd Bryant wrote:
>
>>That is a good suggestion, and I had thought of that, but the problem is
>>that a user would have to go from the error page back to the page they were
>>on. This would make it prohibitively difficult to interact with this
>>particular app (too many clicks).
>>
>>-----Original Message-----
>>From: Paul Barry [mailto:paul.barry@nyu.edu]
>>Sent: Wednesday, April 07, 2004 4:07 PM
>>To: Struts Users Mailing List
>>Subject: Re: Problem with Formbean validate method forwarding to input page
>>
>>Make your input action an error page, which just has the error and no
>>sensitive data and make a success forward that you only send the user to
>>if everything checks out.
>>
>>Todd Bryant wrote:
>>
>>>I have need for every page in my web app to be secure. What I originally did
>>>was extend the Action class to make a secure action class. The
>>>SecureAction's perform method validates that the user is logged in and if
>>>not, sends them to the login page. All actions in my app extend
>>>SecureAction. To protect my jsp's, I put them in a subfolder of WEB-INF,
>>>WEB-INF/jsp. This way a user cannot directly access any jsp. They can only
>>>be accessed through a forward in an action. This completely secures all
>>>resources in my application.
>>>
>>>This is where I run into a problem. If I use the validate() method of the
>>>formbean and it returns a non-empty ActionErrors object, then the request is
>>>diverted to the resource that is set as the "input", in this case a jsp. Because
>>>of this, if a user were to put in some bogus field values in the url, she
>>>would be able to cause the formbean to not validate and get the jsp to
>>>display, bypassing the secure action. I can secure each jsp, but this is
>>>redundant if I have them in the WEB-INF folder in the first place. I would
>>>rather avoid this "fix".
>>>
>>>I know that overriding the default action class is a common way to secure
>>>your app as I have read about it more than one place, however, I have never
>>>seen this problem addressed. Has anyone else run across this problem before
>>>and come up with a solution? Thanks in advance.
>>>
>>>Todd Bryant
>>>Programmer/Analyst
>>>University of Nebraska Foundation
>>>402-472-0107
>>>

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
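
Added example (not part of the original thread and not Struts project code): a sketch of the processPreprocess approach Paul Barry describes, where the session check runs before the form bean is populated and validated, so a failed validate() can no longer forward an anonymous request to the "input" JSP. The class name, USER_KEY, LOGIN_PATH and the *.do servlet mapping are assumptions.

```java
// Added illustration; class name, USER_KEY and LOGIN_PATH are assumptions.
// Register it in struts-config.xml:
//   <controller processorClass="SecureRequestProcessor"/>
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.RequestProcessor;

public class SecureRequestProcessor extends RequestProcessor {

    // Session attribute assumed to be set by the login action on success.
    private static final String USER_KEY = "authenticatedUser";
    // Assumed login action path, with the ActionServlet mapped to *.do.
    private static final String LOGIN_PATH = "/login.do";

    /**
     * Runs before the form bean is created, populated and validated.
     * Returning false tells the RequestProcessor that the response is
     * complete, so validate() and the "input" forward are never reached.
     */
    protected boolean processPreprocess(HttpServletRequest request,
                                        HttpServletResponse response) {
        // The login action itself must stay reachable without a session.
        if (LOGIN_PATH.equals(request.getServletPath())) {
            return true;
        }
        // getSession(false): do not create a session for anonymous requests.
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute(USER_KEY) != null) {
            return true;
        }
        try {
            response.sendRedirect(response.encodeRedirectURL(
                    request.getContextPath() + LOGIN_PATH));
        } catch (IOException e) {
            // Redirect failed; log it and still fail closed below.
            servlet.log("Redirect to login failed", e);
        }
        return false;
    }
}
```

With this in place the per-Action login check becomes a second layer rather than the only one, and the JSPs under WEB-INF/jsp stay reachable only through requests that have already passed the session check.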