Posted to user@struts.apache.org by Legolas Woodland <le...@gmail.com> on 2005/10/09 23:13:38 UTC

What is best practice for securing a Struts based web application?

Hi
Thank you for reading my mail.
I used a simple login page + add a session variable after logging in
to check the security of my system. The login page tests, and if the session
variable is present it shows some other links like: edit profile, orders,
... and if the session variable is not present it shows the
user/password dialog.
All other pages check the same thing before they do any job.
I store user names and passwords in the database.
Is it the correct way? Is there any framework, tag library, ... that makes
the job easier and more advanced looking?
Thank you

Re: What is best practice for securing a Struts based web application?

Posted by Wendy Smoak <ja...@wendysmoak.com>.
From: "Legolas Woodland" <le...@gmail.com>

> I used a simple login page + add a session variable after logging in
> to check the security of my system. The login page tests, and if the
> session variable is present it shows some other links like: edit profile,
> orders, ... and if the session variable is not present it shows the
> user/password dialog.
> All other pages check the same thing before they do any job.
> I store user names and passwords in the database.
> Is it the correct way? Is there any framework, tag library, ... that
> makes the job easier and more advanced looking?

If you want to take advantage of the 'user roles' of container managed
security, for example with the Struts <logic:present role="..."> tag or
Struts Menu to conditionally display menu items based on roles, here are a
couple of options:

With the user information already in a database, you might want to use
JDBCRealm or DataSourceRealm:
   http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html

Another way is to put a Filter in front of your webapp and wrap the request
so you have control of the 'isUserInRole' method.  There is some information
here...
   http://wiki.wsmoak.net/cgi-bin/wiki.pl?TomcatRequestWrapper

There are other options... which one is best depends on your requirements. 
If you don't expect this to get more complex than "logged in or not" then 
what you're doing now with putting a 'user' object in the session is fine.

HTH,
-- 
Wendy Smoak
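The second option above (a Filter that wraps the request so the application, not the container's Realm, answers isUserInRole) is the one that fits the original poster's existing "user object in the session" design with the least change. The following is an added example written for this archive page; it is not code from the thread, from Struts, or from the wiki page linked above. It assumes a Servlet 2.4 / Tomcat 5.5 era API (javax.servlet, no generics), that the login action stores a SessionUser under the session attribute name "user", and that the class names SessionRoleFilter, RoleAwareRequest and SessionUser are hypothetical.

```java
package example.security; // hypothetical package name, not from the thread

import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

/**
 * Wraps every request so that request.isUserInRole(), getRemoteUser() and
 * getUserPrincipal() are answered from the SessionUser object that the login
 * action stored in the HttpSession. Struts' <logic:present role="..."> calls
 * request.isUserInRole(), so role-based menus work without a container Realm.
 */
public class SessionRoleFilter implements Filter {

    /** Session attribute under which the login action stores the user (assumed name). */
    public static final String USER_ATTR = "user";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // getSession(false): never create a session merely to read from it
        HttpSession session = http.getSession(false);
        Object attr = session == null ? null : session.getAttribute(USER_ATTR);
        SessionUser user = attr instanceof SessionUser ? (SessionUser) attr : null;
        chain.doFilter(new RoleAwareRequest(http, user), res);
    }

    /** Overrides only the three security methods; everything else is delegated. */
    static class RoleAwareRequest extends HttpServletRequestWrapper {
        private final SessionUser user;

        RoleAwareRequest(HttpServletRequest req, SessionUser user) {
            super(req);
            this.user = user;
        }

        public boolean isUserInRole(String role) {
            // Anonymous requests are in no role at all, including "user"
            return user != null && user.hasRole(role);
        }

        public String getRemoteUser() {
            return user == null ? null : user.getName();
        }

        public Principal getUserPrincipal() {
            return user;
        }
    }

    /** Immutable user object the login action puts in the session after verifying credentials. */
    public static class SessionUser implements Principal, java.io.Serializable {
        private final String name;
        private final Set roles; // Set of String; pre-generics style for a Servlet 2.4 container

        public SessionUser(String name, Set roles) {
            this.name = name;
            // defensive copy so later changes to the caller's Set cannot grant roles
            this.roles = Collections.unmodifiableSet(new HashSet(roles));
        }
        public String getName() { return name; }
        public boolean hasRole(String role) { return roles.contains(role); }
    }
}
```

Map the filter in web.xml with a <filter-mapping> whose <url-pattern> is /* so every Action and JSP sees the wrapped request. Two caveats a practitioner should keep in mind: this wrapper only affects programmatic checks (request.isUserInRole and the Struts tags built on it); any <security-constraint> in web.xml is still enforced by the container through its Realm before the filter chain runs, so declarative constraints need the JDBCRealm/DataSourceRealm route from the first option. And when the login action verifies the password (which should be stored as a hash, not in clear text), invalidate the pre-login session and store the SessionUser in a freshly created one, so a session id fixed by an attacker before login does not become an authenticated session.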



---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org