Posted to user@struts.apache.org by "Garner, Shawn" <sh...@pearson.com> on 2006/02/10 17:24:42 UTC

security struts action servlet

I was messing around with security in the web.xml and tried to implement
authorization restrictions with the struts-blank.war.

I put restrictions on the /pages/* directory.

Funny thing is that it seems that since the index.jsp does a redirect to the
pages directory and the action servlet does the mapping from welcome.do to
/pages/Welcome.jsp that I am not prompted for a username and password.

But if I literally type in /pages/Welcome.jsp into the browser it prompts me
for a password.

I read the servlet api but I couldn't find much to do with servlet security.

 

I wasn't sure how to get my action servlet to obey the /pages/* security
rule too.

 

Any help? 

 

Shawn


**************************************************************************** 
This email may contain confidential material. 
If you were not an intended recipient, 
Please notify the sender and delete all copies. 
We may monitor email to and from our network. 
****************************************************************************

Re: security struts action servlet

Posted by Craig McClanahan <cr...@apache.org>.
On 2/10/06, Garner, Shawn <sh...@pearson.com> wrote:
>
> I was messing around with security in the web.xml and tried to implement
> authorization restrictions with the struts-blank.war.
>
> I put restrictions on the /pages/* directory.
>
> Funny thing is that it seems that since the index.jsp does a redirect to the
> pages directory and the action servlet does the mapping from welcome.do to
> /pages/Welcome.jsp that I am not prompted for a username and password.


Are you sure it's doing a redirect?  If this were a forward, the symptom you
described would be the expected behavior, since security constraints are
only applied on the original request.

Craig

> But if I literally type in /pages/Welcome.jsp into the browser it prompts me
> for a password.
>
> I read the servlet api but I couldn't find much to do with servlet
> security.
>
>
>
> I wasn't sure how to get my action servlet to obey the /pages/* security
> rule too.
>
>
>
> Any help?
>
>
>
> Shawn
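The point made in the reply above, that security constraints are checked only against the original client request and not against an internal forward, shown as a web.xml fragment. This is an added example, not part of the original thread; it assumes the ActionServlet is mapped to *.do (the thread mentions welcome.do), and the role and realm names are placeholders.

```xml
<!-- Added example. Role name "user" and the realm name are assumed placeholders. -->

<!-- Before: only the JSP directory is constrained.
     A client request for /welcome.do matches no constraint, and the
     ActionServlet's internal forward to /pages/Welcome.jsp is not
     re-checked by the container, so no login prompt appears.
     A direct request for /pages/Welcome.jsp does match and is challenged. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Pages only</web-resource-name>
    <url-pattern>/pages/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<!-- After (replaces the block above): also constrain the URL pattern the
     client actually requests, so the check happens before the ActionServlet
     runs. /pages/* stays listed to keep direct JSP access protected. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Actions and pages</web-resource-name>
    <url-pattern>*.do</url-pattern>
    <url-pattern>/pages/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Example realm</realm-name>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>
```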