Posted to user@struts.apache.org by David Thielen <da...@windward.net> on 2006/01/19 23:13:45 UTC

struts/jsp security/access question

Hi;

 

I have a page admin.jsp that if a user is not an admin, they should never
see. I can make the standard way to get there be admin.do but that just
invites a hacker to type in admin.jsp, so I still have to ensure that
requests for admin.jsp are redirected for non-admin users.

 

Each page (jsp) and its Action class know who is allowed in. So I would
like to handle this in one of these two places. But the only two solutions I
have come up with are:

1.	A filter with all pages and who can access them in that one class -
dangerous because a new page can get added and the developer forgets to add
it to the authorization class.
2.	We have jsp pages that just do a check and redirect if the user is
not authorized. We then include the appropriate one at the top of each jsp
page. This works great if there are a small set of authorizations (this is
what I used before - every user was one of 3 types). However, it breaks down
for more than a couple of pre-defined authorization groups.
3.	All pages are accessed via preAction -> jsp -> submitAction. The
preAction sets a session attribute to the name of the jsp. The jsp page at
the top checks this attribute and if it is not its name, it redirects to
the home page. As a session attribute, as soon as the user goes to another
preAction, they can't go back to the previous jsp. So it forces the
pre/jsp/submit ordering. The downside to this is the back button will be
limited to the jsp page that the global attribute is set to, not going back
further.

 

Any other approaches?

 

Thanks - dave

 

 

David Thielen

www.windwardreports.com

303-499-2544

 


Re: struts/jsp security/access question

Posted by Dave Newton <ne...@pingsite.com>.
Leon Rosenberg wrote:
> 4. put all jsps under WEB-INF so they are NOT accessible via url.
> always link urls to actions and forward to jsps. Make a simple forward
> action (the only line: return mapping.findForward("success"); ) for
> jsps which do not need any preprocessing
>   
Or use the action mapping 'forward' property and avoid writing the
action at all ;)

Dave



---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


RE: struts/jsp security/access question

Posted by David Thielen <da...@windward.net>.
Because none of the books and articles I have seen mention it???

Thank you - that is a very clean solution.

Thanks - dave

 
David Thielen
www.windwardreports.com
303-499-2544

-----Original Message-----
From: Leon Rosenberg [mailto:rosenberg.leon@googlemail.com] 
Sent: Thursday, January 19, 2006 3:36 PM
To: Struts Users Mailing List
Subject: Re: struts/jsp security/access question

4. put all jsps under WEB-INF so they are NOT accessible via url.
always link urls to actions and forward to jsps. Make a simple forward
action (the only line: return mapping.findForward("success"); ) for
jsps which do not need any preprocessing

regards
Leon



Re: struts/jsp security/access question

Posted by Leon Rosenberg <ro...@googlemail.com>.
4. put all jsps under WEB-INF so they are NOT accessible via url.
always link urls to actions and forward to jsps. Make a simple forward
action (the only line: return mapping.findForward("success"); ) for
jsps which do not need any preprocessing

regards
Leon

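Leon's point 4 and Dave Newton's amendment, worked through as an added example (this is not configuration posted in the thread): a Struts 1.x deployment that keeps every JSP under WEB-INF, reaches it only through an action mapping, and uses the mapping's forward attribute so that no Action class has to be written for a pass-through page. The file layout, the path /WEB-INF/jsp/, the role name admin and the class name com.example.web.AdminReportAction are assumptions made for the illustration.

```xml
<!-- Added example, not from the thread. Paths, the role name "admin" and the
     Action class name are assumptions. Requires Struts 1.1 or later for the
     roles attribute. -->

<!-- web.xml fragment: every *.do request is handled by the Struts ActionServlet.
     Nothing maps *.jsp under /WEB-INF/, and the servlet container never serves
     /WEB-INF/ content directly, so GET /admin.jsp (the file no longer exists
     there) and GET /WEB-INF/jsp/admin.jsp both return 404 to a browser. -->
<servlet>
  <servlet-name>action</servlet-name>
  <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
  <init-param>
    <param-name>config</param-name>
    <param-value>/WEB-INF/struts-config.xml</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
  <servlet-name>action</servlet-name>
  <url-pattern>*.do</url-pattern>
</servlet-mapping>

<!-- struts-config.xml: the only way to render a JSP is a server-side forward
     from an action mapping (RequestDispatcher.forward can reach /WEB-INF/). -->
<struts-config>
  <action-mappings>

    <!-- Dave Newton's variant: the forward attribute sends /admin.do straight to
         the JSP, so there is no Action class at all. roles="admin" makes the
         RequestProcessor reject the request before forwarding unless
         request.isUserInRole("admin") is true, which in turn depends on
         container-managed security (security-constraint / login-config in
         web.xml) being in place. -->
    <action path="/admin"
            forward="/WEB-INF/jsp/admin.jsp"
            roles="admin"/>

    <!-- Leon's variant for a page that does need preprocessing: a real Action
         whose execute() ends with return mapping.findForward("success").
         The class name is hypothetical. -->
    <action path="/adminReport"
            type="com.example.web.AdminReportAction"
            roles="admin">
      <forward name="success" path="/WEB-INF/jsp/adminReport.jsp"/>
    </action>

  </action-mappings>
</struts-config>
```

Two things to check before relying on this. First, the WEB-INF placement closes the "type admin.jsp into the address bar" route regardless of how authorization is done, because the container refuses to serve that directory; it does not by itself decide who may run /admin.do. Second, the roles attribute only means something when the container knows the user's roles; an application that does its own login and keeps the result in a session attribute must do the admin check in the Action (or a RequestProcessor subclass) instead, and the forward-only mapping then still needs that Action in front of it.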