> -----Original Message----- > From: struts Dude [mailto:[EMAIL PROTECTED] > Sent: Wednesday, August 25, 2004 5:50 AM > To: Struts Users Mailing List > Subject: Question about authentication > > > Hi > I am going to use custom tags for checking > access to Jsp, if no user/bean bean in session, > then direct to login page. > > And I am also going to check admin bean again > in Action before invoking life cycle methods > on business beans. > > Now am I over kill with authentication??
Way overkill. Put your jsps in WEB-INF, and no one can get at them. If your container is new enough to handle filters, use them instead. Otherwise, use a BaseSecurityAction that overrides execute, does the check and then calls whateverYouWantForYourActualExecutionCode( same params as execute). > > I mean, if all JSP pages that require user/admin > access has custom tag that check for access > at top, then i don't really need to check > for authentication in Action classess. You shouldn't allow access to your jsp pages. > > But it may also be good practice to double check > for whatever reason. > > Just curious what's the usual practice u ppl do. > > Thanks > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
