<security-constraint>
  <web-resource-collection>
    <web-resource-name>noAccess</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
Erik
Steven Leija wrote:
I'm currently running into the same situation. If you added to your web-inf directory. Do you
just create a dir called "jsp"? and treat that as your root? Is there any sort of
special path or configuration needed for this? I'm using Tomcat 5.0.
Thanks,
Steven
Hi
I am going to use custom tags for checking
access to JSP, if no user/bean bean in session,
then direct to login page.
And I am also going to check admin bean again
in Action before invoking life cycle methods
on business beans.
Now am I overkill with authentication??
Way overkill. Put your JSPs in WEB-INF, and no one can get at them. If your
container is new enough to handle filters, use them instead. Otherwise, use a
BaseSecurityAction that overrides execute, does the check and then calls
whateverYouWantForYourActualExecutionCode(same params as execute).
>
> I mean, if all JSP pages that require user/admin
> access have a custom tag that checks for access
> at top, then I don't really need to check
> for authentication in Action classes.
You shouldn't allow access to your jsp pages.
>
> But it may also be good practice to double check
> for whatever reason.
>
> Just curious what's the usual practice u ppl do.
>
> Thanks
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
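The BaseSecurityAction approach suggested in the reply above, sketched for Struts 1 as an added example; it is not code from any poster in this thread. The session attribute names "user" and "admin", the "login" forward, and the method names securedExecute and isAuthorized are assumptions made for illustration.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public abstract class BaseSecurityAction extends Action {

    // Assumed names: the attribute the login action stores in the session,
    // and a global forward to the login page defined in struts-config.xml.
    protected static final String USER_KEY = "user";
    protected static final String LOGIN_FORWARD = "login";

    // final, so a subclass cannot override execute() and bypass the check.
    public final ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        // getSession(false): never create a session for an anonymous request.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_KEY) == null) {
            return mapping.findForward(LOGIN_FORWARD);
        }
        if (!isAuthorized(session)) {
            // Logged in but not allowed: answer 403; returning null tells
            // Struts the response has already been completed.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return null;
        }
        return securedExecute(mapping, form, request, response);
    }

    // Hook for role checks. An admin-only action (hypothetical) overrides it:
    //   return session.getAttribute("admin") != null;
    protected boolean isAuthorized(HttpSession session) {
        return true;
    }

    // Subclasses put their real work here; same parameters as execute().
    protected abstract ActionForward securedExecute(ActionMapping mapping,
            ActionForm form, HttpServletRequest request,
            HttpServletResponse response) throws Exception;
}
```

With the JSPs under WEB-INF (or blocked by the security-constraint at the top of this thread), every page is reached only through an action, so this one check covers both the action and the view it forwards to.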