> -----Original Message-----
> From: Steven Leija [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 25, 2004 2:15 PM
> To: Struts Users Mailing List
> Subject: RE: Question about authentication
>
>
> I'm currently running into the same situation. If you added
> to your web-inf directory. Do you just create a dir called
> "jsp"? and treat that as your root? Is there any sort of
> special path or configuration needed for this? I'm using Tomcat 5.0.

No special configuration needed; you forward to /WEB-INF/jsp/yourpage.jsp. Any Servlet or JSP can access anything in WEB-INF. The only thing to remember is you cannot type in the jsp from the browser; you have to go through an action. Which is what ForwardAction is for :) If you don't like this, you could incorporate container-managed security to restrict all *.jsp to a dummy role.

>
> Thanks,
>
> Steven
>
> > Hi
> > I am going to use custom tags for checking
> > access to Jsp, if no user/bean bean in session,
> > then direct to login page.
> >
> > And I am also going to check admin bean again
> > in Action before invoking life cycle methods
> > on business beans.
> >
> > Now am I over kill with authentication??
>
> Way overkill. Put your jsps in WEB-INF, and no one can
> get at them. If your container is new enough to handle
> filters, use them instead. Otherwise, use a
> BaseSecurityAction that overrides execute, does the check and
> then calls whateverYouWantForYourActualExecutionCode( same
> params as execute).
>
> >
> > I mean, if all JSP pages that require user/admin
> > access has custom tag that check for access
> > at top, then i don't really need to check
> > for authentication in Action classes.
>
> You shouldn't allow access to your jsp pages.
>
> >
> > But it may also be good practice to double check
> > for whatever reason.
> >
> > Just curious what's the usual practice u ppl do.
> >
> > Thanks
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
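
The BaseSecurityAction approach suggested in the quoted reply, written out for Struts 1 as an added example; it is not code from this thread or from the Struts project. The session attribute name "user", the global forward name "login" and the method name executeSecured are assumptions made for illustration.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/**
 * Base class for every action that requires a logged-in user.
 * Assumptions (not from the thread): the login action stores a bean under
 * the session attribute "user", and struts-config.xml defines a global
 * forward named "login" that leads to the login page.
 */
public abstract class BaseSecurityAction extends Action {

    private static final String USER_KEY = "user";       // assumed attribute name
    private static final String LOGIN_FORWARD = "login"; // assumed global forward

    // final: a subclass cannot skip the check by overriding execute().
    public final ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        // getSession(false) does not create a session for anonymous requests.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_KEY) == null) {
            return mapping.findForward(LOGIN_FORWARD);
        }
        // Authenticated: run the subclass logic. The forward it returns
        // should point below /WEB-INF/jsp/, so the page cannot be requested
        // directly from a browser and is reachable only through this check.
        return executeSecured(mapping, form, request, response);
    }

    /** Same parameters as execute(); subclasses put their real logic here. */
    protected abstract ActionForward executeSecured(ActionMapping mapping,
            ActionForm form, HttpServletRequest request,
            HttpServletResponse response) throws Exception;
}
```

Pages that need no per-request logic still go through an action mapping, so a plain ForwardAction mapping would bypass this check; such pages need a subclass of this base class that simply returns the forward.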