I may be mis-reading the question but... why hide your jsp's from direct access? The actions should definitely check for security and it makes sense there but if your jsp's populate information from the form, wouldn't the jsp be empty/unusable anyway?..
The approach above is what I have used. Only protect the forms/actions. Empty jsp's I don't care about. Let me know why you think that this is bad security practice. Regards...djsuarez -----Original Message----- From: Jim Barrows [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 25, 2004 4:49 PM To: Struts Users Mailing List Subject: RE: Question about authentication > -----Original Message----- > From: Steven Leija [mailto:[EMAIL PROTECTED] > Sent: Wednesday, August 25, 2004 2:15 PM > To: Struts Users Mailing List > Subject: RE: Question about authentication > > > I'm currently running into the same situation. If you added > to your web-inf directory. Do you just create a dir called > "jsp"? and treat that as your root? Is there any sort of > special path or configuration needed for this? I'm using Tomcat 5.0. No special configuration needed you forward to /WEB-INF/jsp/yourpage.jsp. Any Servlet or JSP can access anything in WEB-INF. The only thing to remember is you cannot type in the jsp from the browser, you have to go through an action. Which is what ForwardAction is for :) If you don't like this, you could incorporate container managed security to restrict all *.jsp to a dummy role. > > Thanks, > > Steven > > > > Hi > > I am going to use custom tags for checking > > access to Jsp, if no user/bean bean in session, > > then direct to login page. > > > > And I am also going to check admin bean again > > in Action before invoking life cycle methods > > on business beans. > > > > Now am I over kill with authentication?? > > Way overkill. Put your jsps in WEB-INF, and no one can > get at them. If your container is new enough to handle > filters, use them instead. Otherwise, use a > BaseSecurityAction that overrides execute, does the check and > then calls whateverYouWantForYourActualExecutionCode( same > params as execute). > > > > > I mean, if all JSP pages that require user/admin > > access has custom tag that check for access > > at top, then i don't really need to check > > for authentication in Action classess. > > You shouldn't allow access to your jsp pages. > > > > > But it may also be good practice to double check > > for whatever reason. > > > > Just curious what's the usual practice u ppl do. > > > > Thanks > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
