----- Original Message -----
From: "David Suarez" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
Sent: Friday, August 27, 2004 2:35 AM
Subject: RE: Question about authentication

> My question is, does it really matter? Does it really represent a
> security issue?

Ummm I think it does, through bad design and coding. As I just found out yesterday that I can copy and paste a link from an admin JSP page to a new browser, press enter, then files stored on the server are listed on the page. I was surprised since the bean should be empty and I didn't log in first but .... it's not my fault, it's Struts' fault. Yes, it's due to bad coding and design but I would get away with these if I simply restrict access to JSP using declarative authentication in whatever ...

BTW, in case you're wondering what I did wrong, I basically use ProcessAction to execute a business bean that doesn't require a form bean for input but returns a form bean to populate a table in the JSP, so ... yeah I get lucky.

> Am I missing something? Does viewing a page structure with no data
> represent a security issue?

You never know, they are out there to get you.

> Regards...djsuarez

Regards ;p