Options 2 and 3 (filter and action) both sound very hale to me. If you just want to separate logged-in from not-logged-in users, I would go for option 2. If you need fine-grained separation, go for a BaseAction and make not only a login check but also checks for action-dependent permissions.
regards
Leon

On 8/29/06, Thomas Hamacher <[EMAIL PROTECTED]> wrote:
Hi everyone,

I think I have a very basic question here, but after spending some time with Google I haven't found a real solution to this question: What is the best way to secure a Struts web application to be sure that only logged-in users are allowed to do some special actions and access some special pages?

I found 3 possibilities, of which some seem to be solutions from older Struts versions.

- Extend the RequestProcessor and do a programmatic security check
- Use a Filter to do the security check
- Extend all Actions from a customized BaseAction that does the security check.

But all of this seems a bit strange to me. As security is a standard problem in every web application and there are a lot of people who have thought about solutions (JAAS), I can't believe that I have to extend the Struts framework myself to provide some security issues.

So what would you recommend if you want to do a really secure application with Struts, together with Tiles, and want to be sure that no pages or actions are used without permission? And all of this independent of whether I use a Tomcat, a Resin or maybe a JBoss as my Struts web server.

Do you have any information, examples or URLs that have a real solution to this?

Thank you very much
Thomas

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
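A sketch of option 2 from the thread, the servlet Filter that separates logged-in from not-logged-in users. This is an added example, not code from either poster; the session attribute name `user`, the login action `/login.do` and the public path prefixes are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Default-deny login check for every request, actions and JSPs alike. */
public class LoginFilter implements Filter {
    // Assumed names, not taken from the thread.
    private static final String USER_ATTR = "user";
    private static final String LOGIN_PATH = "/login.do";
    private static final String[] PUBLIC_PREFIXES = { "/css/", "/images/" };

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Use the container-decoded path inside the webapp, not the raw
        // request URI, so encoded characters cannot change the decision.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        if (isPublic(path)) {
            chain.doFilter(req, res);
            return;
        }
        // getSession(false): do not create a session for anonymous visitors.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            response.sendRedirect(
                response.encodeRedirectURL(request.getContextPath() + LOGIN_PATH));
            return;
        }
        // Keep protected pages out of shared and browser caches.
        response.setHeader("Cache-Control", "no-store");
        chain.doFilter(req, res);
    }

    /** Only the login action and static asset prefixes pass without a session. */
    static boolean isPublic(String path) {
        if (path.indexOf("..") >= 0) return false;   // no traversal out of a public prefix
        if (path.equals(LOGIN_PATH)) return true;    // exact match only
        for (int i = 0; i < PUBLIC_PREFIXES.length; i++) {
            if (path.startsWith(PUBLIC_PREFIXES[i])) return true;
        }
        return false;
    }
}
```

Mapping the filter to `/*` in `web.xml` makes it cover direct requests to JSP and Tiles pages as well as `*.do` actions; the action-dependent permission checks of option 3 would still live in the BaseAction.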