You left container managed security off your list; that's the most
'standard' solution, but isn't necessarily the most portable since parts
are container implementation defined. A filter is probably the most
flexible alternative if container managed security isn't viable, but it
really depends on your exact security requirements.
This is a topic that's discussed a lot, both here on the Struts lists,
and in other web development forums, so I'd recommend doing some reading
to get a feel for the solutions others have used and their tradeoffs.
L.
Thomas Hamacher wrote:
Hi everyone,
I think I have a very basic question here, but after spending some time with
google I haven't found a real solution to this question: What is the best way
to secure a Struts web application to be sure that only logged-in users are
allowed to do some special action and access some special pages?
I found 3 possibilities, from what some of them seem to be a solution from
older struts versions.
- Extend the RequestProcessor and do a programmatic security-check
- Use a Filter to do the security check
- Extend all Actions from a customized BaseAction, that does the security
check.
But all of this seems a bit strange to me. As security is a standard problem
in every web application and there are a lot of people who thought about
solutions (JAAS) I can't believe that I have to extend the Struts framework
myself to provide some security issues.
So what would you recommend if you want to do a real secure application with
struts, together with tiles and want to be sure, that no pages or actions are
used without permission? And all of this independent, if I use a Tomcat, a
Resin or maybe a JBoss as my struts-web-server.
Do you have any information, examples or URLs that have a real solution to
this?
Thank you very much
Thomas
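
The Filter option discussed in this thread, as an added example that is not part of either message and not Struts code: a deny-by-default login check using only the standard Servlet API, so it behaves the same on Tomcat, Resin or JBoss. The session key, login path and public prefixes are assumed names.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.*;

/** Deny-by-default login check; map it to /* in web.xml so actions and JSPs are both covered. */
public class LoginRequiredFilter implements Filter {
    // Assumed names: the session key set by the login action, and paths reachable without login.
    static final String USER_KEY = "authenticatedUser";
    static final String LOGIN_PATH = "/login.do";
    static final List<String> PUBLIC_PREFIXES = Arrays.asList("/login.do", "/css/", "/images/");

    public void init(FilterConfig config) {}
    public void destroy() {}

    /** Path inside the web app, without context path or query string. */
    static String pathOf(HttpServletRequest req) {
        String info = req.getPathInfo();
        return info == null ? req.getServletPath() : req.getServletPath() + info;
    }

    /** Entries ending in "/" match as prefixes; everything else must match exactly. */
    static boolean isPublic(String path) {
        for (String prefix : PUBLIC_PREFIXES) {
            if (prefix.endsWith("/") ? path.startsWith(prefix) : path.equals(prefix)) return true;
        }
        return false;
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        HttpSession session = req.getSession(false);   // do not create a session just to check
        boolean loggedIn = session != null && session.getAttribute(USER_KEY) != null;

        if (loggedIn || isPublic(pathOf(req))) {
            chain.doFilter(request, response);         // allowed: continue to Struts / the JSP
        } else {
            // Anything not explicitly public is refused and sent to the login page.
            res.sendRedirect(res.encodeRedirectURL(req.getContextPath() + LOGIN_PATH));
        }
    }
}
```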