Martin, I could be reading his question wrong, but I think he is trying to limit POSTs/GETs of his actions so that they only come from the JSPs that he intends. This is a harder problem than it seems. My gut response was to tell him to check out HDIV, but I'm not sure whether that is built-in functionality they advertise. If this were a requirement for me, I'd look into writing an interceptor that checks the HTTP_REFERER and USER_AGENT, but even that is not going to be a foolproof solution. I think the nature of HTTP is that you can't fully enforce it.
Another solution would be to try to generate a random token that your form retrieves via AJAX and sets to a hidden field. Then, validate the token in your method before proceeding. This would take care of most use-cases, but it might introduce other problems (users with noscript). What is the purpose of tying the OP's users directly to the forms? Is it a security concern, or is there another reason?

--
Wes Wannemacher
Author - Struts 2 In Practice
Includes coverage of Struts 2.1, Spring, JPA, JQuery, Sitemesh and more
http://www.manning.com/wannemacher

On Friday 23 January 2009 21:23:09 Martin Gainty wrote:
> I can think of 2 security implementations:
> 1) Portlets (Jetspeed or Plumtree comes to mind)
> 2) implement either JNDI/JDBC/or MemoryRealm
> http://tomcat.apache.org/tomcat-4.1-doc/catalina/funcspecs/fs-memory-realm.html
>
> HTH
> Martin
> ______________________________________________
> Disclaimer and confidentiality note
> Everything in this e-mail and any attachments relates to the official
> business of Sender. This transmission is of a confidential nature and
> Sender does not endorse distribution to any party other than intended
> recipient. Sender does not necessarily endorse content contained within
> this transmission.
>
> > From: a.sy...@ucl.ac.uk
> > To: user@struts.apache.org
> > Subject: Only call actions from certain forms
> > Date: Fri, 23 Jan 2009 23:19:34 +0000
> >
> > Hi all,
> >
> > My forms all submit to a different action than that which renders the
> > pages.
> >
> > Is there a recommended way to prevent/mitigate the effect of users
> > directly calling the actions (via their URL) that forms are submitted
> > to? In this case, the actions' fields are null, which is somewhat
> > irritating in an action method that has associated validation..
> >
> > Andy.
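The session-bound form token Wes describes, as an added Struts 2 interceptor example (not code from the thread; Struts 2 ships its own `token` interceptor and `<s:token/>` tag that do the same job). Class, package and the `formToken` parameter name are assumed; the token is written into the hidden field by the rendering action, so it works without JavaScript, and a request that reaches the guarded action without a matching token is routed to an `invalid.token` result instead of running validation against null fields.

```java
package example; // hypothetical package name

import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import org.apache.struts2.ServletActionContext;

/**
 * Wiring (struts.xml): register this class as interceptor "formToken", add
 * <interceptor-ref name="formToken"/> to each action that only forms may call,
 * and map <result name="invalid.token">/error.jsp</result> for rejected requests.
 * The rendering action calls issueToken() and exposes it to the JSP as
 * <s:hidden name="formToken" value="%{formToken}"/>.
 */
public class FormTokenInterceptor extends AbstractInterceptor {
    public static final String SESSION_KEY = "example.formToken";
    public static final String PARAM_NAME = "formToken";
    private static final SecureRandom RNG = new SecureRandom();

    /** Generates a fresh 256-bit token, stores it in the session and returns it for the hidden field. */
    public static String issueToken(HttpSession session) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        StringBuilder hex = new StringBuilder(raw.length * 2);
        for (byte b : raw) {
            hex.append(String.format("%02x", b));
        }
        String token = hex.toString();
        session.setAttribute(SESSION_KEY, token);
        return token;
    }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest request = ServletActionContext.getRequest();
        HttpSession session = request.getSession(false);   // never create a session here
        String expected = session == null ? null : (String) session.getAttribute(SESSION_KEY);
        String supplied = request.getParameter(PARAM_NAME);
        // Direct URL calls carry no token; a stale or forged one fails the constant-time compare.
        if (expected == null || supplied == null
                || !MessageDigest.isEqual(expected.getBytes("UTF-8"), supplied.getBytes("UTF-8"))) {
            return "invalid.token";
        }
        session.removeAttribute(SESSION_KEY); // single use: re-submitting the same form is rejected
        return invocation.invoke();
    }
}
```

Because the token lives in the user's own session rather than in a URL, a submission must originate from a page that the server rendered for that session, which also covers the cross-site request forgery case the Referer/User-Agent check cannot.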