Struts bookmark question

 
Greenhorn
Posts: 25
I'm a struts neophyte, so be gentle...

I have a "secure" jsp page that should only be accessible to users with certain privileges. All of the security works fine until I bookmark this page and then exit the web site. If I then select my bookmark I'm taken right back to the secure page even though I am no longer logged in.

I have my own Custom Request Processor which extends RequestProcessor:

<controller>
<set-property property="processorClass"
value="med.va.gov.commonservices.eels.struts.CustomRequestProcessor"/>
</controller>


In the processPreprocess method of my Custom Request Processor I check the servlet path and redirect the user to the login page if they are not already logged in. I also have debug in this method that writes a message to the console so I know when this method is executed.

In addition, the action class that I wrote that handles forwards to my secure page also has debug that writes a message to the console so I know when this method is executed as well.

That said, this is what I see...

1) I log in to my web site.
2) I select the link that takes me to my secure page.
3) I get the debug message indicating that my Custom Request Processor has executed.
4) I get the debug message indicating that my action class has executed
5) The secure page is displayed.

Now, when I log out of the application and select my bookmark I see...

1) The secure web page is displayed even though I am not logged into the web site.
2) I get NO debug messages from either the Custom Request Processor or the Action.

What am I doing wrong? Any help would be GREATLY appreciated.

Thanks.

- Ben Hagadorn
 
Ranch Hand
Posts: 4864
It sounds like you may not be following one of the cardinal rules of writing a Struts application: Never call a JSP directly. Only call actions that in turn forward to JSPs.

If you follow this rule, every page will show MyAction.do as the URL instead of myJSP.jsp. If the user bookmarks a JSP, the JSP will be displayed without going through Struts at all. If you follow the above rule, the only thing that a user can bookmark will be an action, which means that all of your security measures will get called before a user can enter the system.


If you want an added measure of security, you may want to prevent a user from calling a JSP directly at all. One way to do this is to put all your JSPs under the WEB-INF/ directory. Another is to provide a servlet filter that calls an error page for any URLs ending in .jsp.

This problem can also be caused by specifying redirect="true" in your forwards. Make sure this is not specified for any of your forwards.
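
An added example, not part of the original post: a sketch of the servlet-filter option mentioned above, written against the javax.servlet API used with Struts 1. The package, class name and filter name are hypothetical, and the web.xml mapping is shown in the comment.

```java
package example.web; // hypothetical package

import java.io.IOException;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Rejects browser requests that address a JSP directly, so every page is
 * reached through a *.do action and the request processor's login check.
 *
 * web.xml (no <dispatcher> element: the filter then runs for client
 * requests only, so forwards from actions to JSPs are not blocked):
 *
 *   <filter>
 *     <filter-name>directJspBlock</filter-name>
 *     <filter-class>example.web.DirectJspBlockFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>directJspBlock</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class DirectJspBlockFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Servlet path plus optional path info, compared case-insensitively.
        String info = request.getPathInfo();
        String path = (request.getServletPath() + (info == null ? "" : info))
                .toLowerCase(Locale.ROOT);
        if (path.endsWith(".jsp") || path.endsWith(".jspx")) {
            // Answer as if the page did not exist; the container's error page is shown.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```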
 
Ben Hagadorn
Greenhorn
Posts: 25
I'm not calling any JSP pages directly. The funny thing is that I have one bookmark that displays the page (which it should not), and one that correctly sends me to the login page.

good bookmark = "http://localhost:8080/EELS/systemUsers.do"
bad bookmark = "http://localhost:8080/EELS/configurationAdmin.do"

I'll keep digging, but thanks for the help!
 
Ranch Hand
Posts: 948
Could it be a browser cache issue? Try clearing your cache first and see if that makes a difference?

- Brent