I was reading the book "Struts 2 in Action", and in chapter six the author explains the use of a user-defined interceptor, which he demonstrates by using it to validate the user. The interceptor simply checks for a user in the session map and, if none is present, redirects the user to the login page. But I have a doubt about the robustness of the solution, because most of the actions simply divert the user to an existing JSP page; if the user somehow manages to guess the JSP pages, then our security goes for a toss.
Should I consider it just an example, or can an interceptor actually be used to provide flawless security? If so, how?
If the pages are under /WEB-INF then they can't be accessed directly.
That aside, the code in almost *any* book should be taken as an example only: it's being used to teach the framework, not necessarily teach every single best practice possible, which wouldn't be practical.
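The two points above (the session-checking interceptor from the question, and keeping the JSPs under /WEB-INF from the answer) fit together as follows. This is an added example, not code from the book or from either poster; the class name, the session key `user`, the package names and the struts.xml layout in the comment are assumptions for illustration.

```java
// Added example: a Struts 2 interceptor that refuses to run any action in its
// package unless the session already holds an authenticated user. The JSPs it
// protects live under /WEB-INF, so a guessed URL never reaches them directly.
package example.security;

import java.util.Map;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

public class AuthenticationInterceptor extends AbstractInterceptor {

    /** Session key under which the login action stores the user (assumed name). */
    public static final String USER_KEY = "user";

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        Map<String, Object> session = invocation.getInvocationContext().getSession();
        Object user = (session == null) ? null : session.get(USER_KEY);
        if (user == null) {
            // Short-circuit: the action's execute() never runs; the framework
            // renders the "login" result (mapped globally in struts.xml below).
            return Action.LOGIN;
        }
        // Authenticated: continue down the interceptor stack to the action.
        return invocation.invoke();
    }
}

/*
 * struts.xml (assumed layout for this example).
 *
 * Every action in the "secure" package runs through the interceptor above.
 * Each result points at a JSP under /WEB-INF/jsp/, which the servlet container
 * never serves in response to a direct request, so the only way to reach
 * dashboard.jsp is as the result of the dashboard action, after the session
 * check has passed.
 *
 * <package name="secure" extends="struts-default">
 *   <interceptors>
 *     <interceptor name="authentication"
 *                  class="example.security.AuthenticationInterceptor"/>
 *     <interceptor-stack name="secureStack">
 *       <interceptor-ref name="authentication"/>
 *       <interceptor-ref name="defaultStack"/>
 *     </interceptor-stack>
 *   </interceptors>
 *   <default-interceptor-ref name="secureStack"/>
 *   <global-results>
 *     <result name="login" type="redirectAction">login</result>
 *   </global-results>
 *   <action name="dashboard" class="example.DashboardAction">
 *     <result>/WEB-INF/jsp/dashboard.jsp</result>
 *   </action>
 * </package>
 */
```

Two things to check when wiring this up: the `login` action itself must live in a package that does not use `secureStack` (otherwise an unauthenticated request to it is redirected to itself in a loop), and every JSP that should only be seen by logged-in users must actually be moved under /WEB-INF; a single page left in the public document root is still reachable by URL no matter what the interceptor does.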