Authentication Interceptor...

Gopi Chand

Joined: Feb 04, 2007
Posts: 24
I was reading this book "Struts 2 in Action" and in chapter six of that book, the author has explained the use of a user-defined interceptor, which the author demonstrates by using it to validate the user. The interceptor simply checks for the user in the session map; if not present, it directs the user to the login page. But I have a doubt about the robustness of the solution, because most of the actions simply divert the user to an existing JSP page; if the user somehow manages to guess the JSP pages, then our security goes for a toss.

Should I consider it just an example, or can an interceptor actually be used to provide flawless security? If so, how?

Experts, please voice your view.

David Newton

Joined: Sep 29, 2008
Posts: 12617

If the pages are under /WEB-INF then they can't be accessed directly.

That aside, the code in almost *any* book should be taken as an example only: it's being used to teach the framework, not necessarily teach every single best practice possible, which wouldn't be practical.
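
Added example, not part of the thread or the book's code: a `struts.xml` sketch that combines the two points above, running the session-checking interceptor in front of every protected action and keeping every JSP under /WEB-INF so the container refuses direct requests for it. The package, namespace, action, class and JSP names are assumptions, and the `redirectAction` result type assumes Struts 2.1 or later.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"
    "http://struts.apache.org/dtds/struts-2.0.dtd">
<struts>
  <package name="secure" namespace="/secure" extends="struts-default">
    <interceptors>
      <!-- Hypothetical class: returns "login" when the session map has no user -->
      <interceptor name="authentication"
                   class="example.AuthenticationInterceptor"/>
      <interceptor-stack name="secureStack">
        <!-- Session check runs before anything else in the stack -->
        <interceptor-ref name="authentication"/>
        <interceptor-ref name="defaultStack"/>
      </interceptor-stack>
    </interceptors>

    <!-- Every action in this package gets the check without opting in -->
    <default-interceptor-ref name="secureStack"/>

    <global-results>
      <!-- Target of the "login" result code returned by the interceptor -->
      <result name="login" type="redirectAction">
        <param name="actionName">Login</param>
        <param name="namespace">/</param>
      </result>
    </global-results>

    <action name="Dashboard" class="example.DashboardAction">
      <!-- Under /WEB-INF: reachable only by a server-side forward,
           so guessing the JSP path in the browser gets a 404 -->
      <result>/WEB-INF/jsp/dashboard.jsp</result>
    </action>
  </package>

  <!-- The login form stays outside the secured package; otherwise the
       redirect to Login would itself be intercepted and loop -->
  <package name="public" namespace="/" extends="struts-default">
    <action name="Login">
      <result>/WEB-INF/jsp/login.jsp</result>
    </action>
  </package>
</struts>
```

The interceptor only sees requests that Struts dispatches, so the /WEB-INF placement is what closes the direct-URL path; any JSP left in the web root bypasses the check entirely.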