I have a "secure" jsp page that should only be accessible to users with certain privileges. All of the security works fine until I bookmark this page and then exit the web site. If I then select my bookmark I'm taken right back to the secure page even though I am no longer logged in.
I have my own Custom Request Processor which extends RequestProcessor:
In the processPreprocess method of my Custom Request Processor I check the servlet path and redirect the user to the login page if they are not already logged in. I also have debug in this method that writes a message to the console so I know when this method is executed.
In addition, the action class that I wrote that handles forwards to my secure page also has debug that writes a message to the console so I know when this method is executed as well.
That said, this is what I see...
1) I log in to my web site.
2) I select the link that takes me to my secure page.
3) I get the debug message indicating that my Custom Request Processor has executed.
4) I get the debug message indicating that my action class has executed.
5) The secure page is displayed.
Now, when I log out of the application and select my bookmark I see...
1) The secure web page is displayed even though I am not logged into the web site.
2) I get NO debug messages from either the Custom Request Processor or the Action.
What am I doing wrong? Any help would be GREATLY appreciated.
It sounds like you may not be following one of the cardinal rules of writing a Struts application: Never call a JSP directly. Only call actions that in turn forward to JSPs.
If you follow this rule, every page will show MyAction.do as the URL instead of myJSP.jsp. If the user bookmarks a JSP, the JSP will be displayed without going through Struts at all. If you follow the above rule, the only thing that a user can bookmark will be an action, which means that all of your security measures will get called before a user can enter the system.
If you want an added measure of security, you may want to prevent a user from calling a JSP directly at all. One way to do this is to put all your JSPs under the WEB-INF/ directory. Another is to provide a servlet filter that calls an error page for any URLs ending in .jsp.
This problem can also be caused by specifying redirect="true" in your forwards. Make sure this is not specified for any of your forwards.
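The servlet filter mentioned in the reply above, written out as an added example (it is not code from the original thread or from Struts itself). It assumes a Struts 1 style web application on the javax.servlet API; the class name DirectJspFilter and the URL pattern in the web.xml fragment are illustrative choices. The filter refuses any client request whose servlet path ends in .jsp, so a bookmarked JSP URL gets a 404 instead of the page, while actions that forward to the JSP through RequestDispatcher.forward are unaffected because a filter mapping without a dispatcher element applies only to direct client requests.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Registration in web.xml (added example, adjust the package name):
 *
 *   <filter>
 *     <filter-name>directJspFilter</filter-name>
 *     <filter-class>example.DirectJspFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>directJspFilter</filter-name>
 *     <url-pattern>*.jsp</url-pattern>
 *     <!-- no <dispatcher> element: defaults to REQUEST only, so
 *          forwards from MyAction.do to the JSP are not filtered -->
 *   </filter-mapping>
 */
public class DirectJspFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isDirectJspRequest(request.getServletPath())) {
            // A browser (or bookmark) asked for the JSP itself, bypassing the
            // action and therefore the RequestProcessor's login check.
            // Answer as if the resource did not exist; the container's
            // configured 404 error page is shown.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        // nothing to release
    }

    /** True when the servlet path names a JSP (case-insensitive). */
    static boolean isDirectJspRequest(String servletPath) {
        return servletPath != null && servletPath.toLowerCase().endsWith(".jsp");
    }
}
```

If the JSPs can simply be moved under WEB-INF/ the filter is unnecessary, since the container never serves that directory to clients; the filter is the option when the JSPs must stay in a public directory. Note that the filter does not replace the login check in the RequestProcessor: it only guarantees that every request for a protected page goes through an action, which is where that check runs.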