File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes Struts and the fly likes Struts bookmark question Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Frameworks » Struts
Bookmark "Struts bookmark question" Watch "Struts bookmark question" New topic

Struts bookmark question

Ben Hagadorn

Joined: Mar 28, 2006
Posts: 25
I�m a struts neophyte, so be gentle...

I have a �secure� jsp page that should only be accessible to users with certain privileges. All of the security works fine until I bookmark this page and then exit the web site. If I then select my bookmark I�m taken right back to the secure page even though I am no longer logged in.

I have my own Custom Request Processor which extends RequestProcessor:

<set-property property="processorClass"

In the processPreprocess method of my Custom Request Processor I check the servlet path and redirect the user to the login page if they are not already logged in. I also have debug in this method that writes a message to the console so I know when this method is executed.

In addition, the action class that I wrote that handles forwards to my secure page also has debug that writes a message to the console so I know when this method is executed as well.

That said, this is what I see�

1) I log in to my web site.
2) I select the link that takes me to my secure page.
3) I get the debug message indicating that my Custom Request Processor has executed.
4) I get the debug message indicating that my action class has executed
5) The secure page is displayed.

Now, when I log out of the application and select my bookmark I see�

1) The secure web page is displayed even though I am not logged into the web site.
2) I get NO debug messages from either the Custom Request Processor or the Action.

What am I doing wrong? Any help would be GREATLY appreciated.


- Ben Hagadorn
Merrill Higginson
Ranch Hand

Joined: Feb 15, 2005
Posts: 4864
It sounds like you may not be following one of the cardinal rules of writing a Struts application: Never call a JSP directly. Only call actions that in turn forward to JSPs.

If you follow this rule, every page will show as the URL instead of myJSP.jsp. If the user bookmarks a JSP, the JSP will be displayed without going through Struts at all. If you follow the above rule, the only thing that a user can bookmark will be an action, which means that all of your security measures will get called before a user can enter the system.

If you want an added measure of security, you may want to prevent a user from calling a JSP directly at all. One way to do this is to put all your JSPs under the WEB=INF/ directory. Another is to provide a servlet filter that calls an error page for any URLs ending in .jsp.

This problem can also be caused by specifying redirect="true" in your forwards. Make sure this is not specified for any of your forwards.

Consultant, Sima Solutions
Ben Hagadorn

Joined: Mar 28, 2006
Posts: 25
I'm not calling any JSP pages directly. The funny thing is that I have one bookmark that displays the page (which it should not), and one that correctly sends me to the login page.

good bookmark = "http://localhost:8080/EELS/"
bad bookmark = "http://localhost:8080/EELS/"

I'll keep digging, but thanks for the help!
Brent Sterling
Ranch Hand

Joined: Feb 08, 2006
Posts: 948
Could it be a brower cache issue? Try clearing your cache first and see if that makes a difference?

- Brent
I agree. Here's the link:
subject: Struts bookmark question
It's not a secret anymore!