Struts bookmark question

Ben Hagadorn

Joined: Mar 28, 2006
Posts: 25
I'm a struts neophyte, so be gentle...

I have a "secure" jsp page that should only be accessible to users with certain privileges. All of the security works fine until I bookmark this page and then exit the web site. If I then select my bookmark I'm taken right back to the secure page even though I am no longer logged in.

I have my own Custom Request Processor which extends RequestProcessor:

<set-property property="processorClass"

In the processPreprocess method of my Custom Request Processor I check the servlet path and redirect the user to the login page if they are not already logged in. I also have debug in this method that writes a message to the console so I know when this method is executed.

In addition, the action class that I wrote that handles forwards to my secure page also has debug that writes a message to the console so I know when this method is executed as well.

That said, this is what I see...

1) I log in to my web site.
2) I select the link that takes me to my secure page.
3) I get the debug message indicating that my Custom Request Processor has executed.
4) I get the debug message indicating that my action class has executed
5) The secure page is displayed.

Now, when I log out of the application and select my bookmark I see...

1) The secure web page is displayed even though I am not logged into the web site.
2) I get NO debug messages from either the Custom Request Processor or the Action.

What am I doing wrong? Any help would be GREATLY appreciated.


- Ben Hagadorn
Merrill Higginson
Ranch Hand

Joined: Feb 15, 2005
Posts: 4864
It sounds like you may not be following one of the cardinal rules of writing a Struts application: Never call a JSP directly. Only call actions that in turn forward to JSPs.

If you follow this rule, every page will show as the URL instead of myJSP.jsp. If the user bookmarks a JSP, the JSP will be displayed without going through Struts at all. If you follow the above rule, the only thing that a user can bookmark will be an action, which means that all of your security measures will get called before a user can enter the system.

If you want an added measure of security, you may want to prevent a user from calling a JSP directly at all. One way to do this is to put all your JSPs under the WEB-INF/ directory. Another is to provide a servlet filter that calls an error page for any URLs ending in .jsp.

This problem can also be caused by specifying redirect="true" in your forwards. Make sure this is not specified for any of your forwards.

Consultant, Sima Solutions
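
The servlet-filter option from the answer above, as an added example that is not part of the original thread or of Struts itself. The package, class and filter names are hypothetical, and it assumes the `javax.servlet` API of a Struts 1 container and a 404 response as the "error page".

```java
package example.security; // hypothetical package name

import java.io.IOException;
import java.util.Locale;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects client requests that address a JSP directly.
 *
 * web.xml mapping (names are assumptions):
 *   <filter>
 *     <filter-name>directJspBlock</filter-name>
 *     <filter-class>example.security.DirectJspBlockFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>directJspBlock</filter-name>
 *     <url-pattern>*.jsp</url-pattern>
 *   </filter-mapping>
 *
 * With no <dispatcher> element the mapping covers only requests coming from
 * the client, so an action's server-side forward to a JSP is not intercepted.
 */
public class DirectJspBlockFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // No configuration needed.
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Rebuild the context-relative path; the explicit suffix check keeps
        // the filter correct even if it is later mapped to /* instead of *.jsp.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        String lower = path.toLowerCase(Locale.ROOT);
        if (lower.endsWith(".jsp") || lower.endsWith(".jspx")) {
            // 404 rather than 403, so the response does not confirm the page exists.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        // Nothing to release.
    }
}
```

A forward declared with redirect="true" makes the browser request the JSP URL itself, so this filter rejects it, which exposes any forward that still bypasses the action path.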
Ben Hagadorn

Joined: Mar 28, 2006
Posts: 25
I'm not calling any JSP pages directly. The funny thing is that I have one bookmark that displays the page (which it should not), and one that correctly sends me to the login page.

good bookmark = "http://localhost:8080/EELS/"
bad bookmark = "http://localhost:8080/EELS/"

I'll keep digging, but thanks for the help!
Brent Sterling
Ranch Hand

Joined: Feb 08, 2006
Posts: 948
Could it be a browser cache issue? Try clearing your cache first and see if that makes a difference.

- Brent