security problem

 
Ranch Hand
Posts: 152
I have developed a web application using Struts. I deployed it on Tomcat 5.5 on Red Hat Linux. The problem is that the user can go to any page without even logging in. For example, if he enters http://myapp:8080/login.jsp it will take him to the login.jsp page, and if he enters http://myapp:8080/xyz.jsp it opens that page too, which is wrong. It should redirect him to the login page. Only if the user is authenticated should he be able to go to that page using the proper link. How do I handle this condition? Any suggestions and hints will be greatly appreciated.
 
Greenhorn
Posts: 4
Hi!

First, you have to consider storing all JSP files inside a directory like this: / /WebContent/WEB-INF/jsp/ to avoid direct requests to the JSPs. You can then access a JSP via an action mapping:

<action path="/viewLogin"
type="org.apache.struts.actions.ForwardAction"
parameter="/WEB-INF/jsp/login.jsp" />

or

<action path="/viewLogin"
forward="/WEB-INF/jsp/login.jsp"/>

Remember, to ensure MVC, every request must go through the request processor, and this way you can implement more complex authentication and authorization levels of security.

Second, are you using container or application-managed security? Are you using filters, custom request processor, base action or custom tag?

Check O'Reilly's Jakarta Struts Cookbook, there is a complete chapter about securing Struts applications.