Security in Struts using Tiles


  1. Security in Struts using Tiles (2 messages)

    I'm making a webapp with Struts and I'm using Tiles for layout. To check if a user is logged in, I have a tag on top of the tiles layout checking if the user is logged in. This is working fine as long as the user doesn't type in the source address to the different tiles pieces. Is it possible to restrict access to pages only accessed through a tiles layout?

    So when a user types in index.do this is OK, because index.do implements a layout consisting of header.jsp, menu.jsp, content.jsp and footer.jsp.

    It should not be possible to access content.jsp directly. Possible?
  2. Hi
    I think you should use a Filter that enforces the restrictions you are looking for. If the requested resource is not accessible, the request is forwarded to an 'access denied' page. These restrictions are done by checking if there is a user logged in and/or user roles. You can externalize these restrictions in a config file. Also, you may want some of your JSPs to be accessible through forwards inside the container, but not accessible when directly requested by the user. You should check your server documentation on how the filtering is done. For example, Tomcat filters requests that come only from the user browser, but Oracle9i also filters the forwards inside the servlet container. However, if you have a J2EE 1.4 compliant server you can use this new configuration in your web.xml:
    ....
    <filter-mapping>
        <filter-name>AccessFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
    ...
    Best regards, Mircea
  3. Security in Struts using Tiles

    You can also put your JSPs inside the WEB-INF directory, and a JSP outside of it that inserts the definition. The pages under WEB-INF are not visible externally, just by servlets. Using a filter can be a good thing too ...
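
The `AccessFilter` named in the second reply's `web.xml` mapping could look like the class below. It is an added example, not code posted in the thread. The session attribute `user`, the `/tiles/` fragment directory, `/login.do` and `/accessDenied.jsp` are assumed names.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class AccessFilter implements Filter {
    // Assumed names for illustration; none of these come from the thread.
    private static final String USER_ATTR = "user";          // set at login
    private static final String FRAGMENT_PREFIX = "/tiles/"; // header.jsp, content.jsp, ...
    private static final String LOGIN_PAGE = "/login.do";
    private static final String DENIED_PAGE = "/accessDenied.jsp";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Context-relative path of the requested resource, e.g. /tiles/content.jsp
        String path = request.getServletPath();
        if (request.getPathInfo() != null) path += request.getPathInfo();

        // Mapped with <dispatcher>REQUEST</dispatcher>, this filter only sees
        // requests coming from the browser. Tiles pulls the fragments in through
        // container includes, which bypass it, so layouts keep working.
        if (path.startsWith(FRAGMENT_PREFIX)) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Do not create a session just to find out that nobody is logged in.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;
        boolean isPublic = path.equals(LOGIN_PAGE) || path.equals(DENIED_PAGE);
        if (!loggedIn && !isPublic) {
            request.getRequestDispatcher(DENIED_PAGE).forward(request, response);
            return;
        }
        chain.doFilter(request, response);
    }
}
```

On a container that also applies filters to internal forwards and includes, the fragment check would block the Tiles includes as well; moving the fragments under WEB-INF, as the last reply suggests, avoids that dependency on dispatcher behaviour.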