Rule Definition
In an MVC application the controller, not the view, decides where a request goes next. A JSP that redirects or forwards directly to another JSP bypasses the controller (in Struts, the Action), so whatever the Action would do before rendering the target page is skipped. In particular, any check that the current user is permitted to see the target JSP is never performed when the page is reached this way.
Remediation
To avoid these issues, never address a JSP from another JSP. Redirect or forward to the controller instead: in Struts 1.x the JSP targets an Action URL (for example Example.do) that is mapped in struts-config.xml, and the mapping's forward entries decide which JSP is rendered; in Struts 2.x the JSP targets the action URL (for example Example.action) declared in struts.xml, and its result entries play the same role. Authentication and authorization checks then run in the Action (or, in Struts 2.x, in an interceptor) on every path to the page. Placing the target JSPs under /WEB-INF/ closes the remaining bypass: the container will not serve a JSP located there in response to a direct URL, only through a server-side forward.
Violation Code Sample
// Sample.jsp
// Each of the three alternatives below, used on its own, is a violation:
// the view chooses the next page itself and the controller never runs.
<%
response.sendRedirect("myPage.jsp"); // VIOLATION: client-side redirect straight to a JSP
%>
<%
pageContext.forward("myPage.jsp"); // VIOLATION: server-side forward, same bypass
%>
<jsp:forward page="myPage.jsp" /> <%-- VIOLATION: same bypass via the standard action --%>
Fixed Code Sample
// Sample.jsp
// Each alternative now targets the Action URL, so the ActionServlet dispatches
// the request and SampleAction decides whether myPage.jsp is rendered.
<%
response.sendRedirect("Example.do"); // FIXED
%>
<%
pageContext.forward("Example.do"); // FIXED
%>
<jsp:forward page="Example.do" /> <%-- FIXED --%>
// struts-config.xml: map /Example to the Action and declare the forward to the target page.
<action path="/Example"
        type="strutsSample.SampleAction">
    <forward name="success" path="/myPage.jsp"/>
</action>
// SampleAction.java: the Action class named in the mapping.
package strutsSample;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public class SampleAction extends Action {
    // Any check that must precede myPage.jsp (authorization, request state)
    // belongs here, before findForward; the JSP is never addressed directly.
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {
        return mapping.findForward("success");
    }
}
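The fixed sample above forwards unconditionally, so it only shows the routing. What the rule is really protecting is the check the Action can host before that forward. The following is an added example, not code from this page, from CAST or from the Struts project: a Struts 1.x Action that refuses to render myPage.jsp unless the caller is authenticated by the container and holds a given role. The package name strutsSample, the role name reportViewer, the login forward and the /WEB-INF/jsp/ location of the page are assumptions made for the example; the struts-config.xml fragment it relies on is reproduced in the leading comment.

```java
// SampleAction.java (added example; names below are assumptions, see lead-in)
//
// Matching struts-config.xml fragment (assumed):
//   <action path="/Example" type="strutsSample.SampleAction">
//     <!-- under /WEB-INF the JSP cannot be requested directly, only forwarded to -->
//     <forward name="success" path="/WEB-INF/jsp/myPage.jsp"/>
//     <!-- assumed login action; redirect so the browser URL changes -->
//     <forward name="login" path="/Login.do" redirect="true"/>
//   </action>
package strutsSample;

import java.security.Principal;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public class SampleAction extends Action {

    // Role required to view myPage.jsp. Assumed name; it must match a
    // <security-role> declared in web.xml and mapped by the container.
    static final String REQUIRED_ROLE = "reportViewer";

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {

        // 1. Authentication: container-managed security (or a login action
        //    that integrates with it) must have established a principal.
        Principal user = request.getUserPrincipal();
        if (user == null) {
            // Not logged in: send the browser to the login Action, never to a JSP.
            return mapping.findForward("login");
        }

        // 2. Authorization: the check lives in the controller, so every route
        //    to myPage.jsp passes through it. A JSP-to-JSP forward would skip it.
        if (!isPermitted(request)) {
            // Refuse with 403 and end the request; returning null tells the
            // ActionServlet that the response has already been completed.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return null;
        }

        // 3. Only now hand the request to the view selected in struts-config.xml.
        return mapping.findForward("success");
    }

    // Kept separate so the policy can be unit-tested with a mocked request.
    static boolean isPermitted(HttpServletRequest request) {
        return request.isUserInRole(REQUIRED_ROLE);
    }
}
```

Two details are worth keeping when adapting this: return null after sendError rather than another forward, otherwise Struts will try to forward on a committed response; and keep the view under /WEB-INF/, since otherwise a user who knows the JSP's name can still request it directly and skip the Action entirely.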
Reference
Professional Jakarta Struts (ISBN: 0764544373): Chapter 5: Advanced Action Classes
http://flylib.com/books/en/2.574.1.22/1/
Related Technologies
JEE
Technical Criterion
Architecture - Multi-Layers and Data Access
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.