We are developing an application in Struts. I am building a security component. This component will make sure that a logged-in user will be given access to components based on their role. Appropriate messages will be displayed alerting the user with denied access to certain parts of the application if their role does not have the privileges to access it.

Here is what is happening:

1. There is a menu called Admin Setup. When a user with role Guest tries to access this Admin component, the user is denied access. This works.

2. When a user with admin role accesses this menu, the user is given access to it. This works too.

Both above cases 1. and 2., the program goes through the action class associated with the admin Setup, where it is checked to see if the logged-in user has access to the admin component.

Now if I copy the url that gives me access to the admin menu and login again as the guest and paste the url in the browser, I get access to the component when I am not supposed to get access. While debugging I see that the program does not go into the action class to do the check as it does before. Why?

I am not passing any user information in the url but upon logon I store the userid and role in the session.

What is happening here? Am I missing something?

Any help will be much appreciated.

Thanks.

TD