Hi,
There are many examples available on the web.
Try this http://struts.sourceforge.net/community/tutorials.html
If you mean Struts Validator plugin, I think login is not the best example
because Validator Plugins is about format of input. Validate a login
will generally access database to know
One idea
The third time the login fails, register the time for that user.
When a login gets executed, if the last registered time for the given user
is less than the time interval you want - the login always fails.
The user must have something like:
User : id || login | password |
You could put a cookie on the user's machine that expires after a certain
period of time. Of course this only works when cookies are turned on and
an experienced user could always manually remove their cookie.
Another solution maybe is to get the user's IP address from the request
Header and
and comparing it to the current time.
That way, I won't be using cookies, and will avoid blocking IP address.
Does that sound ok?
Ciaran
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 16 December 2003 20:46
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: Login
: Tuesday, December 16, 2003 3:43 PM
To: 'Struts Users Mailing List'
Subject: RE: Login Security
I am storing the username and password in a table in a mySql database.
I think I will just add a field last_failure to the user table... and
after 3 unsuccessful attempts I will record the time
Btw, remember to flush the map for that username when they are able to login
successfully.
-Original Message-
From: Hookom, Jacob [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 16, 2003 3:46 PM
To: Struts Users Mailing List
Subject: RE: Login Security
Do a HashMap in the action:
Key
:[EMAIL PROTECTED]
Sent: 16 December 2003 20:46
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: Login Security
Avoid the cookie solution, it's too easy for the user to bypass your
security measures and as mentioned below, this solution won't work if
the browser has disabled cookies
[EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Tuesday, December 16, 2003 10:46 PM
Subject: RE: Login Security
Do a HashMap in the action:
Key is username
Value is Integer or Date
If ((value = map.get(key)) != null)
{
if (value instanceof Date)
{
// compare timeout
10:46 PM
Subject: RE: Login Security
Do a HashMap in the action:
Key is username
Value is Integer or Date
If ((value = map.get(key)) != null)
{
if (value instanceof Date)
{
// compare timeout dates
}
else if (value instanceof Integer)
{
if (value == 3)
{
map.put
You could apply what I described by defining the key as username+@+ip
Good idea!
-Original Message-
From: Janusz Dziadon [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 16, 2003 4:20 PM
To: Struts Users Mailing List
Subject: Re: Login Security
I think, that you should register
: Tuesday, December 16, 2003 10:46 PM
Subject: RE: Login Security
Do a HashMap in the action:
Key is username
Value is Integer or Date
If ((value = map.get(key)) != null)
{
if (value instanceof Date)
{
// compare timeout dates
}
else if (value instanceof
of maybe storing ip addresses, (though
a malicious user could spoof these).
regards
Ajay
From: Janusz Dziadon [EMAIL PROTECTED]
Reply-To: Struts Users Mailing List [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Subject: Re: Login Security
Date: Tue, 16 Dec 2003 23:43:41 +0100
1
isn't it should be better to put this verification at actions? maybe a
common super action could validate it, but I think that the jsp should
be the last place to put it. Ideally, the jsp's are not even exposed to
clients, making the access the view only through actions.
David Thielen wrote:
Hi Dave,
You have more choices to do user authentication, depending on your
application's need, your experience and determination :)
1. you can put it in every jsp but just think at the maintenance. Having
to modify all those jsp for one little change is not that fun.
2. If you use struts you
a unique
test and forward to.
Any good ideas for this situation?
thanks - dave
- Original Message -
From: Cezar Nasui [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Tuesday, August 26, 2003 6:56 PM
Subject: RE: login test in a jsp page - any suggestions
Hi
I would do this using Servlet Filters.
Thanks
-- pady
[EMAIL PROTECTED]
-Original Message-
From: David Thielen [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 26, 2003 11:03 PM
To: Struts Users Mailing List
Subject: Re: login test in a jsp page - any suggestions
How can I set
on your
forms.
-Richard
-Original Message-
From: David Thielen [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 26, 2003 8:03 PM
To: Struts Users Mailing List
Subject: Re: login test in a jsp page - any suggestions
How can I set things up so people can't get to a jsp page? I can set
Subject: Re: login test in a jsp page - any suggestions
isn't it should be better to put this verification at actions? maybe a
common super action could validate it, but I think that the jsp should
be the last place to put it. Ideally, the jsp's are not even exposed to
clients, making the access
Why not use a servlet filter ?
Thanks
-- pady
[EMAIL PROTECTED]
-Original Message-
From: David Thielen [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 26, 2003 4:16 PM
To: Struts-Users
Subject: login test in a jsp page - any suggestions
Hi;
I want to put a test in every jsp page
:[EMAIL PROTECTED]
Sent: Thursday, August 21, 2003 9:55 AM
To: Struts Users Mailing List
Subject: Re: login request + ActionServlet RequestProcessor Action
Hmm
Struggling a bit with this one now.?? I have extended requestProcessor and
tried to perform a requestDispatch and responseRedirect
: Re: login request + ActionServlet RequestProcessor Action
Hi david
I spent a little too much allocated time on this so I had to move on, and I
am
going to come back to it at a later date. I have a quick 'hack' (a taglib
which checks the session in each jsp) for my prototype to present
information available in
the struts-config.xml (or module) file(s).
Regards,
David
-Original Message-
From: Jung, Eric (Contractor) [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 20, 2003 1:54 PM
To: Struts Users Mailing List
Subject: RE: login request
David,
If you implement
Thank you ...
I would liked to have used a filter as this was my first idea, however my
clients app must be deployed onto their raq550 server which supports only
tomcat 3. I believe only tomcat 4 supports filters(or the servlet spec it
uses)? I believe i will follow davids example and extend
Hi
After deciding which approach to take and reading a few of my struts books
about the controller object ; ) I am now confused as which is the most
appropriate class to extend to perform my login functionality. David suggests
extending the base action class, however i have read that the
Hi Andy,
I guess the decision boils down to how your application is going to be
written. For a project I worked on couple of weeks back, I ran into a
problem where one of my Actions needs to extend a class to inherit some
functionality, but I was stuck because I need to extend my
Hi Kok
Good point, never thought about that! One point towards extending the
requestProcessor then, as if i am right i configure this in my
struts-config.xml and don't need to extend it from every action class.
Thanks
Andy
On Thursday 21 Aug 2003 10:26 am, Kok Wei, Koh wrote:
Hi Andy,
I
-
|From: Andy Richards [mailto:[EMAIL PROTECTED]
|Sent: Thursday, August 21, 2003 2:19 PM
|To: Struts Users Mailing List
|Subject: Re: login request + ActionServlet RequestProcessor Action
|
|
|Hi
|
|After deciding which approach to take and reading a few of my struts books
|about the controller
Yeah you should only need to define your custom
AuthenticationRequestProcessor class which extends RequestProcessor in
controller element of your struts-config.xml.
Andy Richards wrote:
Hi Kok
Good point, never thought about that! One point towards extending the
requestProcessor then, as if i
Hmm
Struggling a bit with this one now.?? I have extended requestProcessor and
tried to perform a requestDispatch and responseRedirect, however both fail as
the error message informs me the response has already been submitted. I
thought i may be able to use declarative exception handling with
You can use a filter to intercept all requests to a particular URL pattern
and check for your object in session.
A filter is similar to a servlet in that it's a piece of code that gets
passed the request and response objects and operates on them; but its
invocation is unique, because it's called
Dear Andy,
I'm doing the same thing you suggest. My approach is
to extend the base Action (or any type of Action) class
by adding a function 'checkLogin'. It takes the 'request'
as the argument, checks the session for a User bean, and
throws an exception if the bean is missing or if the ID
in your
application?
-eric
-Original Message-
From: David G. Friedman [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 20, 2003 9:42 AM
To: Struts Users Mailing List; [EMAIL PROTECTED]
Subject: Re: login request
Dear Andy,
I'm doing the same thing you suggest. My approach
On Thu, 17 Jul 2003, Adam Hardy wrote:
Date: Thu, 17 Jul 2003 11:34:49 +0200
From: Adam Hardy [EMAIL PROTECTED]
Reply-To: Struts Users Mailing List [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Subject: login for half my action mappings, leaving other half unsecured
HttpServletRequest has a method called getHeader(String name) use that with
a parameter of Referer which will give you the page the user came from.
Look at the Servlet specification for all your other answers.
--Amit
-Original Message-
From: Ashish Kulkarni [mailto:[EMAIL PROTECTED]
]
Sent: Wednesday, July 09, 2003 11:19 AM
To: Struts Users Mailing List
Subject: RE: Login Form
On Tue, 2003-07-08 at 20:34, Erez Efrati wrote:
Thanks Sean,
I looked at it and it does avoid the BIG limitation posed by the
standard spec in fact. Still I cannot use it since it disables
?
Thanks,
Erez
-Original Message-
From: Sean Radford [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 10, 2003 11:26 AM
To: Struts Users Mailing List
Subject: RE: Login Form
All,
Please find attached my securityfilter realm adaptor. The other code I
was waiting for hasn't materialised, so I
[mailto:[EMAIL PROTECTED]
Sent: Thursday, July 10, 2003 11:26 AM
To: Struts Users Mailing List
Subject: RE: Login Form
All,
Please find attached my securityfilter realm adaptor. The other code I
was waiting for hasn't materialised, so I couldn't do any comparison -
but it seems to work
Thanks a lot Sean, I will try it and let you know how it works.
Thanks for your great help,
Erez
-Original Message-
From: Sean Radford [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 10, 2003 12:28 PM
To: Struts Users Mailing List
Subject: RE: Login Form
Erez,
Things you need to do
To: 'Struts Users Mailing List'
Subject: RE: Login Form
Thanks a lot Sean, I will try it and let you know how it works.
Thanks for your great help,
Erez
-Original Message-
From: Sean Radford [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 10, 2003 12:28 PM
To: Struts Users Mailing List
Subject: RE: Login Form
Just need to include the relevant JBoss jar(s) on your classpath in
JBuilder... For JBoss 4 it is simply jboss.jar (found in
JBOSS_HOME/server/CONFIG/lib)
:-)
Sean
--
Dr. Sean Radford, MBBS, MSc
[EMAIL PROTECTED]
http://bladesys.demon.co.uk/
Blade Systems
On Thu, 2003-07
On Thu, 10 Jul 2003, Erez Efrati wrote:
Date: Thu, 10 Jul 2003 20:29:11 +0200
From: Erez Efrati [EMAIL PROTECTED]
Reply-To: Struts Users Mailing List [EMAIL PROTECTED]
To: 'Struts Users Mailing List' [EMAIL PROTECTED]
Subject: RE: Login Form
Yep, I've done that and it's compiling
, but...
Thanks,
Erez
-Original Message-
From: Sean Radford [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 08, 2003 8:21 PM
To: Struts Users Mailing List
Subject: RE: Login Form
Have a look at this (you may find what you want):
http://sourceforge.net/projects/securityfilter
Radford [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 09, 2003 11:19 AM
To: Struts Users Mailing List
Subject: RE: Login Form
On Tue, 2003-07-08 at 20:34, Erez Efrati wrote:
Thanks Sean,
I looked at it and it does avoid the BIG limitation posed by the
standard spec in fact. Still I cannot use
Not sure if I understand it entirely. But you can use an iframe for the login
form(protected page) on the site home page. Something like:
<iframe name='logon_frame' id='logon_frame' style='width:100%; height:120;'
SCROLLING='no' src='https://localhost:8443/logon_iframe.jsp'></iframe>
Hope this
page. I want to note here that I am using the JAAS.
Thanks,
Erez
-Original Message-
From: Yansheng Lin [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 08, 2003 5:47 PM
To: 'Struts Users Mailing List'
Subject: RE: Login Form
Not sure if I understand it entirely. But you can use an iframe
.
-Original Message-
From: Erez Efrati [mailto:[EMAIL PROTECTED]
Sent: July 8, 2003 11:03 AM
To: 'Struts Users Mailing List'
Subject: RE: Login Form
Yansheng Lin, I didn't understand, sorry.
All I want to do is enable the users to login into my site from the
starting page of the web site
an archive mail on this newsgroup, maybe what you want. Sorry I don't
know much about the api in JAAS.
-Original Message-
From: Erez Efrati [mailto:[EMAIL PROTECTED]
Sent: July 8, 2003 11:03 AM
To: 'Struts Users Mailing List'
Subject: RE: Login Form
Yansheng Lin, I didn't understand
On Tue, 8 Jul 2003, Erez Efrati wrote:
Date: Tue, 08 Jul 2003 19:03:17 +0200
From: Erez Efrati [EMAIL PROTECTED]
Reply-To: Struts Users Mailing List [EMAIL PROTECTED]
To: 'Struts Users Mailing List' [EMAIL PROTECTED]
Subject: RE: Login Form
Yansheng Lin, I didn't understand, sorry.
All
Have a look at this (you may find what you want):
http://sourceforge.net/projects/securityfilter/
Sean
-Original Message-
From: Erez Efrati [mailto:[EMAIL PROTECTED]
Sent: July 8, 2003 10:11 AM
To: 'Struts Users Mailing List'
Subject: Login Form
Hi,
My question is a bit
Subject: RE: Login Form
Have a look at this (you may find what you want):
http://sourceforge.net/projects/securityfilter/
Sean
-Original Message-
From: Erez Efrati [mailto:[EMAIL PROTECTED]
Sent: July 8, 2003 10:11 AM
To: 'Struts Users Mailing List'
Subject: Login Form
Hi,
My
What happens if you don't put a security constraint in the web.xml, but
instead just specify a role in action in struts-config.xml?
Adam
Erik Price wrote:
You can limit the resources that are protected by container managed
authentication in the deployment descriptor. Whichever Action requires
if role check fails, Struts sets HttpResponse code 400 (Bad Request)
-D
- Original Message -
From: Adam Hardy [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Saturday, June 14, 2003 2:44 AM
Subject: Re: Login and security checks
What happens if you don't put
Here's how I do it: use a servlet filter to handle login. Put all your
secured (those requiring login) in a subfolder, and map the filter to
that folder. In this way, the user can browse anywhere except when he/she
comes to any page in the protected folder, at that time he/she will be
redirected to
[EMAIL PROTECTED] wrote:
I'm currently working on a web app which will be available publicly. In the
past I've secured my webapp using Tomcat's form based security. This works
fine if you require a user to log in as soon as the webapp is initiated (as
is the case with most internal web apps).
How can I organize my webapp so that some of the
content is available to anybody, but other parts
can only be done when the user logs in?
available to anybody: http://www.example.com/yourapp/public/*
protected: http://www.example.com/yourapp/members/*
-TPP
[EMAIL PROTECTED] writes:
there is definitely a need for browsing before creating a user id. How can I
organize my webapp so that some of the content is available to anybody, but
other parts can only be done when the user logs in? This may also be tied
into when to use http and when to use
Thanks for the replies Shunhui, Erik, Tero, and Chris. Very helpful
suggestions.
Mike
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, June 13, 2003 2:59 PM
To: [EMAIL PROTECTED]
Subject: RE: Login and security checks
Here's how I do it: use a servlet
Hi Matt,
Would you know the password of username, tomcat, in the demo of
struts-resume0.7?
- Original Message -
From: Raible, Matt [EMAIL PROTECTED]
To: 'Struts Users Mailing List' [EMAIL PROTECTED]
Sent: Friday, May 30, 2003 11:52 AM
Subject: RE: Login
I prefer form-based
I prefer servlet filter. If not logged in, redirect user to the login page.
-Original Message-
From: Jonathan Holloway [mailto:[EMAIL PROTECTED]
Sent: May 30, 2003 11:30 AM
To: [EMAIL PROTECTED]
Subject: Login
Could somebody tell me what the best way to implement a login mechanism is
Does anyone have example code for that handy?
- Original Message -
From: Phillip Qin [EMAIL PROTECTED]
To: 'Struts Users Mailing List' [EMAIL PROTECTED]
Sent: Friday, May 30, 2003 11:36 AM
Subject: RE: Login
I prefer servlet filter. If not logged in, redirect user to the login
page
Would a subclassed RequestProcessor be a Struts level alternative to
Servlet Filters?
(I have no clue, i'm just wondering)
Cheers,
Paul C
Phillip Qin wrote:
I prefer servlet filter. If not logged in, redirect user to the login page.
-Original Message-
From: Jonathan Holloway
Does anyone have example code for that handy?
They sure as hell should, considering this topic's
covered on the list at about every week.
The mailing list archive is your friend...
-TPP
Yes. For Tiles subclass the TilesRequestProcessor
-Original Message-
From: Paul Curren [mailto:[EMAIL PROTECTED]
Sent: Friday, May 30, 2003 11:41 AM
To: Struts Users Mailing List
Subject: Re: Login
Would a subclassed RequestProcessor be a Struts level alternative to
Servlet Filters
I prefer form-based authentication - for an advanced example, see
http://static.raibledesigns.com/downloads - download security-example.
Documentation will be coming on this project soon in Professional JSP 2.0 by
Apress (formerly was going to be by Wrox).
HTH,
Matt
-Original Message-
Obviously It's posted again when you reload the page, but I don't think
this is the way it has to be. Why does the browser post information
(Password)
it should not be aware any more after the Login-request has been
processed?
Anyway, I am interested in a solution how to disable this behaviour.
I have my ActionServlet mapped to *.do and an ActionFilter mapped to
that same url-pattern. In ActionFilter, I check to see if there is a
UserForm in the session, and secondly to see if
request.getRemoteUser() returns null. If either of these occur, I
call my Business Delegate (UserManager in my
Write a proxy to retrieve the user data you wish to put in the session.
The proxy will check to see if a user has been authenticated
(request.getUserPrincipal() != null), and, if they have, it will check
to see if your user data has been created yet. If it has, it will just
take it from the
Hi
Sorry what you mean by proxy. i didn't get you actually i wanted to
authenticate logged in user against the users that are there in the
database, and when ever they bookmark some page and if they go to that
page directly i wanted to display the login page after they login
successfully only.
You could use a filter to map to all your protected resources. This
is what I do in the security-example application I recently wrote.
You can download the source at:
http://javawebapps.com/downloads/security-example.zip (14MB)
HTH,
Matt
--- In [EMAIL PROTECTED], usha [EMAIL PROTECTED]
Hi
can you tell me briefly how you are using filters in security-example
application.
Thanks
usha
Matt Raible wrote:
You could use a filter to map to all your protected resources. This
is what I do in the security-example application I recently wrote.
You can download the source at:
The authentication filter will check for a valid flag in the session
indicating the user has logged in. I use a Person object identifying the
user for this. If it's not there, send them to the login screen.
Just put the login page outside the protection of the filter to prevent the
filter
I received this email so I thought somebody else may have the same problem.
I have taken out their identity because the person sent me a direct email.
- Original Message -
From: Zahid Rahman [EMAIL PROTECTED]
Sent: Wednesday, September 25, 2002 6:39 PM
Subject: Re: Login/logon form
Yes
I see I think - you've implemented a realm that is application (ie
non-container-managed) to facilitate this. Am I understanding things
right? I guess the solution I'm looking for is JDBCConfigRealm (not
written, obviously) that would make use of some configuration to specify
where a person
it do CMA on a let basis?
Thanks!
Eddie
Struts Newsgroup (@Basebeans.com) wrote:
Subject: Re: Login Question
From: Vic C. [EMAIL PROTECTED]
===
As this post says
http://www.mail-archive.com/struts-user@jakarta.apache.org/msg36670.html
to extend JAAS you do this:
(i cut and paste now
Subject: Re: Login Question
From: Vic C [EMAIL PROTECTED]
===
Now that you buttered me up:
basicPortal does not handle it, it just uses JAAS and Web.xml realms so
it just illustrates how to do this.
(just like it illustrates how to do tiles action or how to use JSTL tags
with Struts, how
Subject: Re: Login Question
From: Vic C. [EMAIL PROTECTED]
===
As this post says
http://www.mail-archive.com/struts-user@jakarta.apache.org/msg36670.html
to extend JAAS you do this:
(i cut and paste now)
Then if you want more you do servlet api, getuserprincipal or
getremoteuser, snippet
interested.
Thanks
Sandra
-Original Message-
From: James Mitchell [mailto:[EMAIL PROTECTED]]
Sent: 02 July 2002 16:54
To: Step
Cc: Struts-Atlanta; Struts Users Mailing List
Subject: RE: Login process
okhere ya go...
http://www.open-tools.org/struts-atlanta/downloads
-
From: Arnaud HERITIER [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 05, 2002 8:17 AM
To: 'Struts Users Mailing List'
Subject: RE: Login process
don't your user attribute need to be static to be shared by all your
actions
instances ???
Arno
-Original Message-
From: David Mulligan
Developer Network
http://www.open-tools.org/struts-atlanta
-Original Message-
From: Step [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 01, 2002 9:26 PM
To: [EMAIL PROTECTED]
Subject: RE: Login process
James I want a copy your modified struts-example...
Thanks
Apart from the index.jsp, you would probably be best served by putting all
your other jsps (that require authentication) in the WEB-INF directory. This
way they can only be reached by an action forwarding to them and not
directly.
-Original Message-
From: Heligon Sandra [mailto:[EMAIL
Mitchell
Software Engineer\Struts Evangelist
Struts-Atlanta, the Open Minded Developer Network
http://www.open-tools.org/struts-atlanta
-Original Message-
From: Andrew Hill [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 01, 2002 5:56 AM
To: Struts Users Mailing List
Subject: RE
the servlet engine(Tomcat) can execute it?
Could you send me your example, please ?
thanks a lot in advance.
-Original Message-
From: James Mitchell [mailto:[EMAIL PROTECTED]]
Sent: 01 July 2002 17:56
To: Struts Users Mailing List; [EMAIL PROTECTED]
Subject: RE: Login process
Heligon Sandra wrote:
I don't understand how the user can reach a page without
using action forwarding. I thought that all JSP pages had
to be associated with an action.
You would access the JSP page indirectly through an action. Whether
that is an actual action, or a simple forwarding
-Original Message-
From: Heligon Sandra [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 01, 2002 1:09 PM
To: 'Struts Users Mailing List'
Subject: RE: Login process
I am new with Web and Struts and some items escape me.
I don't understand how the user can reach a page without
using
From: Galbreath, Mark [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 07, 2002 7:16 AM
What's the best way to authenticate users from a backend database in a
system using Struts? Should the HTML form action go through the
ActionServlet or should I write a small validation class that