On Mon, 26 Mar 2001 [EMAIL PROTECTED] wrote:
>
>
> Hi.
>
> Thanks for all the replies, but not sure I explained myself well enough first
> time round! My problem is not so much the how-to of security, but the fact that
> I only require a log-in *sometimes*. If accounts are set up on the related
> server, we need to honour these and have the user log in. If they are not, we
> allow the user free access.
>
> So...after further thought, I believe the controller should check this once,
> when the application is initialised, and set a parameter which indicates whether
> log-in is required. I can then check this at the top of each page, and if set,
> check the user has logged on, redirect if not etc.
>
Your general approach sounds reasonable, to deal with these
requirements. Essentially, you are providing a mechanism to "log
in" without using a username/password under certain circumstances.
> Does this sound right?! i.e. is it the controller which should be doing this in
> its init() method?
>
However, the init() method is absolutely the wrong place to try to do this
-- it is run *once and only once* when the application is first
started, then it is never called again. You might want to review
information about the general servlet lifecycle to help understand how
this works -- there are lots of articles and books that describe it.
You need to do something that happens during the normal
processing of requests -- essentially, define an Action to log on (as the
Struts example does), but customized to bypass the username/password stuff
under certain circumstances.
> Thanks,
>
> Dave
>
Craig McClanahan
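
The approach described in the reply above, sketched as an added example (not code from the thread or from the Struts example application): a logon Action that decides on each request whether credentials are needed, and that treats a failed account lookup as "login required". It assumes the Struts 1.1+ `execute` signature; `AccountDirectory`, the `accountDirectory` context attribute, the `user` session key and the `success`/`login` forward names are hypothetical.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public class ConditionalLogonAction extends Action {

    /** Hypothetical view of the related server's account store. */
    public interface AccountDirectory {
        boolean hasAccounts() throws Exception;   // are any accounts set up?
        boolean authenticate(String user, String password) throws Exception;
    }

    public static final String USER_KEY = "user";   // hypothetical session key
    public static final String GUEST = "guest";     // marker for free access

    public ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        // Assumed to be placed in the servlet context at application startup.
        AccountDirectory dir = (AccountDirectory)
            getServlet().getServletContext().getAttribute("accountDirectory");
        if (dir == null) {
            return mapping.findForward("login");    // not configured: no free access
        }
        boolean loginRequired;
        try {
            loginRequired = dir.hasAccounts();      // checked per request, not in init()
        } catch (Exception e) {
            loginRequired = true;                   // lookup failed: fail closed
        }
        String principal = GUEST;
        if (loginRequired) {
            String user = request.getParameter("username");
            String pass = request.getParameter("password");
            if (user == null || pass == null || !dir.authenticate(user, pass)) {
                return mapping.findForward("login"); // back to the logon form
            }
            principal = user;
        }
        // Start a fresh session on logon so a pre-login session id is not reused.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        request.getSession(true).setAttribute(USER_KEY, principal);
        return mapping.findForward("success");
    }
}
```

Every protected page then makes the same check (is `USER_KEY` present in the session?) whether or not accounts exist, so the "login required" decision is made in one place.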