Hello All,

by using a JSP tag to check if the user is logged, aren't you mixing somehow
logic and presentation? In theory, you should provide a way that is
independent of the fact that you store your user in the session (though
Struts does it that way). Furthermore, you may need to not only check if the
user is logged, but also if he/she has specific permissions/roles...

My suggestion would be similar to Peter's:
- subclass the Action class with your own with a checkLogon() method that
throws an exception if the user is not logged in (the extension would be
defining a checkAuthorization(auth))
- at the beginning of the main command method of each _Action_ that requires
the user to be logged in, do something like

  public ActionForward perform(ActionMapping mapping, ActionForm form,
                               HttpServletRequest request,
                               HttpServletResponse response)
      throws IOException, ServletException {
    try {
      checkLogon(request);   // needs the request to reach the session

      // Add here business logic if user is logged in
      ...

    } catch (UserNotLoggedException e) {
      // React to user not logged (or not authorized)
      // Probably forward to login page...
      return mapping.findForward("login");
    }
  }

What do you think?

Andrej
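As an added example (not Andrej's or Peter's code, and not part of Struts itself), this is what such a base Action could look like against the Struts 1.0 Action API. The session attribute name "user", the UserNotLoggedException class, the performSecure() hook and the global "login" forward are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Thrown when no logged-in user is found in the session (assumed class). */
class UserNotLoggedException extends Exception {
    UserNotLoggedException(String msg) { super(msg); }
}

/** Base Action that refuses to run business logic without a logged-in user. */
abstract class SecureActionBase extends Action {
    /** Session attribute under which the login action stored the user (assumed name). */
    static final String USER_KEY = "user";

    /** Fails closed: no session, or no user in it, means not logged in. */
    protected Object checkLogon(HttpServletRequest request)
            throws UserNotLoggedException {
        HttpSession session = request.getSession(false); // never create one here
        Object user = (session == null) ? null : session.getAttribute(USER_KEY);
        if (user == null) {
            throw new UserNotLoggedException("no user in session");
        }
        return user;
    }

    /** Subclasses put their business logic here; it only runs after checkLogon() passes. */
    protected abstract ActionForward performSecure(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException;

    /** Final so a subclass cannot override perform() and skip the check. */
    public final ActionForward perform(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        try {
            checkLogon(request);
            return performSecure(mapping, form, request, response);
        } catch (UserNotLoggedException e) {
            // "login" is assumed to be a global forward in struts-config.xml
            return mapping.findForward("login");
        }
    }
}
```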

-----Original Message-----
From: Peter Pilgrim [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 02, 2001 11:11 AM
To: Struts Users Mailing List
Subject: Re: Force login...

To do it properly you have to:

(1) Write an abstract base class, say `SecureActionBase', that provides the
security method "checkLogon()". Write a default implementation of `checkLogon'
that subclassers can override. If the user is not logged in, return an action
mapping forward that redirects to the "login". Otherwise let the user continue.

(2) Borrow the `CheckLoginTag' from the Struts example and use it as it is, or
modify it. You put the checklogin tag at the beginning of your JSPs.

(3) Extend the Struts ActionServlet with a custom class for your project that
will enable you to look for instances of `SecureActionBase' and then call the
security methods. Like so:

    protected ActionForward processActionPerform(Action action,
                                                 ActionMapping mapping,
                                                 ActionForm formInstance,
                                                 HttpServletRequest request,
                                                 HttpServletResponse response)
        throws IOException, ServletException
    {
        ....

        if ( action instanceof SecureActionBase ) {
            SecureActionBase baseAction = (SecureActionBase)action;
            ...

            if ( baseAction.isSecureAction() ) { // This action needs security
                ....
                ActionForward fwd = baseAction.checkUserSecurityAccess(
                    context, mapping, request );
                if ( fwd != null ) {
                    // Redirect to login screen or other warning page
                    return fwd;
                }
                // Otherwise we are authenticated, continue
            }
        }
        ... // pre-process checking U desire

        // Runs for every action; secure ones only reach here after the check above
        ActionForward forward = action.perform(mapping, formInstance,
                                               request, response);

        ... // post-process checking U desire
        return forward;
    }


--
Peter Pilgrim                 ++44 (0)207-545-9923
"Mathematics is essentially the study of islands of disparate subjects in a
sea of ignorance."  -- Andrew Wiles


---------------------------------------- Message History ----------------------------------------


From: "Scott Watson" <[EMAIL PROTECTED]> on 02/11/2001 10:44 EST


My apologies for asking something that has probably been asked and
answered before, however, I wasn't able to find the answer in
my searches.

How do you force someone to log in before being allowed to access your
application?  It doesn't seem right to code this in each
action class.

Is it possible to search the archives for this list like the SERVLET and the
JSP lists?

Thanks
Scott.





