note that you can now combine the best aspects of versions 2 & 3 (2 involves just struts, 3 allows xml configuration) by using the declarative exception handling in the nightly build. in your Action superclass, just throw an exception if the user fails the authentication test, and trap for the exception in the struts-config.
you could also do the same thing by returning a forward if the authentication failed, but i like the exception model better because if you misconfigure your app, at least you'll see the exception thrown, whereas misconfiguring a forward may not be as explicit. the one plus here, is that all of your app's configuration is in the struts-config, which could save some headaches if you deploy the app on to several different servlet containers.

ab

>2. Extend Struts' Action class to your own *abstract* class, which adds
>the (unimplemented method) "boolean requiresLogon()". All of your
>actions should extend this abstract class, and implement their own
>"requiresLogon()" method which simply returns true or false. Then, in
>the base class's perform() method, you can call requiresLogon(), and if
>true, then test for logged-inness. Lastly, you can call the derived
>class's real "perform" method, which actually you'll have to rename to,
>"myPerform" or something slightly different. This is a cleaner approach
>than #1 but still a bit messy. I've used this approach for both
>"requiresLogon()", and "requiresDatabase()" (in which case I establish
>and break down a connection, all in one place). My preference is now #3,
>below.
>
>3. Don't use Struts at all for your login check. Instead, use Servlet
>Filters (requires a Servlet 2.3 container such as Tomcat 4.0). Implement
>a filter (they're simple, really!) which checks for logged-inness, and
>if false, then redirects to some login page. This has a clear advantage
>in that it separates security checking from the code of your Actions. In
>addition, it has a clear advantage in that it's declarative at the
>configuration file (XML) level, rather than embedded in your code. By
>that I mean, in the web.xml file, you specify which URL's (or which
>patterns of URL's) the filter applies to, rather than embedding this in
>your actual Java code. My favorite approach to this kind of thing.