... or use container-managed authentication (CMA) :-) and place the 
burden on the server itself.  Sorry - had to chip in!  I honestly don't 
know how long CMA has been a part of the servlet specification - but I'd 
wager that wouldn't be spec 2.3 dependent ;-)

David Graham wrote:

> Another of those best practices is to use a Filter to authenticate the 
> user before they ever reach your application.  This requires a servlet 
> 2.3 compliant container and doesn't easily allow you to use struts 
> specific classes.
>
> So, if you don't need struts to authenticate and are using a 2.3 
> container, use the Filter approach.
>
> Dave
>
>> From: "James Mitchell" <[EMAIL PROTECTED]>
>> Subject: Re: Using CheckLogin tag from within tiles
>> Date: Mon, 7 Oct 2002 12:43:41 -0400
>>
>> There have been many "best practices" published (media) and posted (users
>> list) over the last year or so that, if followed, can/would eliminate these
>> kinds of issues.
>>
>> By forcing all interactions with your webapp to go through your custom
>> actions, you can keep your "check for session expire" code in your action
>> classes and not have to rely on your jsp to enforce it.
>>
>> I typically do this in an abstract BaseAction which all actions (except
>> those not requiring authentication or session data) are required to extend.
>>
>> > - If I put it in the body insert, then when the login check fails
>> >   (because of session timeout) it throws an exception saying that it
>> >   couldn't forward because the output was already committed (I presume
>> >   that the preceding tiles do a flush).
>>
>> By placing my "is session expired" code in the base action, I do not have to
>> replicate the check anywhere else, which eliminates this issue.
>>
>> > - If I put it at the top of the simpleLayout.jsp (which I thought would
>> >   be before anything was flushed) then it detects the error (and creates
>> >   the correct ActionError) but the forward to the logon page doesn't
>> >   work (the current page is displayed) and the page skip of the
>> >   CheckLogin tag doesn't work.
>>
>> Not sure why this is happening, but see above for avoiding it as well.
>>
>> Hope that helps.
>> James Mitchell 
>

-- 
Eddie Bush
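
The Filter approach mentioned in the quoted reply, sketched as an added example that is not part of the original thread or of Struts. The class name `LoginCheckFilter`, the session key `user`, the `logonPath` init parameter and the `/logon.jsp` path are assumptions chosen for illustration. Because the check runs before any JSP or tile writes output, the response is still uncommitted when the redirect is issued.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical Servlet 2.3 filter: stops unauthenticated requests before any page output. */
public class LoginCheckFilter implements Filter {
    // Assumed names, not taken from the thread.
    private static final String USER_KEY = "user";
    private String logonPath = "/logon.jsp";

    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("logonPath");
        if (configured != null) {
            logonPath = configured;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Let the logon page itself through, otherwise the redirect would loop.
        if (logonPath.equals(request.getServletPath())) {
            chain.doFilter(req, res);
            return;
        }
        // getSession(false): never create a fresh session for an expired or anonymous user.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_KEY) != null;
        if (!loggedIn) {
            // No output has been written yet, so the redirect cannot hit a committed response.
            response.sendRedirect(
                response.encodeRedirectURL(request.getContextPath() + logonPath));
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

The filter is registered with `<filter>` and `<filter-mapping>` entries in `web.xml`; the URL that processes the logon form submission must be exempted in the same way as the logon page.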



