Daniel wrote:
> But if you do not have access to filters, this might be a good way to do
> it.

Not IMO.  By the time you get to the JSP, you have already done things that
an unauthorized user should not do... read from the database, etc.  If
nothing else, it's a waste of resources to *do* those things when you're not
going to present the results to the user.

If you can't use a Filter, then you should do something at the top of your
Action (or as David said, in a Base Action class that all of your Actions
inherit from) to make sure that nothing happens if the user isn't logged
in.

For the person who wanted the example... we use a proprietary cookie-based
authentication scheme with a Java API.  The Filter looks something like
this:

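package edu.asu.vpia.webapp;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class WebAuthFilter implements Filter
{
   // Required by the Filter interface; nothing to set up or tear down here
   public void init( FilterConfig config ) throws ServletException {}

   public void destroy() {}

   /**
    * Looks for either the 'authenticator' request parameter or else
    * the 'WEBAUTH' cookie, and checks with the WebAuth server to
    * determine if this is an authorized user.
    * If not, redirects to the login page
    * If so, places a WebUser object in request scope
    */
   public void doFilter( ServletRequest req, ServletResponse resp,
         FilterChain chain ) throws IOException, ServletException
   {
      // sendRedirect() only exists on the HTTP-specific response type
      HttpServletResponse response = (HttpServletResponse) resp;

      //determine whether we've got an authorized user, if not:

      String url = "http://authserver.institution.edu";
      response.sendRedirect( url );
      // chain.doFilter() is not called here, so the Action and JSP never run
   }
}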
   
HTH...
  
-- 
Wendy Smoak
Applications Systems Analyst, Sr.
Arizona State University PA Information Resources Management
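
The Base Action alternative mentioned in the message above, sketched as an added example; it is not code from the original post or from the poster's application. It assumes Struts 1 and assumes the login code stores the user object in the session under a hypothetical key `webUser`; the package, class and method names are also hypothetical.

```java
package example.webapp; // hypothetical package, not from the original post

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public abstract class AuthenticatedAction extends Action
{
   // Assumption: the login code stores the user object under this session key.
   public static final String USER_KEY = "webUser";

   // Login page URL, the same one the filter in the message redirects to.
   private static final String LOGIN_URL = "http://authserver.institution.edu";

   /**
    * Runs the login check before any subclass code. Declared final so a
    * subclass cannot override execute() and skip the check.
    */
   public final ActionForward execute( ActionMapping mapping, ActionForm form,
         HttpServletRequest request, HttpServletResponse response )
         throws Exception
   {
      // getSession(false): do not create a session for an anonymous caller
      HttpSession session = request.getSession( false );
      Object user = ( session == null ) ? null : session.getAttribute( USER_KEY );

      if ( user == null )
      {
         // Not logged in: no database reads, no business logic, only the redirect.
         response.sendRedirect( LOGIN_URL );
         return null; // null tells Struts the response is already complete
      }

      request.setAttribute( USER_KEY, user ); // make the user available to the JSP
      return executeAuthenticated( mapping, form, request, response );
   }

   /** Subclasses put their real work here; it only runs for a logged-in user. */
   protected abstract ActionForward executeAuthenticated( ActionMapping mapping,
         ActionForm form, HttpServletRequest request,
         HttpServletResponse response ) throws Exception;
}
```

This check only covers requests routed through an Action; a JSP requested directly by URL does not pass through it.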
