Reading Glen's post (two posts ago), I am told that Mr. Husted has an example of this in his book. Sorry for the redundancy. I will have to look at his example because he knows the Struts framework very well.
I had posted before about extending the ActionServlet and didn't get any responses so I didn't know there was already an example floating around. Sorry.

-----Original Message-----
From: Bailey, Shane C. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 04, 2003 5:01 PM
To: [EMAIL PROTECTED]
Subject: Example: Auth check with ActionServlet

If anyone is interested in a decent way to do a check to see if the user is logged in and do the appropriate things then I am giving an example below.

One reason I am doing this is I have seen a heck of a lot of posts where people are doing the check from within a JSP. Second reason is I just finished coding it. Third, I wouldn't mind comments as to whether this will hold up under some unforeseen circumstance or if I am way off base in doing it this way. But this way is simple!

Some code details I have kept out for security reasons. Probably a non-issue but if a hacker knows every detail of how I do it then it makes it easier but you'll get the idea I think.

The disadvantage of extending the ActionServlet over extending the RequestProcessor is that if you are using modules and they have different login paths per module then you would be better off extending the RequestProcessor. Otherwise you could have 50 Request processors for 50 modules and the code to do the auth check below would only have to be in one place. I guess you could have a MyRequestProcessor which just has the check methods in it and reuse that as the base class for each RequestProcessor but...

This code has been tested to work (decently) (but like I said, I removed some (very little) code for security reasons).
    package my.web;

    import java.io.IOException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.ServletException;
    import org.apache.struts.util.RequestUtils;
    import my.package.web.constants.WebConst;

    public final class Controller extends org.apache.struts.action.ActionServlet {

        /**
         * You can omit this method in this class if you have nothing to initialize!!!
         * So it is even smaller code.
         */
        public void init() throws ServletException {
            //I thought I would put code in here to initialize the DB and
            //stuff but decided to find a better way for better tiering i.e. keeping
            //database code out of my front end
            super.init();
        }

        protected void process(HttpServletRequest request, HttpServletResponse response)
                throws IOException, ServletException {
            if(this.isUserAuthenticated(request)==false && isAttemptingLogin(request)==false) {
                //Send to login
                response.sendRedirect(WebConst.MAIN_LOGIN_PATH); //Const value="/login"
                //Stop here: the redirect is already sent, so the request must not reach the action
                return;
            }
            super.process(request,response);
        }

        private boolean isUserAuthenticated(HttpServletRequest request) {
            try{
                //Insert code here! To check the Session (or the request if using Container
                //Managed Security) and see if the user is already logged in.
                return true;
                //If anything fails like a ClassCastException because some
                //outside force tried to set an object in Session or some other problem or security
                //breach just catch any problems...
            }catch(Exception e) {
                return false;
            }
        }

        private boolean isAttemptingLogin(HttpServletRequest request) {
            //Get the path where the user is trying to go.
            String currReqPath = request.getServletPath();
            log("CRP="+currReqPath);
            //I happened to have a couple login paths the user can take (really just a different action mapping name
            //going to the same action) if you only have one login path then replace the whole for loop with
            //if(WebConst.MY_LOGIN_PATH.equals(currReqPath)){ return true; }
            for(int i=0; i<WebConst.LOGIN_PATHS.length;i++) {
                //The first one in the array is "/login"
                if(WebConst.LOGIN_PATHS[i].equals(currReqPath)) {
                    return true;
                }
            }
            return false;
        }
    }

web.xml has this now instead of ActionServlet:

    ...
    <servlet-name>action</servlet-name>
    <servlet-class>my.web.Controller</servlet-class>
    ...
    <servlet-mapping>
        <servlet-name>action</servlet-name>
        <url-pattern>*.do</url-pattern>
    </servlet-mapping>
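
An added example, not part of the original post or of Struts itself: the RequestProcessor alternative the message mentions, with the check placed in `processPreprocess` of a shared base class and a session lookup that fails closed. The package, class name, session key `example.authenticatedUser` and login path `/login.do` are assumptions made for illustration.

```java
package example.web; // hypothetical package

import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.RequestProcessor;

/** Base class that per-module RequestProcessors can extend to share one auth check. */
public class AuthRequestProcessor extends RequestProcessor {
    // Assumed names: the session key set by the login action, and the login paths.
    private static final String USER_KEY = "example.authenticatedUser";
    private static final String[] LOGIN_PATHS = { "/login.do" };

    /** Returning false tells Struts the response is complete and stops processing. */
    protected boolean processPreprocess(HttpServletRequest request,
                                        HttpServletResponse response) {
        if (isUserAuthenticated(request) || isAttemptingLogin(request)) {
            return true;
        }
        try {
            String target = request.getContextPath() + LOGIN_PATHS[0];
            response.sendRedirect(response.encodeRedirectURL(target));
        } catch (IOException e) {
            log("Redirect to login failed", e);
        }
        return false; // never fall through to the action after redirecting
    }

    /** Fails closed: no session, no attribute or an unexpected type all mean "not logged in". */
    private boolean isUserAuthenticated(HttpServletRequest request) {
        HttpSession session = request.getSession(false); // do not create a session here
        if (session == null) {
            return false;
        }
        Object user = session.getAttribute(USER_KEY);
        return user instanceof String && ((String) user).length() > 0;
    }

    private boolean isAttemptingLogin(HttpServletRequest request) {
        String path = request.getServletPath();
        for (int i = 0; i < LOGIN_PATHS.length; i++) {
            if (LOGIN_PATHS[i].equals(path)) {
                return true;
            }
        }
        return false;
    }
}
```

A module would select it with `<controller processorClass="example.web.AuthRequestProcessor"/>` in its struts-config.xml, or extend it when the module needs its own login paths.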

