Hi Jing,

>Using container security or servlet filter are equivalent when protecting
>web applications. We have a topic with sample security constraints at
>http://www.netspread.com/tips2.html#mvc
>in which you could put 'nobody' role to deny any direct access to your
>JSP pages in web applications. No codes here.

I followed the link and I think this can be a nice solution for not having
to place the jsp files under WEB-INF but I didn't see (I must confess I
didn't have the time to look any further than the link you gave me) how one
can do authentication against database for checking username / password.
I'll look more into the subject this week.


>I would say you might want to check if you have removed the "LoggedIn"
>object from the session from the logout action class...
I removed the object before doing a session.invalidate()

>Even I set "nocache" to true, the end users could get Page has Expired
>warning message. The users could do a hard Retry, they get the pages
>again. Have you tried this before?
I tried it, and it's true what you say, but once the session is invalidated
with the authentication I have in place right now they are redirected to the
logon page.
What I'm looking for now, with the filter, container authentication,
security constraints, etc, is an easier way (less redundant code,
centralized method) to do the user's authentication.

>Jing

Thanks a lot ;)
Cezar


> On Fri, 2003-08-22 at 18:12, Jing Zhou wrote:
> > I would prefer to use the security constraints to protect
> > sensitive area. And in the logout action class, invalidate
> > the user's session and then forward to /logout.html.
> >
> > In the logout.html page, you could add JavaScript
> > statement on top of it:
> >
> > location.replace('/thank_you.html');
> >
> > Once the thank_you.html is shown, the Back button
> > is disabled. The user will have no chance to back.
> > Make sure the thank_you.html is outside the security
> > constraints.
> >
> > Jing
> > Netspread Carrier
> > http://www.netspread.com
> >
> >
> > ----- Original Message -----
> > From: "Cezar Nasui" <[EMAIL PROTECTED]>
> > To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> > Sent: Friday, August 22, 2003 2:15 PM
> > Subject: Authentication Filter not working
> >
> >
> > > Hi all,
> > >
> > > I try to use a filter for the authentication so I created a class which
> > > implements filter with the following doFilter method (I found this in a
> > > post)
> > >
> > > <code>
> > > public void doFilter(ServletRequest _request, ServletResponse _response,
> > >   FilterChain _chain)
> > >   throws IOException, ServletException
> > >  {
> > >     String redirectFailure = "/logon.jsp";
> > >
> > >     HttpSession session =
> > >         ((HttpServletRequest)_request).getSession(false);
> > >     if ((session == null) || (session.getAttribute("loggedIn") == null) )
> > >     {
> > >     context.getRequestDispatcher(redirectFailure)
> > >        .forward(_request,_response);
> > >      }
> > >      else {
> > >      _chain.doFilter(_request, _response);
> > >      }
> > > }
> > > </code>
> > >
> > > I added this in the web.xml file:
> > > <code>
> > >   <filter>
> > >     <filter-name>SessionFilter</filter-name>
> > >     <filter-class>dbmanager.SessionFilter</filter-class>
> > >   </filter>
> > >   <filter-mapping>
> > >     <filter-name>SessionFilter</filter-name>
> > >     <url-pattern>/DBManager/*</url-pattern>
> > >   </filter-mapping>
> > > </code>
> > >
> > > and I also:
> > > - set nocache to true for the Action servlet
> > > - in logoff I invalidate the session I create in login along with the
> > > loggedIn variable
> > >
> > > The problem: when I log out and then do a back to the last page
> > > everything is working!!!
> > >
> > > I overlooked something, any ideas?
> > >
> > > Thanks,
> > > Cezar
> > > ---
>
>
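
An added example, not code from anyone in this thread: a session-check filter that also marks every protected response as non-cacheable, because a page the browser redisplays from its own cache on Back never reaches the filter at all. The class name NoStoreSessionFilter and the LOGON_PAGE constant are assumptions; the "loggedIn" attribute, /logon.jsp and the dbmanager package are taken from the filter and web.xml quoted above.

```java
package dbmanager;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical class name; register it in web.xml the same way as SessionFilter.
public class NoStoreSessionFilter implements Filter {

    // Assumption: the logon page sits outside the filter's url-pattern,
    // otherwise the redirect below would loop.
    private static final String LOGON_PAGE = "/logon.jsp";

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // Set before anything is written: forbid browser and proxy copies so
        // that Back after logout produces a new request instead of a cached page.
        res.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        res.setHeader("Pragma", "no-cache");   // HTTP/1.0 clients
        res.setDateHeader("Expires", 0);

        // getSession(false) never creates a session for an anonymous caller.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("loggedIn") == null) {
            // Redirect rather than forward so the address bar shows the logon URL.
            res.sendRedirect(res.encodeRedirectURL(req.getContextPath() + LOGON_PAGE));
            return;
        }
        chain.doFilter(request, response);
    }
}
```

With no-store in place, a Back or Retry after session.invalidate() reaches the server with no valid session and ends up at the logon page.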



---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003
