Doing it in your jsps is, as someone else said earlier, way too late. If you're not going to use container-managed security, which is sufficient for most needs, then put it in a filter. It's easy, central and maintenance-free. Better than updating all your JSPs.
As for tags, I'm not sure about <logic> tags, I use <c> tags in JSTL.
Setting form properties in the Action classes is standard practice.
Adam
On 03/13/2004 11:43 PM Theodosios Paschalidis wrote:
Struts seems to be erratic! It first worked then with no changes it didn't! Something is going terribly wrong with how the server updates the classes...
I believe the safest bet is to do it in my JSP.
- Could somebody please give an example of using the <logic> tag, to check for the presence of an attribute checking its boolean property and forwarding to a page?
- Also, is it OK to set a Form property in the Action class?
Forgive my basic question but I could not get it to work with a boolean property!
Thank you for your time, Theo
----- Original Message -----
From: "Robert Nocera" <[EMAIL PROTECTED]>
To: "'Struts Users Mailing List'" <[EMAIL PROTECTED]>
Sent: Saturday, March 13, 2004 5:34 PM
Subject: RE: Checking if user has a valida session
How about this:

public boolean isUserAdmin(HttpServletRequest request) {
    // Check if the Admin is logged on
    if (isLogged(request)) {
        HttpSession session = request.getSession();
        LogonForm user = (LogonForm) session.getAttribute(Constants.USER_KEY);
        return (user.isAdmin());
    } else {
        return false;
    }
}
-----Original Message-----
From: Theodosios Paschalidis [mailto:[EMAIL PROTECTED]
Sent: Saturday, March 13, 2004 11:42 AM
To: Struts Users Mailing List
Subject: Re: Checking if user has a valida session
Hi all,
I was just trying to figure out how to do that. (newbie) I have an app that has some pages available for all, some for logged in users and some for administrators.
I prevent access to logged-only pages by a tags that hide the relevant functionality. I have now written an abstract BaseAction with 3 methods: isSessionValid, isLogged and isUserAdmin in order to implement Action based security.
My problem is that I can still go to my ".do" or ".jsp" pages directly by typing in the URL. If I try to submit something instead of being forwarded to, say, LogOff, I get this error

java.lang.NullPointerException
    at app.AbstActionBase.isUserAdmin(Unknown Source)
    at app.InsertItemAction.execute(Unknown Source)

since my code checks based on a request that is not there! Any way to prevent this?
Thank you for your time,
Theo

public boolean isSessionValid(HttpServletRequest request) {
    if (request == null)
        return (false);
    HttpSession session = request.getSession();
    if (session == null)
        return (false);
    return true;
}

public boolean isLogged(HttpServletRequest request) {
    // Checked for a currently logged on user
    HttpSession session = request.getSession();
    LogonForm user = (LogonForm) session.getAttribute(Constants.USER_KEY);
    return ((user == null) ? false : true);
}

public boolean isUserAdmin(HttpServletRequest request) {
    // Check if the Admin is logged on
    HttpSession session = request.getSession();
    LogonForm user = (LogonForm) session.getAttribute(Constants.USER_KEY);
    return (user.isAdmin());
}
----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 12, 2004 8:50 PM
Subject: RE: Checking if user has a valida session
There are different ways of implementing a secure site, and many variables involved.
When you say you want to see if the session is "valid," are you talking about name/password authentication, or some other session attribute?
If the former, you can implement a standard J2EE security model in the web app deployment descriptor (web.xml), specifying which user roles can access which pages (such as "*.do"), and exempting specified other resources (e.g. "login.do"). This will automatically prevent users from accessing pages without being authenticated first, and also enable you to configure session timeouts easily. It's also an easy, central, and standard method of configuring security, and fits in neatly with the roles-based configuration in the Struts config file. Your options would work as well, but wouldn't be very flexible or easy to manage, especially if you expect the application to get big.
-----Original Message-----
From: Joao Batistella [mailto:[EMAIL PROTECTED]
Sent: Friday, March 12, 2004 2:55 PM
To: 'Struts Users Mailing List'
Subject: Checking if user has a valida session
Hello.
I have to check in my application if the user has a valid session in every page and, if not, redirect him to the login page. What is the best way of doing this?
I see 3 options:
1. Put an include or tag in every page that checks this
2. Check this in my struts action
3. Use a servlet filtering to filter all .jsp or .do requests
I'm thinking about adopting solution number 3. Is it the best approach?
Thanks, JP
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
-- struts 1.1 + tomcat 5.0.16 + java 1.4.2 Linux 2.4.20 Debian
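Added example, not part of the original thread: a minimal servlet filter for the central check discussed above (option 3), reading the session without creating one so that a missing session or missing user is handled instead of causing the NullPointerException shown earlier. The AppUser interface, the "user" attribute name, /login.do and the /admin/ prefix are assumptions standing in for the application's own LogonForm, Constants.USER_KEY and URL layout.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Map this filter to *.do and *.jsp in web.xml so every request passes through it.
public class AccessFilter implements Filter {
    /** Hypothetical stand-in for the thread's LogonForm. */
    public interface AppUser { boolean isAdmin(); }

    static final String USER_KEY = "user";         // assumed session attribute name
    static final String LOGIN = "/login.do";       // assumed public login action
    static final String ADMIN_PREFIX = "/admin/";  // assumed admin-only URL space

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // Container-decoded path, without ";jsessionid=..." style path parameters.
        String info = req.getPathInfo();
        String path = req.getServletPath() + (info == null ? "" : info);

        // Only the login action is reachable without a user; all else fails closed.
        if (LOGIN.equals(path)) { chain.doFilter(rq, rs); return; }

        // getSession(false) returns null rather than creating an empty session.
        HttpSession session = req.getSession(false);
        Object attr = (session == null) ? null : session.getAttribute(USER_KEY);
        if (!(attr instanceof AppUser)) {           // no session or no logged-in user
            res.sendRedirect(req.getContextPath() + LOGIN);
            return;
        }
        // Logged in, but not allowed into the admin area.
        if (path.startsWith(ADMIN_PREFIX) && !((AppUser) attr).isAdmin()) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(rq, rs);
    }
}
```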