Having just researched this, here's what I found. Using a javax.servlet.Filter works very well. As you say, you check the session for an attribute value that indicates authentication. In its absence you use a RequestDispatcher to forward to a login servlet which checks for four cases:

1. no request parameters: display logon form
2. invalid request parameters: display errors
3. unable to authenticate with valid parameters: display error
4. parameters authenticate: forward to home page

Thanks to Rick Bay on the struts-users list for this idea, along with option 3 in this email:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg24504.html

This is a fully featured, XML-file-configurable filter that I will eventually use as my solution: http://securityfilter.sourceforge.net/

But for fun and understanding I wrote (cut and pasted bits from the web, really) this one, as a test:

    import java.io.IOException;
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.RequestDispatcher;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpSession;

    public final class AuthFilter implements Filter {

        public void init(FilterConfig config) throws ServletException {}

        public void destroy() {}

        public void doFilter(ServletRequest request, ServletResponse response,
                             FilterChain chain) throws IOException, ServletException {
            boolean auth = false;
            if (request instanceof HttpServletRequest) {
                // The login servlet sets this Boolean attribute once the user authenticates.
                HttpSession session = ((HttpServletRequest) request).getSession();
                Boolean authAttr = (Boolean) session.getAttribute("authenticated");
                if (authAttr != null) auth = authAttr.booleanValue();
            }
            if (auth) {
                // Authenticated: let the request continue down the chain.
                chain.doFilter(request, response);
            } else {
                // Not authenticated (or not an HTTP request): hand off to the login servlet.
                // The filter mapping must not cover /login.do itself, or this forward loops.
                RequestDispatcher dispatcher = request.getRequestDispatcher("/login.do");
                dispatcher.forward(request, response);
            }
        }
    }

Hope that helps.

dave

On Thu, 2004-02-26 at 18:19, Steven J. Owens wrote:
> Hi folks,
>
> The most common (and frustrating) bookmarked login page gotcha
> with J2EE authentication has been oft-discussed (broken as designed)
> on this list.
>
> What are people's favorite alternatives to J2EE authentication?
> And why?
>
> Something I'm particularly interested in is alternatives that don't
> require me to rebuild the application from scratch. I'm looking at
> tearing out the old login process and putting in a new one and I don't
> really want to start the whole thing over.
>
> If I had to build it from scratch myself, I'd do it as a simple
> Servlet filter that checks for a Principal object stored in the user's
> HttpSession.
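As an added example (not Dave's code and not from the securityfilter project), here is a login servlet that handles the four cases listed in the reply and sets the "authenticated" session attribute the filter looks for; the /login.jsp and /home.do paths, the "username"/"password" parameter names and the in-memory credential store are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Map this servlet to /login.do and keep AuthFilter off that path, otherwise
// the filter's forward loops back here. service() handles both the GET that the
// filter forwards and the POST from the logon form.
public class LoginServlet extends HttpServlet {
    // Constructed placeholder store: username -> Base64(SHA-256(password)).
    // A real deployment uses a salted, deliberately slow password hash instead.
    private static final Map<String, String> USERS = new HashMap<>();
    static { USERS.put("alice", sha256Base64("correct horse")); }

    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null && pass == null) {
            // Case 1: no request parameters -> display the logon form.
            req.getRequestDispatcher("/login.jsp").forward(req, resp);
        } else if (user == null || pass == null || user.isEmpty() || pass.isEmpty()) {
            // Case 2: invalid request parameters -> display errors.
            req.setAttribute("error", "Username and password are both required");
            req.getRequestDispatcher("/login.jsp").forward(req, resp);
        } else if (!credentialsValid(user, pass)) {
            // Case 3: valid parameters that do not authenticate -> one generic error,
            // so the response does not reveal whether the username exists.
            req.setAttribute("error", "Login failed");
            req.getRequestDispatcher("/login.jsp").forward(req, resp);
        } else {
            // Case 4: authenticated. Invalidate any pre-login session first so a
            // session id fixed before login is never promoted to an authenticated one.
            HttpSession old = req.getSession(false);
            if (old != null) old.invalidate();
            req.getSession(true).setAttribute("authenticated", Boolean.TRUE);
            req.getRequestDispatcher("/home.do").forward(req, resp);
        }
    }
    static boolean credentialsValid(String user, String pass) {
        String expected = USERS.get(user);
        return expected != null && MessageDigest.isEqual(   // constant-time compare
                expected.getBytes(StandardCharsets.UTF_8),
                sha256Base64(pass).getBytes(StandardCharsets.UTF_8));
    }
    static String sha256Base64(String s) {
        try {
            return Base64.getEncoder().encodeToString(MessageDigest.getInstance("SHA-256")
                    .digest(s.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```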
