On Wed, 26 Jun 2002 23:39, you wrote:

> I am trying to find out the "proper" way to do anonymous users. I've been
> looking through the docs, and mail list archives and I'm seeing conflicting
> - or vague info.

Your session validator (TemplateSessionValidator by default) sets the User in 
the RunData object to be an anonymous user.  An anonymous user is a user who 
has not logged in yet, so they will have temporary storage but not permanent 
storage (i.e. they are associated with a session but none of their information 
is stored in the database).

> Imagine say I have a public web enabled database where most people can
> search and view for free without registration as a user. Admin Users do
> need to be a registered and logged in user to perform administration
> functions.

This is a common requirement and is exactly what the Turbine security system 
was designed for.

> I initially made all my screens and actions subclasses of SecureScreen and
> SecureAction by following the newapp example but of course some pages don't
> have to be secure. I have two choices as far as I can see.
>
> Option 1)
> I can change the relevant java classes to be subclasses of VelocityScreen
> and Velocity Action.
>
> Option 2)
> I can amend the isAuthorized method of SecureScreen and SecureAction so
> that the user is automatically logged in as "Visitor", a special user I
> create for the normal user.
>
> Are either of these correct?

Option 3 is to write your own subclass of VelocityScreen and VelocityAction 
called something like OWALVelocityScreen and OWALVelocityAction and write 
your own security mechanism (it could be similar to the isAuthorized method) 
and have all your screens and actions subclass your custom classes.

> With option 1 : does the user have a session ?

The Servlet Specification mandates that any user of a web application is 
associated with a session (search for JSESSIONID in the servlet spec), so the 
answer to this question is yes, anonymous users are associated with a session.

> With option 2 : do the users have separate sessions or do they share one?

Each user (or to be more precise, each browser) is associated with a separate 
session (see the servlet spec).

> I am currently trying option 2 but I seem to have problems with sessions
> not working properly....

What sort of problems are you having?

> PS I am using Turbine 2.1 and Tomcat 4.0.something in case that makes a big
> difference....
>
> Here is an example of the modified "isAuthorized" I am trying.
>
>     protected boolean isAuthorized( RunData data ) throws Exception
>     {
>         boolean isAuthorized = false;
>         AccessControlList acl = data.getACL();
>         if (acl == null || !acl.hasRole("turbine_root"))
>         {
>             try
>             {
>                 Log.info("Attempting to setup a default login");
>                 // Alex's suggestion --> look the shared "visitor" account up
>                 TurbineUser anonUser = (TurbineUser) TurbineSecurity
>                     .getAuthenticatedUser("visitor", "visitor");
>                 if (anonUser != null)
>                 {
>                     Log.info("Attempting to login as user visitor");
>                     anonUser.setHasLoggedIn(new Boolean(true));
>                     data.setUser(anonUser);
>                     // note: isAuthorized is left false on this path
>                 }
>                 else
>                 {
>                     Log.info("but unfortunately we redirect to the login screen");
>                     data.setScreenTemplate(
>                         TurbineResources.getString("template.login"));
>                     isAuthorized = false;
>                 }
>             }
>             catch (Exception e)
>             {
>                 Log.error("When trying to set user as anonymous : " + e.toString());
>             }
>         }
>         else if (acl.hasRole("turbine_root"))
>         {
>             isAuthorized = true;
>         }
>         return isAuthorized;
>     }

You can just call data.getUser() from your isAuthorized method; the user in 
the RunData object is set in the session validator action.  So if you want to 
check if a user has logged in yet, just call data.getUser().hasLoggedIn().

Hope that helps,

-- Rodney
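For illustration, here is an added example (not Rodney's or the Turbine project's code) of the "Option 3" base screen he describes: a custom VelocityScreen subclass whose isAuthorized relies on the anonymous User the session validator already placed in RunData, instead of logging everyone in as a database "visitor" account. The Turbine 2.1 package paths, the doBuildTemplate hook and the doBuildAuthorizedTemplate helper are assumptions about the API, and the "turbine_root" role and "template.login" key are taken from the thread.

```java
// Added example, not from the original thread. Assumes Turbine 2.1 package
// layout and that VelocityScreen exposes doBuildTemplate(RunData, Context).
import org.apache.turbine.modules.screens.VelocityScreen;
import org.apache.turbine.om.security.User;
import org.apache.turbine.services.resources.TurbineResources;
import org.apache.turbine.util.RunData;
import org.apache.turbine.util.security.AccessControlList;
import org.apache.velocity.context.Context;

public class OWALVelocityScreen extends VelocityScreen
{
    /** Role that administration screens require (name used in the thread). */
    protected static final String ADMIN_ROLE = "turbine_root";

    /** Public (search/view) screens override this to return false. */
    protected boolean requiresLogin()
    {
        return true;
    }

    protected boolean isAuthorized(RunData data) throws Exception
    {
        // Anonymous users may view public screens; no shared DB account needed.
        if (!requiresLogin())
        {
            return true;
        }
        // The session validator has already put a User (anonymous or real) here.
        User user = data.getUser();
        if (user == null || !user.hasLoggedIn())
        {
            data.setScreenTemplate(TurbineResources.getString("template.login"));
            return false;
        }
        // Logged in, but admin screens additionally need the admin role.
        AccessControlList acl = data.getACL();
        if (acl == null || !acl.hasRole(ADMIN_ROLE))
        {
            data.setMessage("You are not authorized to access this area.");
            return false;
        }
        return true;
    }

    // Assumed hook: only build the page body when the check above passes.
    protected void doBuildTemplate(RunData data, Context context) throws Exception
    {
        if (isAuthorized(data))
        {
            doBuildAuthorizedTemplate(data, context);
        }
    }

    /** Hypothetical helper that concrete screens override to fill the context. */
    protected void doBuildAuthorizedTemplate(RunData data, Context context)
        throws Exception
    {
    }
}
```

A public screen subclasses this and overrides requiresLogin() to return false; admin screens keep the default and get both the login redirect and the role check.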
