Our current project uses Tomcat/Sruts, we use Form Authenticator and a JNDIRealm to authenticate our users which are configured in the server.xml, access to any webapplication resources is done via the the servlet api via security constraints which are configured in the web.xml of the webapplication which allows us to block any restricted request and forward it to the login form. I highly recommend using it over a custom solution. Especially if you are trying to maintain a secure application in production.
-Mark
Amleto Di Salle wrote:
Hi, I have the following classes and it seems to work:
1) public class LoginAction extends Action {
public ActionForward execute( ActionMapping actionMapping, ActionForm actionForm, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse ) throws InvalidLoginException {
String login = ( ( LoginForm ) actionForm ).getLogin(); String password = ( ( LoginForm ) actionForm ).getPassword();
SecurityDelegate securityDelegate = new SecurityDelegate(); UserTO user = securityDelegate.autentication( login, password );
HttpSession session = httpServletRequest.getSession( false ); if ( session != null ) { session.invalidate(); }
session = httpServletRequest.getSession( true ); session.setAttribute( Constants.USER_INFO, user );
return actionMapping.findForward( Constants.WELCOME ); }
}
2) I have a BaseAction class and my the other classes extend it. public abstract class BaseAction extends Action {
public ActionForward execute( ActionMapping actionMapping, ActionForm actionForm, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse ) throws UserNotLoggedException { HttpSession session = httpServletRequest.getSession( false ); if ( session == null ) { throw new UserNotLoggedException( "User Not logged!" ); }
UserTO userTO = ( UserTO) session.getAttribute( Constants.USER_INFO ); if ( userTO == null ) { throw new UserNotLoggedException( "User not Logged!" ); } return doExecute( actionMapping, actionForm, httpServletRequest, httpServletResponse ); }
public abstract ActionForward doExecute( ActionMapping actionMapping, ActionForm actionForm, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse ); }
3) public class LogoutAction extends Action {
public ActionForward execute( ActionMapping actionMapping, ActionForm actionForm, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse ) {
HttpSession session = httpServletRequest.getSession( false ); if ( session != null ) { session.invalidate(); } return actionMapping.findForward( Constants.SUCCESS ); }
}
BR /Amleto
-----Messaggio originale-----
Da: manoj JC [mailto:[EMAIL PROTECTED] Inviato: giovedì 24 giugno 2004 17.15
A: [EMAIL PROTECTED]
Oggetto: RE: R: Back Browser Button After Logout and Reload so that
continue working
Along the same lines
In the Login.do You should have something like HttpSession session = httpServletRequest.getSession( true ); if ( session != null ) { session.setAttribute("loggedin", true); }
And in Logout.do You should have something like HttpSession session = httpServletRequest.getSession( false ); if ( session != null ) { session.setAttribute("loggedin", false); }
The way I have done is, I have divided my action classes into two types.
One for logged in users and other for not logged in users. In struts-config
one of the attributs of the action class is "requiredlogin=yes" or "requiredlogin=no"
In the actionservlet, I check if the current action's
"requiredlogin=yes" if it is then check for the value
session.getAttribute("loggedin"); If it is false, you redirect the page to a login.do else you would send it to
correct action class.
Folks, please let me know if this a convoluted way of achieving this.
From: "Amleto Di Salle" <[EMAIL PROTECTED]>
Reply-To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
To: "'Struts Users Mailing List'" <[EMAIL PROTECTED]>
Subject: R: Back Browser Button After Logout and Reload so that continue
working
Date: Thu, 24 Jun 2004 16:53:40 +0200
Hi,
one possible solution is to invalidate the session inside the "LogoffAction".
HttpSession session = httpServletRequest.getSession( false ); if ( session != null ) { session.invalidate(); }
If you have already done and the problem remains, maybe you are using HttpServletRequest.getSession() method (or getSession(true)) inside the
Actions (or "BaseAction" if you use a base class for your all actions, in order to validate the users).
BR /Amleto
-----Messaggio originale-----
Da: Ricardo Andres Quintero [mailto:[EMAIL PROTECTED]
Inviato: giovedì 24 giugno 2004 15.41
A: [EMAIL PROTECTED]
Oggetto: Back Browser Button After Logout and Reload so that continue working
Hello my friends Followed i attach a message i found in the internet. I have found some conceptual solutions about this problem, but i DO need an example that works to solve it.
The conceptual solution talks about a token syncronizer. I don't know how to write it.
Thank you in advanced.
<%-- THE PROBLEM --%>
Hello,
I used Struts to develop a web app which has a login form to permit access to different functionnalities via a menu page. I use a session var I set at login to check if the user has not logged out. The problem
that I have is, once I do the logoff, if I use the Back button of the browser to the menu page and do a refresh a new session gets created and I'm able to use the app. I have a filter to do the verification but
I tried before doing it in each Action and I have the same problem. I don't access .jsp pages directly, I have an Action for each of them. I read some posts but none seems to talk about my specific problem.
It sounds like a begginer caveat but I have no idea what should I do or
what am I doing wrong. Any help appreciated,
Cezar
<%-- END OF THE PROBLEM --%>
-- Ricardo Andrés Quintero R. Ubiquando Ltda.
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
_________________________________________________________________
Is your PC infected? Get a FREE online computer virus scan from McAfee® Security. http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
-- Mark Diggory Software Developer Harvard MIT Data Center http://www.hmdc.harvard.edu
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
