Behind the SecurityDelegate there is a DAO class which validate the user using a Oracle DB.
I have tried to use the servlet security model, but my problem is that the authenticated user will have a custom menu depending to its roles. Furthermore the tables used in my application to validate the user are different respected to Tomcat wants). Anyway I tried it when I was a beginner to Struts and in general to Web Application (but not in Java! :-)). I will modify my application when I have a more time, but I'm just curious to your solution. BR /Amleto -----Messaggio originale----- Da: Mark R. Diggory [mailto:[EMAIL PROTECTED] Inviato: giovedì 24 giugno 2004 17.36 A: Struts Users Mailing List Oggetto: Re: R: R: Back Browser Button After Logout and Reload so that continue working Where do you store your user information for authentication? What is behind your SecurityDelegate object. Our current project uses Tomcat/Sruts, we use Form Authenticator and a JNDIRealm to authenticate our users which are configured in the server.xml, access to any webapplication resources is done via the the servlet api via security constraints which are configured in the web.xml of the webapplication which allows us to block any restricted request and forward it to the login form. I highly recommend using it over a custom solution. Especially if you are trying to maintain a secure application in production. -Mark Amleto Di Salle wrote: > Hi, > I have the following classes and it seems to work: > > 1) > public class LoginAction extends Action { > > public ActionForward execute( ActionMapping actionMapping, > ActionForm actionForm, HttpServletRequest httpServletRequest, > HttpServletResponse httpServletResponse ) throws InvalidLoginException > { > > String login = ( ( LoginForm ) actionForm ).getLogin(); > String password = ( ( LoginForm ) actionForm ).getPassword(); > > SecurityDelegate securityDelegate = new SecurityDelegate(); > UserTO user = securityDelegate.autentication( login, password > ); > > HttpSession session = httpServletRequest.getSession( false ); > if ( session != null ) { > session.invalidate(); > } > > session = httpServletRequest.getSession( true ); > session.setAttribute( Constants.USER_INFO, user ); > > return actionMapping.findForward( Constants.WELCOME ); > } > > } > > 2) I have a BaseAction class and my the other classes extend it. > public abstract class BaseAction extends Action { > > public ActionForward execute( ActionMapping actionMapping, > ActionForm actionForm, HttpServletRequest httpServletRequest, > HttpServletResponse httpServletResponse ) throws > UserNotLoggedException { > HttpSession session = httpServletRequest.getSession( false ); > if ( session == null ) { > throw new UserNotLoggedException( "User Not logged!" ); > } > > UserTO userTO = ( UserTO) session.getAttribute( > Constants.USER_INFO ); > if ( userTO == null ) { > throw new UserNotLoggedException( "User not Logged!" ); > } > return doExecute( actionMapping, actionForm, > httpServletRequest, httpServletResponse ); > } > > public abstract ActionForward doExecute( ActionMapping > actionMapping, ActionForm actionForm, HttpServletRequest > httpServletRequest, HttpServletResponse httpServletResponse ); } > > 3) > public class LogoutAction extends Action { > > public ActionForward execute( ActionMapping actionMapping, > ActionForm actionForm, HttpServletRequest httpServletRequest, > HttpServletResponse httpServletResponse ) { > > HttpSession session = httpServletRequest.getSession( false ); > if ( session != null ) { > session.invalidate(); > } > return actionMapping.findForward( Constants.SUCCESS ); > } > > } > > BR > /Amleto > > > -----Messaggio originale----- > Da: manoj JC [mailto:[EMAIL PROTECTED] > Inviato: giovedì 24 giugno 2004 17.15 > A: [EMAIL PROTECTED] > Oggetto: RE: R: Back Browser Button After Logout and Reload so that > continue working > > > Along the same lines > > > In the Login.do > You should have something like > HttpSession session = httpServletRequest.getSession( true ); if ( > session != null ) { > session.setAttribute("loggedin", true); > } > > And in Logout.do > You should have something like > HttpSession session = httpServletRequest.getSession( false ); if ( > session != null ) { > session.setAttribute("loggedin", false); > } > > The way I have done is, I have divided my action classes into two > types. One for logged in users and other for not logged in users. In > struts-config one > of the attributs of the action class is "requiredlogin=yes" or > "requiredlogin=no" > > In the actionservlet, I check if the current action's > "requiredlogin=yes" if it is then check for the value > session.getAttribute("loggedin"); If it is false, you redirect the > page to a login.do else you would send it to correct > action class. > > Folks, please let me know if this a convoluted way of achieving this. > > >>From: "Amleto Di Salle" <[EMAIL PROTECTED]> >>Reply-To: "Struts Users Mailing List" <[EMAIL PROTECTED]> >>To: "'Struts Users Mailing List'" <[EMAIL PROTECTED]> >>Subject: R: Back Browser Button After Logout and Reload so that >>continue >>working >>Date: Thu, 24 Jun 2004 16:53:40 +0200 >> >>Hi, >>one possible solution is to invalidate the session inside the >>"LogoffAction". >> >> HttpSession session = httpServletRequest.getSession( false ); >> if ( session != null ) { >> session.invalidate(); >> } >> >>If you have already done and the problem remains, maybe you are using >>HttpServletRequest.getSession() method (or getSession(true)) inside >>the > > >>Actions (or "BaseAction" if you use a base class for your all actions, >>in order to validate the users). >> >>BR >>/Amleto >> >> >>-----Messaggio originale----- >>Da: Ricardo Andres Quintero [mailto:[EMAIL PROTECTED] >>Inviato: giovedì 24 giugno 2004 15.41 >>A: [EMAIL PROTECTED] >>Oggetto: Back Browser Button After Logout and Reload so that continue >>working >> >> >>Hello my friends >>Followed i attach a message i found in the internet. >>I have found some conceptual solutions about this problem, but i DO >>need an example that works to solve it. >> >>The conceptual solution talks about a token syncronizer. I don't know >>how to write it. >> >>Thank you in advanced. >> >><%-- THE PROBLEM --%> >> >>Hello, >> >>I used Struts to develop a web app which has a login form to permit >>access to different functionnalities via a menu page. I use a session >>var I set at login to check if the user has not logged out. The problem > > >>that I have is, once I do the logoff, if I use the Back button of the >>browser to the menu page and do a refresh a new session gets created >>and I'm able to use the app. I have a filter to do the verification but > > >>I tried before doing it in each Action and I have the same problem. I >>don't access .jsp pages directly, I have an Action for each of them. I >>read some posts but none seems to talk about my specific problem. >> >>It sounds like a begginer caveat but I have no idea what should I do >>or > > >>what am I doing wrong. Any help appreciated, >> >>Cezar >> >><%-- END OF THE PROBLEM --%> >> >> >>-- >>Ricardo Andrés Quintero R. >>Ubiquando Ltda. >> >> >>--------------------------------------------------------------------- >>To unsubscribe, e-mail: [EMAIL PROTECTED] >>For additional commands, e-mail: [EMAIL PROTECTED] >> >> >>--------------------------------------------------------------------- >>To unsubscribe, e-mail: [EMAIL PROTECTED] >>For additional commands, e-mail: [EMAIL PROTECTED] >> > > > _________________________________________________________________ > Is your PC infected? Get a FREE online computer virus scan from > McAfee® > Security. http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963 > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > -- Mark Diggory Software Developer Harvard MIT Data Center http://www.hmdc.harvard.edu --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
