Amleto Di Salle wrote:

Behind the SecurityDelegate there is a DAO class which validates the user
using an Oracle DB.

I have tried to use the servlet security model, but my problem is that
the authenticated user will have a custom menu depending on its roles.

We do something similar; I have a navigation menu that has sections that are shown only if a user is in a specific role (i.e. request.isUserInRole("foo")). The roles are the groups the user belongs to in the LDAP server. When the user is authenticated the roles are passed into the request via the Authenticator/Realm configuration of Tomcat.


Furthermore, the tables used in my application to validate the user are
different from what Tomcat wants.

That's usually where the challenge arises in configuring the authentication. I'm not familiar enough with the Realm for connecting to Oracle.


Anyway, I tried it when I was a beginner to Struts and in general to web
applications (but not in Java! :-)). I will modify my application when I
have more time, but I'm just curious about your solution.

BR
/Amleto



-----Original Message-----
From: Mark R. Diggory [mailto:[EMAIL PROTECTED]
Sent: Thursday, 24 June 2004 17:36
To: Struts Users Mailing List
Subject: Re: R: R: Back Browser Button After Logout and Reload so that continue working



Where do you store your user information for authentication? What is behind your SecurityDelegate object?


Our current project uses Tomcat/Struts. We use the Form Authenticator and a JNDIRealm to authenticate our users, which are configured in server.xml; access to any web application resources is done via the servlet API's security constraints, which are configured in the web.xml of the web application, which allows us to block any restricted request and forward it to the login form. I highly recommend using it over a custom solution, especially if you are trying to maintain a secure application in production.

-Mark

Amleto Di Salle wrote:

Hi,
I have the following classes and it seems to work:

1)
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public class LoginAction extends Action {

    public ActionForward execute( ActionMapping actionMapping, ActionForm actionForm,
                                  HttpServletRequest httpServletRequest,
                                  HttpServletResponse httpServletResponse )
            throws InvalidLoginException {

        String login = ( ( LoginForm ) actionForm ).getLogin();
        String password = ( ( LoginForm ) actionForm ).getPassword();

        SecurityDelegate securityDelegate = new SecurityDelegate();
        UserTO user = securityDelegate.autentication( login, password );

        // Drop any existing session before storing the user in a fresh one
        HttpSession session = httpServletRequest.getSession( false );
        if ( session != null ) {
            session.invalidate();
        }

        session = httpServletRequest.getSession( true );
        session.setAttribute( Constants.USER_INFO, user );

        return actionMapping.findForward( Constants.WELCOME );
    }

}

2) I have a BaseAction class and my other classes extend it.

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public abstract class BaseAction extends Action {

    public ActionForward execute( ActionMapping actionMapping, ActionForm actionForm,
                                  HttpServletRequest httpServletRequest,
                                  HttpServletResponse httpServletResponse )
            throws UserNotLoggedException {
        // getSession( false ): never create a session here
        HttpSession session = httpServletRequest.getSession( false );
        if ( session == null ) {
            throw new UserNotLoggedException( "User Not logged!" );
        }

        UserTO userTO = ( UserTO ) session.getAttribute( Constants.USER_INFO );
        if ( userTO == null ) {
            throw new UserNotLoggedException( "User not Logged!" );
        }
        return doExecute( actionMapping, actionForm, httpServletRequest, httpServletResponse );
    }

    public abstract ActionForward doExecute( ActionMapping actionMapping, ActionForm actionForm,
                                             HttpServletRequest httpServletRequest,
                                             HttpServletResponse httpServletResponse );
}

3)
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public class LogoutAction extends Action {

    public ActionForward execute( ActionMapping actionMapping, ActionForm actionForm,
                                  HttpServletRequest httpServletRequest,
                                  HttpServletResponse httpServletResponse ) {

        // Invalidate the session if there is one; never create a new one
        HttpSession session = httpServletRequest.getSession( false );
        if ( session != null ) {
            session.invalidate();
        }
        return actionMapping.findForward( Constants.SUCCESS );
    }

}

BR
/Amleto


-----Original Message-----
From: manoj JC [mailto:[EMAIL PROTECTED]
Sent: Thursday, 24 June 2004 17:15
To: [EMAIL PROTECTED]
Subject: RE: R: Back Browser Button After Logout and Reload so that continue working


Along the same lines


In the Login.do
You should have something like

HttpSession session = httpServletRequest.getSession( true );
if ( session != null ) {
    session.setAttribute("loggedin", true);
}


And in Logout.do
You should have something like

HttpSession session = httpServletRequest.getSession( false );
if ( session != null ) {
    session.setAttribute("loggedin", false);
}


The way I have done it is, I have divided my action classes into two types: one for logged in users and the other for not logged in users. In struts-config one
of the attributes of the action class is "requiredlogin=yes" or "requiredlogin=no".


In the ActionServlet, I check if the current action's "requiredlogin=yes"; if it is, then I check the value of session.getAttribute("loggedin"). If it is false, you redirect the page to login.do; else you would send it to the correct
action class.


Folks, please let me know if this is a convoluted way of achieving this.



From: "Amleto Di Salle" <[EMAIL PROTECTED]>
Reply-To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
To: "'Struts Users Mailing List'" <[EMAIL PROTECTED]>
Subject: R: Back Browser Button After Logout and Reload so that continue working
Date: Thu, 24 Jun 2004 16:53:40 +0200

Hi,
one possible solution is to invalidate the session inside the
"LogoffAction".

      HttpSession session = httpServletRequest.getSession( false );
      if ( session != null ) {
          session.invalidate();
      }

If you have already done that and the problem remains, maybe you are using
the HttpServletRequest.getSession() method (or getSession(true)) inside the
Actions (or "BaseAction" if you use a base class for all your actions)
in order to validate the users.

BR
/Amleto
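Amleto's diagnosis above (getSession(true) in the actions or BaseAction recreates a session after logout) written as the servlet Filter that Cezar's original message mentions; this is an added example, not code from the thread. It assumes a "userInfo" session attribute set by LoginAction and a /login.do entry point, and it adds no-store cache headers that the thread does not discuss.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not code from the thread: the BaseAction check as a Filter,
// so it also covers direct requests to any other servlet or JSP.
public class LoggedInFilter implements Filter {
    // Session key LoginAction stores the UserTO under (the thread's
    // Constants.USER_INFO; the literal value is an assumption).
    static final String USER_INFO = "userInfo";
    // Servlet path of the login action (assumed); left unprotected.
    static final String LOGIN_PATH = "/login.do";

    public void init(FilterConfig config) throws ServletException {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The login page itself must be reachable without a session.
        if (LOGIN_PATH.equals(request.getServletPath())) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false) is null after LogoutAction invalidated the session.
        // getSession() or getSession(true) would silently create a new, empty
        // one, and a check that only tests session != null would pass on it.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_INFO) == null) {
            response.sendRedirect(request.getContextPath() + LOGIN_PATH);
            return; // the Action behind this request never runs
        }

        // Not discussed in the thread: keep authenticated pages out of the
        // browser cache, so Back does not display them after logout.
        response.setHeader("Cache-Control", "no-store");
        response.setDateHeader("Expires", 0L);

        chain.doFilter(req, res);
    }
}
```

Register it in web.xml with a filter-mapping on *.do; only LoginAction should still call getSession(true), after invalidating any old session as in Amleto's code.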


-----Original Message-----
From: Ricardo Andres Quintero [mailto:[EMAIL PROTECTED]
Sent: Thursday, 24 June 2004 15:41
To: [EMAIL PROTECTED]
Subject: Back Browser Button After Logout and Reload so that continue working


Hello my friends,
Below I attach a message I found on the internet.
I have found some conceptual solutions to this problem, but I DO need an example that works to solve it.


The conceptual solution talks about a token synchronizer. I don't know
how to write it.

Thank you in advance.

<%-- THE PROBLEM --%>

Hello,

I used Struts to develop a web app which has a login form to permit
access to different functionalities via a menu page. I use a session var
I set at login to check if the user has not logged out. The problem
that I have is, once I do the logoff, if I use the Back button of the
browser to the menu page and do a refresh a new session gets created and
I'm able to use the app. I have a filter to do the verification but
I tried before doing it in each Action and I have the same problem. I
don't access .jsp pages directly, I have an Action for each of them. I
read some posts but none seems to talk about my specific problem.

It sounds like a beginner caveat but I have no idea what I should do or
what I am doing wrong. Any help appreciated,

Cezar

<%-- END OF THE PROBLEM --%>


-- Ricardo Andrés Quintero R. Ubiquando Ltda.


--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]














-- Mark Diggory Software Developer Harvard MIT Data Center http://www.hmdc.harvard.edu



