I would prefer to use the security constraints to protect
the sensitive area. And in the logout action class, invalidate
the user's session and then forward to /logout.html.

In the logout.html page, you could add a JavaScript
statement at the top of it:

location.replace('/thank_you.html');

Once thank_you.html is shown, the Back button
is disabled. The user will have no chance to go back.
Make sure thank_you.html is outside the security
constraints.

Jing
Netspread Carrier
http://www.netspread.com


On Thu, 24 Jun 2004 12:43:46 -0400, Mark R. Diggory wrote
> Amleto Di Salle wrote:
> 
> > Behind the SecurityDelegate there is a DAO class which validates the user
> > using an Oracle DB.
> > 
> > I have tried to use the servlet security model, but my problem is that
> > the authenticated user will have a custom menu depending on their roles.
> 
> We do something similar: I have a navigation menu that has sections 
> that are shown only if a user is in a specific role (i.e. 
> request.isUserInRole("foo")). The roles are the groups the user 
> belongs to in the LDAP server. When the user is authenticated the 
> roles are passed into the request via the Authenticator/Realm 
> configuration of Tomcat.
> 
> > Furthermore, the tables used in my application to validate the user are
> > different from the ones Tomcat wants.
> 
> That's usually where the challenge arises in configuring the 
> authentication. I'm not familiar enough with the Realm for 
> connecting to Oracle.
> 
> > Anyway, I tried it when I was a beginner to Struts and in general to Web
> > Applications (but not in Java! :-)). I will modify my application when I
> > have more time, but I'm just curious about your solution.
> > 
> > BR
> > /Amleto
> > 
> > 
> > 
> > -----Original Message-----
> > From: Mark R. Diggory [mailto:[EMAIL PROTECTED] 
> > Sent: Thursday, 24 June 2004 17.36
> > To: Struts Users Mailing List
> > Subject: Re: R: R: Back Browser Button After Logout and Reload so that
> > continue working
> > 
> > 
> > Where do you store your user information for authentication? What is 
> > behind your SecurityDelegate object?
> > 
> > Our current project uses Tomcat/Struts; we use a Form Authenticator and a 
> > JNDIRealm to authenticate our users, which are configured in the 
> > server.xml. Access to any web application resources is done via the 
> > servlet API via security constraints, which are configured in the web.xml
> > of the web application, which allows us to block any restricted request 
> > and forward it to the login form. I highly recommend using it over a 
> > custom solution, especially if you are trying to maintain a secure 
> > application in production.
> > 
> > -Mark
> > 
> > Amleto Di Salle wrote:
> > 
> >>Hi,
> >>I have the following classes and it seems to work:
> >>
> >>1)
> >>public class LoginAction extends Action {
> >>
> >>    public ActionForward execute( ActionMapping actionMapping,
> >>            ActionForm actionForm, HttpServletRequest httpServletRequest,
> >>            HttpServletResponse httpServletResponse ) throws InvalidLoginException {
> >>
> >>        String login = ( ( LoginForm ) actionForm ).getLogin();
> >>        String password = ( ( LoginForm ) actionForm ).getPassword();
> >>
> >>        SecurityDelegate securityDelegate = new SecurityDelegate();
> >>        UserTO user = securityDelegate.autentication( login, password );
> >>
> >>        // Discard any pre-login session before creating the authenticated one.
> >>        HttpSession session = httpServletRequest.getSession( false );
> >>        if ( session != null ) {
> >>            session.invalidate();
> >>        }
> >>
> >>        session = httpServletRequest.getSession( true );
> >>        session.setAttribute( Constants.USER_INFO, user );
> >>
> >>        return actionMapping.findForward( Constants.WELCOME );
> >>    }
> >>
> >>}
> >>
> >>2) I have a BaseAction class and all my other classes extend it. 
> >>public abstract class BaseAction extends Action {
> >>
> >>    public ActionForward execute( ActionMapping actionMapping,
> >>            ActionForm actionForm, HttpServletRequest httpServletRequest,
> >>            HttpServletResponse httpServletResponse ) throws UserNotLoggedException {
> >>        // getSession( false ) never creates a session, so a request
> >>        // arriving after logout is rejected rather than silently re-admitted.
> >>        HttpSession session = httpServletRequest.getSession( false );
> >>        if ( session == null ) {
> >>            throw new UserNotLoggedException( "User Not logged!" );
> >>        }
> >>
> >>        UserTO userTO = ( UserTO ) session.getAttribute( Constants.USER_INFO );
> >>        if ( userTO == null ) {
> >>            throw new UserNotLoggedException( "User not Logged!" );
> >>        }
> >>        return doExecute( actionMapping, actionForm,
> >>                httpServletRequest, httpServletResponse );
> >>    }
> >>
> >>    public abstract ActionForward doExecute( ActionMapping actionMapping,
> >>            ActionForm actionForm, HttpServletRequest httpServletRequest,
> >>            HttpServletResponse httpServletResponse );
> >>}
> >>
> >>3)
> >>public class LogoutAction extends Action {
> >>
> >>    public ActionForward execute( ActionMapping actionMapping,
> >>            ActionForm actionForm, HttpServletRequest httpServletRequest,
> >>            HttpServletResponse httpServletResponse ) {
> >>
> >>        HttpSession session = httpServletRequest.getSession( false );
> >>        if ( session != null ) {
> >>            session.invalidate();
> >>        }
> >>        return actionMapping.findForward( Constants.SUCCESS );
> >>    }
> >>
> >>}
> >>
> >>BR
> >>/Amleto
> >>
> >>
> >>-----Original Message-----
> >>From: manoj JC [mailto:[EMAIL PROTECTED]
> >>Sent: Thursday, 24 June 2004 17.15
> >>To: [EMAIL PROTECTED]
> >>Subject: RE: R: Back Browser Button After Logout and Reload so that
> >>continue working
> >>
> >>
> >>Along the same lines:
> >>
> >>
> >>In Login.do
> >>you should have something like
> >>HttpSession session = httpServletRequest.getSession( true );
> >>if ( session != null ) {
> >>   session.setAttribute( "loggedin", Boolean.TRUE );
> >>}
> >>
> >>And in Logout.do
> >>you should have something like
> >>HttpSession session = httpServletRequest.getSession( false );
> >>if ( session != null ) {
> >>   session.setAttribute( "loggedin", Boolean.FALSE );
> >>}
> >>
> >>The way I have done it is, I have divided my action classes into two 
> >>types: one for logged-in users and the other for not-logged-in users. In 
> >>struts-config one of the attributes of the action class is 
> >>"requiredlogin=yes" or "requiredlogin=no".
> >>
> >>In the ActionServlet, I check if the current action's 
> >>"requiredlogin=yes"; if it is, then check the value of 
> >>session.getAttribute("loggedin"). If it is false, you redirect the 
> >>page to login.do, else you send it to the correct
> >>action class.
> >>
> >>Folks, please let me know if this is a convoluted way of achieving this.
> >>
> >>
> >>
> >>>From: "Amleto Di Salle" <[EMAIL PROTECTED]>
> >>>Reply-To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> >>>To: "'Struts Users Mailing List'" <[EMAIL PROTECTED]>
> >>>Subject: R: Back Browser Button After Logout and Reload so that
> >>>continue
> >>>working
> >>>Date: Thu, 24 Jun 2004 16:53:40 +0200
> >>>
> >>>Hi,
> >>>one possible solution is to invalidate the session inside the
> >>>"LogoffAction".
> >>>
> >>>       HttpSession session = httpServletRequest.getSession( false );
> >>>       if ( session != null ) {
> >>>           session.invalidate();
> >>>       }
> >>>
> >>>If you have already done that and the problem remains, maybe you are using
> >>>the HttpServletRequest.getSession() method (or getSession(true)) inside the
> >>>Actions (or "BaseAction" if you use a base class for all your actions,
> >>>in order to validate the users).
> >>>
> >>>BR
> >>>/Amleto
> >>>
> >>>
> >>>-----Original Message-----
> >>>From: Ricardo Andres Quintero [mailto:[EMAIL PROTECTED]
> >>>Sent: Thursday, 24 June 2004 15.41
> >>>To: [EMAIL PROTECTED]
> >>>Subject: Back Browser Button After Logout and Reload so that continue
> >>>working
> >>>
> >>>
> >>>Hello my friends,
> >>>Below I attach a message I found on the internet.
> >>>I have found some conceptual solutions to this problem, but I DO 
> >>>need an example that works to solve it.
> >>>
> >>>The conceptual solution talks about a token synchronizer. I don't know
> >>>how to write it.
> >>>
> >>>Thank you in advance.
> >>>
> >>><%-- THE PROBLEM --%>
> >>>
> >>>Hello,
> >>>
> >>>I used Struts to develop a web app which has a login form to permit
> >>>access to different functionalities via a menu page. I use a session 
> >>>var I set at login to check if the user has not logged out. The problem
> >>>that I have is, once I do the logoff, if I use the Back button of the
> >>>browser to the menu page and do a refresh, a new session gets created 
> >>>and I'm able to use the app. I have a filter to do the verification but
> >>>I tried before doing it in each Action and I have the same problem. I
> >>>don't access .jsp pages directly, I have an Action for each of them. I
> >>>read some posts but none seems to talk about my specific problem.
> >>>
> >>>It sounds like a beginner caveat but I have no idea what I should do or
> >>>what I am doing wrong. Any help appreciated,
> >>>
> >>>Cezar
> >>>
> >>><%-- END OF THE PROBLEM --%>
> >>>
> >>>
> >>>--
> >>>Ricardo Andrés Quintero R.
> >>>Ubiquando Ltda.
> >>>
> >>>
> >>>---------------------------------------------------------------------
> >>>To unsubscribe, e-mail: [EMAIL PROTECTED]
> >>>For additional commands, e-mail: [EMAIL PROTECTED]
> >>>
> >>>
> >>>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> > 
> > 
> 
> -- 
> Mark Diggory
> Software Developer
> Harvard MIT Data Center
> http://www.hmdc.harvard.edu
> 




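The advice in this thread, collected into one servlet Filter as an added example (this is not code posted by any of the participants). It applies the two points the thread converges on: the check uses getSession(false), so a page reloaded after logout finds no session and is redirected to the login form instead of quietly getting a new one; and logout discards the session with invalidate() rather than flipping a "loggedin" flag, so there is nothing left for a later request to inherit. It also marks every protected response as non-cacheable, so the Back button has to re-contact the server, where the check runs. Assumptions: the session attribute name and the login path (USER_INFO and /login.do below) are placeholders standing in for Constants.USER_INFO and the login action of the posted code, and the javax.servlet API of the Tomcat versions discussed is used.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not code from the thread: a Filter guarding the URL
 * patterns it is mapped to in web.xml (e.g. *.do). The constants below are
 * assumed names, matching Constants.USER_INFO and the login action in spirit.
 */
public class LoggedInFilter implements Filter {

    static final String USER_INFO = "USER_INFO";   // assumed session attribute name
    static final String LOGIN_PATH = "/login.do";  // assumed login action path

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // The login action itself must stay reachable, or every visitor loops.
        boolean isLogin = LOGIN_PATH.equals(req.getServletPath());

        if (!isLogin && !isAuthenticated(req)) {
            // A reload after logout lands here: no session, so back to the login form.
            res.sendRedirect(req.getContextPath() + LOGIN_PATH);
            return;
        }

        // Protected pages must not be served from the browser cache, otherwise
        // Back shows the old menu without ever reaching this filter.
        res.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        res.setHeader("Pragma", "no-cache");
        res.setDateHeader("Expires", 0);

        chain.doFilter(request, response);
    }

    /**
     * getSession(false) never creates a session. A request arriving after
     * invalidate() therefore sees null and is treated as anonymous.
     */
    static boolean isAuthenticated(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        return session != null && session.getAttribute(USER_INFO) != null;
    }

    /**
     * Logout: drop the whole session instead of setting a flag to false.
     * A LogoutAction would call this and then redirect to a page outside
     * the filter mapping (the thank-you page in the thread).
     */
    static void logout(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }
}
```

Map the filter in web.xml to the Struts action pattern and keep the post-logout page (logout.html / thank_you.html above) outside that mapping, as Jing says; with the cache headers in place the browser re-requests the menu action on Back, the filter finds no session, and the user sees the login form rather than a working menu.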
