struts Dude wrote:

----- Original Message ----- From: "Jason Lea" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
Sent: Sunday, August 29, 2004 11:04 PM
Subject: Re: SecurityFilter Question?

As for populating a User bean into a session once they are authenticated.... I have done this in the past with a filter. I place it after the security filter in the chain of filters. It checks if the user is logged in; if they are and there is no session bean, the filter creates and populates the bean and stores it in the session, ready for any action that needs to use it.

Can't you do this using an Action? Say, accessing /admin/LogAction.do
invokes SecurityFilter, and after authentication by SecurityFilter is passed, go directly to LogAction as below

The problem comes if the user bookmarks a url like /user/abc.do, starts up their browser and goes directly to the protected URL. The security filter will take them to the login form, they submit username/password and the security filter authenticates them. Once they are authenticated they are redirected back to /users/abc.do - they don't pass through LogAction at all. So I normally have a filter that makes sure the bean is in session from wherever they are called.

You don't have to use a filter though, you could make a base action that puts the bean into session and have all your actions sub-class that one.

<action path="/admin/LogAction"
        type="app.LogAction"
        name="logonForm"
        scope="request"
        input="/pages/Logon.jsp"
        parameter="action"
        validate="false">
    <forward name="success" path="/pages/Welcome.jsp"/>
</action>

Within the LogAction class, construct the User bean from logonForm and
add it to session. Is that possible, or are the request parameters from
logonForm lost?

Can you be more specific about how you use a filter right after the security
filter to populate the User bean and put it in Session?

example:

import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class LoginFilter implements Filter {

    public static final String USER_BEAN_KEY = "USER_BEAN_KEY";
    private FilterConfig filterConfig;

    public void init(FilterConfig config) throws ServletException {
        this.filterConfig = config;
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession();

        // This filter is mapped after the security filter, so getUserPrincipal()
        // is non-null once the user has authenticated. Populate the bean only once
        // per session; every later request just falls through to the chain.
        if (null == session.getAttribute(USER_BEAN_KEY)
            && null != request.getUserPrincipal()) {
            session.setAttribute(USER_BEAN_KEY, request.getUserPrincipal());

            // do your post authentication stuff here
            Principal principal = request.getUserPrincipal();
            // ...
        }
        chain.doFilter(req, res);
    }
}

and in the web.xml:

    <!-- filter-mappings are applied in the order listed, so LoginFilter
         runs after Security Filter has had its chance to authenticate -->
    <filter-mapping>
        <filter-name>Security Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
        <filter-name>LoginFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

I am thinking of somehow constructing the User bean in a subclass
of SimpleSecurityRealmBase, then if authentication passes,
store this bean somehow and pass it along to the requested Action
specified in struts-config.xml.

Another idea is to somehow integrate SimpleSecurityRealmBase
into an Action class...

Thanks

In the struts config you can add a role="admin" parameter. It means struts will check that the user has that role before it allows the action to be executed. Can't remember what happens if they are not authenticated - it might throw an exception that you can catch and display an error message?

struts Dude wrote:

Hi Jason,

How do I use a login form that branches out to 2
restricted areas depending on the user's role using
SecurityFilter? i.e.
- if the user has the user role and logs on, give access
to /user/*
- if the user has the admin role and logs on, give access
to /admin/*
The only way I can think of to do this is to
use 2 links to 2 login forms, 1 form for each.

BTW, can I assign roles for each Action in struts-config.xml so that I don't have to
prefix the path attribute of each Action with /user or /admin?

Thanks

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

--
Jason Lea
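The base-action alternative Jason mentions, combined with the single-login-form role branching struts Dude asks about, as an added Java example that is not from this thread or from the SecurityFilter project. It assumes a hypothetical app.User session bean (defined inline), forwards named "admin" and "user" in struts-config.xml, and that SecurityFilter has already authenticated the request so getUserPrincipal() and isUserInRole() are populated.

```java
package app;

import java.io.Serializable;
import java.security.Principal;
import javax.servlet.http.*;
import org.apache.struts.action.*;

/** Base action: subclasses run only after SecurityFilter has authenticated the request. */
public abstract class SecuredBaseAction extends Action {
    public static final String USER_BEAN_KEY = "USER_BEAN_KEY";

    /** Hypothetical session bean; Serializable so session persistence/replication works. */
    public static class User implements Serializable {
        private final String name;
        private final boolean admin;
        public User(String name, boolean admin) { this.name = name; this.admin = admin; }
        public String getName() { return name; }
        public boolean isAdmin() { return admin; }
    }

    public final ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            // SecurityFilter normally redirects before we get here; fail closed if it did not.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return null;
        }
        HttpSession session = request.getSession();
        User user = (User) session.getAttribute(USER_BEAN_KEY);
        // Rebuild the bean when it is missing or belongs to a different principal
        // (a session that outlived a previous login); roles come from the container, not the form.
        if (user == null || !user.getName().equals(principal.getName())) {
            user = new User(principal.getName(), request.isUserInRole("admin"));
            session.setAttribute(USER_BEAN_KEY, user);
        }
        return executeSecured(mapping, form, request, response, user);
    }

    protected abstract ActionForward executeSecured(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response, User user) throws Exception;
}

/** Single login target that branches by role; forwards "admin" and "user" live in struts-config.xml. */
class LogAction extends SecuredBaseAction {
    protected ActionForward executeSecured(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response, User user) {
        return mapping.findForward(user.isAdmin() ? "admin" : "user");
    }
}
```

Because the bean is rebuilt from getUserPrincipal() on every action rather than from logonForm, a bookmarked /user/abc.do that bypasses LogAction still ends up with a correct session bean.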