struts Dude wrote:
Yes, the user principal lives in the session. When the session expires or is invalidated you are logged out. This makes logout buttons easy too, just do session.invalidate() and the user can log in as a new user.
Thanks Jason.
Problem solved. Wooohooo.
Correct me if I am wrong, it looks like I am automatically logged out after login if I do nothing after some time. How do I make the session last for the duration of browser life or till the user logs out explicitly?
You can manually set the session timeout on the session object (I believe), or in your web.xml you can use
<session-config>
<session-timeout>30</session-timeout>
</session-config>
with the number of minutes you want the session to live.
Also found out that I don't need a separate login form for each different user. 1 login form for all users is allowed. duuhh me.
yep
Using the security constraint means you can also protect static html pages too. If you have /admin/abc.html or /admin/abc.jpg these would need the user to be logged in as admin to view them. Whatever is easiest for you. It can be nice to know that anything in /admin/* needs a role of admin to access it, whereas if you forget to add role="admin" to an action you might not notice.
I don't quite see the need to define restricted URL in securityfilter-config.xml as
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin Page</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
if I simply add roles attribute in action mapping of struts-config.xml.
All my restricted action mapping has user roles attribute rather than
using path attribute e.g. path="admin/bla". I hope that is not bad practice.
Also, it looks like there is no way to use client/server side struts validation to convey error message on login form. E.g. password is incorrect.
Yes, sort of. If your securityfilter-config.xml does this:
<form-error-page>/LoginError.do</form-error-page>
Then the LoginError action can put the error messages into the ActionErrors like any action does, then display the login.jsp. login.jsp can display the error messages as you would normally. You won't know whether the password or username were incorrect. So a generic try again message should be ok.
----- Original Message ----- From: "Jason Lea" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
Sent: Tuesday, August 31, 2004 1:06 PM
Subject: Re: SecurityFilter Question?
struts Dude wrote:
You don't have to use a filter though, you could make a base action that puts the bean into session and have all your actions sub-class that one.
Using action to put bean in Session after SecurityFilter, how is that possible when after authentication by SecurityFilter, u taken right back to /user/abc.do where u 1st request it and doesn't pass through to action attribute as specified in action-mapping of struts-config.xml?
you create a base class like
public class BaseAction extends Action {
    public ActionForward execute(...) {
        // ... do stuff that every action needs, e.g. checking for/putting user bean in session
    }
}
Then your other actions do something like this
public class MyFirstAction extends BaseAction {
    public ActionForward execute(...) {
        super.execute(...);
        // ... do whatever your action does
    }
}
This way, the piece of code that you want every action to execute is in one place.
I have tried to use action, after authentication, I am indeed taken back to the page /admin/logon.do or /user/logon.do and got error message in browser:
HTTP Status 400 - Invalid path /admin/Logon was requested
message Invalid path /admin/Logon was requested
description The request sent by the client was syntactically incorrect (Invalid path /admin/Logon was requested).
Is that the url you tried to access or was it something in the securityfilter-config.xml? Whatever it is, it's missing the .do at the end eg /admin/Logon.do. But if it is in the securityfilter-config.xml as a login form then it is wrong, as only administrators can access /admin/*
-------------
My action mapping is struts-conf.xml
Both
<action path="/admin/Logon.do" type="org.apache.struts.actions.ForwardAction" parameter="LogAction.do?action=logon"/>
<action path="/user/Logon.do" type="org.apache.struts.actions.ForwardAction" parameter="LogAction.do?action=logon"/>
<!-- My LogAction extends DispatchAction and will try
to put User bean in session. -->
or
<action path="/admin/Logon.do" type="org.apache.struts.actions.ForwardAction" parameter="Welcome.do"/>
<action path="/user/Logon.do" type="org.apache.struts.actions.ForwardAction" parameter="Welcome.do"/>
won't work.
-----------------------
BTW, how wud u use html:form to display login fields?
I can't get struts tag to work with login fields except for using things like:
<form action="j_security_check" method="POST">
  Username: <input type="text" name="j_username"><p>
  Password: <input type="password" name="j_password"><p>
  <input type="Submit">
</form>
Don't know about html:form - i use something like you have done.
------------------
Ok, using filter (as u said) after SecurityFilter wud solve this simply
I like to stick with pure Struts approach if possible.
Struts is still happy to use filters - it was created before filters existed. It really comes down to what you are happy with and what level of container you want your app to work with.
Thanks
Jason Lea
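
An added example, not part of the original thread: a small audit for the trade-off discussed above, where a /admin/* URL constraint covers everything under it while a per-action roles attribute protects an action only as long as nobody forgets it. The sample action mappings, the `.do` suffix and the function names are assumptions made for illustration; only the /admin/* constraint comes from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (only the /admin/* constraint appears in the thread).
CONSTRAINTS = """<securityfilter-config><security-constraint>
  <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>admin</role-name></auth-constraint>
</security-constraint></securityfilter-config>"""

STRUTS = """<struts-config><action-mappings>
  <action path="/admin/EditUser" type="example.EditUserAction"/>
  <action path="/reports/Export" type="example.ExportAction" roles="admin"/>
  <action path="/reports/Purge" type="example.PurgeAction"/>
  <action path="/Welcome" type="example.WelcomeAction"/>
</action-mappings></struts-config>"""

def url_matches(pattern, url):
    """Servlet-style url-pattern match: exact, '/prefix/*' or '*.ext'."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return url == prefix or url.startswith(prefix + "/")
    if pattern.startswith("*."):
        return url.endswith(pattern[1:])
    return url == pattern

def load_constraints(xml_text):
    """Return [(url_pattern, {role, ...}), ...] from security-constraint elements."""
    out = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        roles = {r.text.strip() for r in sc.iter("role-name")}
        out += [(p.text.strip(), roles) for p in sc.iter("url-pattern")]
    return out

def audit(struts_xml, constraints_xml, suffix=".do"):
    """Classify each action mapping by which guard, if any, covers it."""
    constraints = load_constraints(constraints_xml)
    report = {}
    for action in ET.fromstring(struts_xml).iter("action"):
        path = action.get("path")
        url = path + suffix  # assumption: the ActionServlet is mapped to *.do
        if any(url_matches(p, url) for p, _ in constraints):
            report[path] = "url-constraint"
        elif (action.get("roles") or "").strip():
            report[path] = "roles-only"  # protected only while the attribute stays
        else:
            report[path] = "no-guard"    # public by design, or a forgotten roles=
    return report

if __name__ == "__main__":
    for path, status in audit(STRUTS, CONSTRAINTS).items():
        print(f"{status:15} {path}")
```

Every "no-guard" line is either an intentionally public action or the forgotten-attribute case, so that list is the one to review by hand.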