You'll also want to call some common code from all your Actions that does the same basic check and forwards immediately to your "logon again" page. I do this by means of an ActionHelpers class that has two static methods, start() and finish() that are called, as I'm sure you could guess, at the start and end of all my Actions. They do some common tasks, including this check.
If you want a real solution though, externalize your security using something like Netegrity Siteminder. It will deal with this situation for you, in a theoretically more secure fashion than you could probably do on your own.
Yet another idea is a filter that will check if a session is alive and redirect as appropriate. This I believe can work no matter what your request is to (Action or JSP directly), or any other resource, assuming the app server serves everything.
--
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com
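The filter approach mentioned in the reply above, as an added example (not code posted by anyone in this thread). The class name, the /login.jsp and /login.do paths, and the use of extension mappings (*.do, *.jsp) are assumptions; only the "userID" session attribute comes from the thread.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;              // jakarta.servlet.* on newer containers
import javax.servlet.http.*;

// Map to /* in web.xml so Actions, JSPs and static files all pass through it.
public class SessionCheckFilter implements Filter {

    // Assumed paths, exempt from the check so the login flow itself is reachable.
    private static final String LOGIN_PAGE = "/login.jsp";
    private static final Set<String> PUBLIC_PATHS =
            new HashSet<String>(Arrays.asList(LOGIN_PAGE, "/login.do"));

    public void init(FilterConfig config) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getServletPath() is container-normalized and excludes ";jsessionid=...".
        // Exact match only: prefix or substring tests on the raw URI are a common bypass.
        boolean isPublic = PUBLIC_PATHS.contains(request.getServletPath());

        // getSession(false) never creates a session, so an expired or absent
        // session shows up as null instead of a fresh, empty one.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute("userID") != null;

        if (loggedIn || isPublic) {
            chain.doFilter(req, res);
            return;
        }
        // Fail closed: anything not explicitly public goes to the login page.
        response.sendRedirect(
                response.encodeRedirectURL(request.getContextPath() + LOGIN_PAGE));
    }

    public void destroy() { }
}
```

Static resources the login page needs (stylesheets, images) would have to be added to the public set, since the filter redirects every path that is not listed there.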
David G. Friedman wrote:
I'll suggest option #3:
Hide all JSPs under /WEB-INF/pages (or something like that) so you need actions (or ForwardActions) to internally get to the JSP pages. Then, you can modify the RequestProcessor.processRoles() method to perform your security check for the session scope's userID object or redirect to a login page if no such object (or no session) exists. I've done this myself once or twice. :)
Regards, David
-----Original Message-----
From: Jim Douglas [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 19, 2005 10:40 PM
To: user@struts.apache.org
Subject: Session Strategy
To all,
I have a web application that sets a session attribute with userID and a timeout in the config file that times out after 5 minutes in case the user walks away.
I am trying to figure out the best strategy to deal with cases where the user comes back after 5 minutes and clicks on a button anywhere in the app that requires that attribute that just expired to have a valid value.
Should I,
1> Put code like this in the JSP,
    <c:if test="${empty sessionScope.userID}">
        forward to login page....
    </c:if>
2> Or should I just put all the code in the class files, something like this,
    Integer userID = (Integer) request.getSession().getAttribute("userID");
    if (userID == null) {
        return mapping.findForward("failure");
    }
Or 3> ?? I'm open to suggestions!
Thanks, Jim
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]