Here's the filter I use.  It contains some logging that you can choose to
ignore, and I also set some session attributes that I use for navigation
AFTER the re-login, to get the user back to the page they were on or as
near as possible, given only their first/last name and password.  I also
included the configuration I added to my web.xml file to activate the
filter for all actions beginning with "/secure/".  Then, I added "/secure/"
to all actions that should use the filter.  I did this for all actions
except the following, for which it would have introduced a pretty obvious
logic error: login, register, and an action I use to direct the user back
to the page they were on before the timeout.

Here's the filter 
*******************************************************************************************************



/****************************************************************************
 *
 * This class provides a servlet filter to ensure that each request is coming
 * from an authenticated user.  It also logs each servlet invocation.
 *
 ****************************************************************************/
package schs82;

import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import org.apache.struts.action.*;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import java.text.DateFormat;
import schs82.*;

public final class AuthenticationFilter implements Filter {

    private Log logger;

    public void init(javax.servlet.FilterConfig filterConfig)
                throws javax.servlet.ServletException {

        logger = LogFactory.getLog("SCHS82");
    }

    public void doFilter(javax.servlet.ServletRequest request,
                         javax.servlet.ServletResponse response,
                         javax.servlet.FilterChain filterChain)
                throws java.io.IOException, javax.servlet.ServletException {

        HttpServletRequest  req  = (HttpServletRequest)request;
        HttpServletResponse resp = (HttpServletResponse)response;

        // the login action stores the user's name and password in the session;
        // the current action URI is saved so the user can be sent back to it
        // after a re-login
        HttpSession session = req.getSession();
        String firstName = (String)session.getAttribute("firstName");
        String lastName  = (String)session.getAttribute("lastName");
        String password  = (String)session.getAttribute("password");
        String currentAction = req.getRequestURI();
        session.setAttribute("currentAction", currentAction);
        session.setAttribute("currentActionDisposition", "");
        session.setAttribute("currentActionMessage", "");

        if (logger.isInfoEnabled()) {
            // log each servlet invoked, date/time and user who invoked
            GregorianCalendar calendar = new GregorianCalendar();
            java.util.Date dateTime = calendar.getTime();
            DateFormat format =
                DateFormat.getDateTimeInstance(DateFormat.MEDIUM, DateFormat.LONG);
            String now = format.format(dateTime);

            logger.info(" " + now
                      + " User: " + firstName
                      + " "       + lastName
                      + ", Servlet: " + currentAction);
        }

        if (session.isNew()) {
            // session timed-out: the container had to create a fresh session
            // for this request
            session.setAttribute("currentActionDisposition", "sessionTimeout");
            session.setAttribute("currentActionMessage", "You were inactive" +
                                 " too long, so you must login again! Please" +
                                 " click on the button below to go to the" +
                                 " login page.");

            resp.sendRedirect("/schs82/BuildActionResultViewAction.do");
        }
        else if (firstName == null || lastName == null || password == null) {
            // live session, but the login action never populated it
            if (logger.isInfoEnabled()) {
                logger.info("NON-AUTHENTICATED USER ATTEMPTED TO ACCESS SCHS82 "
                          + "APPLICATION! (Session attributes = Null)");
            }
            session.setAttribute("currentActionDisposition", "systemError");
            session.setAttribute("currentActionMessage", "You have accessed" +
                                 " SCHS82.com in a non-authorized way. Please" +
                                 " click on the button below to go to the" +
                                 " login page.");

            resp.sendRedirect("/schs82/BuildActionResultViewAction.do");
        }
        else {
            //authenticate user: re-check the stored credentials on every request
            User user = new User();
            user.setFirstName(firstName);
            user.setLastName(lastName);
            user.setPassword(password);
            if (user.checkAuthorization()) {
                //user is authentic
                filterChain.doFilter(request, response);
            }
            else {
                //user is NOT authentic
                if (logger.isInfoEnabled()) {
                    logger.info("NON-AUTHENTICATED USER ATTEMPTED TO ACCESS "
                            + "SCHS82 APPLICATION! (Invalid name or password)");
                }
                session.setAttribute("currentActionDisposition", "systemError");
                session.setAttribute("currentActionMessage", "You have accessed" +
                                     " SCHS82.com in a non-authorized way. Please" +
                                     " click on the button below to go to the" +
                                     " login page.");

                resp.sendRedirect("/schs82/BuildActionResultViewAction.do");
            }
        }
    }

    public void destroy() {}
}



And this must be added to web.xml 
*******************************************************************************************************
 
  <filter>
    <filter-name>AuthenticationFilter</filter-name>
    <filter-class>schs82.AuthenticationFilter</filter-class>
  </filter> 
 
  <filter-mapping>
    <filter-name>AuthenticationFilter</filter-name>
    <url-pattern>/secure/*</url-pattern>
  </filter-mapping> 
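A variant of the same /secure/* gate, written here as an added example rather than the poster's code: the session carries only a marker that the login action sets after its own password check, so the password never sits in the session, and a timed-out session is told apart from a first visit by the session id the browser presented. It assumes a login action that stores the user id under `authenticatedUserId` and a login page at `/schs82/login.do` (both assumed names).

```java
package schs82;

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example, not the poster's filter: the same /secure/* gate, but the
// session holds only a marker set by the login action, never the password.
public final class SessionGateFilter implements Filter {

    // Assumed: the login action stores the user's id under USER_KEY after a
    // successful password check and removes it on logout.
    static final String USER_KEY   = "authenticatedUserId";
    static final String RETURN_KEY = "returnTo";
    static final String LOGIN_PAGE = "/schs82/login.do";   // assumed path

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest  req  = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // false: do not create a session just to discover there is none
        HttpSession session = req.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(USER_KEY);
        if (user != null) {
            chain.doFilter(request, response);   // authenticated: pass through
            return;
        }

        // The browser sent a session id the container no longer knows: that is
        // the timeout case; no id at all means the user never logged in.
        boolean timedOut = req.getRequestedSessionId() != null
                        && !req.isRequestedSessionIdValid();
        String reason = timedOut ? "sessionTimeout" : "notLoggedIn";

        // Remember the requested URI (query string included) in a fresh session
        // so the login action can send the user back after they authenticate.
        String target = req.getRequestURI()
            + (req.getQueryString() == null ? "" : "?" + req.getQueryString());
        HttpSession fresh = req.getSession(true);
        fresh.setAttribute(RETURN_KEY, target);
        fresh.setAttribute("currentActionDisposition", reason);

        resp.sendRedirect(resp.encodeRedirectURL(LOGIN_PAGE));
    }
}
```

The return path is taken from `getRequestURI()`, not from a request parameter, so the login action can redirect to it without having to validate it as an external URL.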







Dakota Jack <[EMAIL PROTECTED]>
01/20/2005 09:53 AM
Please respond to "Struts Users Mailing List"

 
        To:     Struts Users Mailing List <user@struts.apache.org>, [EMAIL PROTECTED]
        cc: 
        Subject:        Re: Session Strategy


I am also too lazy to make a filter!  LOL  ;-)  Anyone have one of
these in their toolbox they would like to share?

Jack


On Thu, 20 Jan 2005 12:49:41 +0800, Andrew Hill
<[EMAIL PROTECTED]> wrote:
> I'd support the filter suggestion, though for myself I generally do the
> check in the RequestProcessor, as I've usually overridden it to perform
> other evil anyhow, and I'm lazy to make a filter.
> 
> If you don't keep your JSP under WEB-INF (IMHO that's where they belong
> because they are 'code & config', just like your classes, jars, and
> struts-config.xml and tlds) then you should declare some sort of
> security constraint so they can only be reached by a server side forward
> from their respective preparation action.
> 
> 
> Frank W. Zammetti wrote:
> 
> > If the user clicks a button, you are either going to (a) go directly to
> > a JSP, which is generally not a good idea in a Struts-based application
> > anyway (or any servlet-based application for that matter) or (b) go to
> > an Action, as you probably should be doing.  In either case, choice 1 is
> > what I would do personally.  Putting things under WEB-INF as David
> > suggests works great, but it just feels kind of wrong to me.
> >
> > You'll also want to call some common code from all your Actions that
> > does the same basic check and forwards immediately to your "logon again"
> > page.  I do this by means of an ActionHelpers class that has two static
> > methods, start() and finish() that are called, as I'm sure you could
> > guess, at the start and end of all my Actions.  They do some common
> > tasks, including this check.
> >
> > If you want a real solution though, externalize your security using
> > something like Netegrity Siteminder.  It will deal with this situation
> > for you, in a theoretically more secure fashion than you could probably
> > do on your own.
> >
> > Yet another idea is a filter that will check if a session is alive and
> > redirect as appropriate.  This I believe can work no matter what your
> > request is to (Action or JSP directly), or any other resource, assuming
> > the app server serves everything.
> >
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 


-- 
------------------------------

"You can lead a horse to water but you cannot make it float on its back."

~Dakota Jack~

"You can't wake a person who is pretending to be asleep."

~Native Proverb~

"Each man is good in His sight. It is not necessary for eagles to be 
crows."

~Hunkesni (Sitting Bull), Hunkpapa Sioux~

