You can do this using request.getSession( false ) (false doesn't create
the session) and use the following tag in the web.xml.

<session-config>
<session-timeout>30</session-timeout>
</session-config>
30 is in minutes

You can set the session-timeout also in the web container (see tomcat
documentation).

BR
/Amleto
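As an added example (not code from Amleto's reply, nor the AuthenticationFilter quoted further down in this thread), here is a filter that puts the two ideas in the thread together: it uses request.getSession(false) so a request without a live session is recognised without creating a new one, and it redirects to a login page while remembering the page the user asked for, as the quoted filter does with its "currentAction" attribute. It goes a little beyond the thread in two ways: it keys on a single user attribute set at login instead of keeping the password in the session, and it discards the pre-login session when the login succeeds. The package name, the "authenticatedUser" and "returnTo" attribute names, the /login.do path and the establishLogin helper are assumptions made for this example; the 30-minute limit mirrors the session-config above, and the javax.servlet API matches the era of the thread.

```java
package example; // hypothetical package; the thread's own filter lives in schs82

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Session-expiry filter (added example). A request that carries no live
 * session, or a session with no logged-in user, is redirected to the login
 * page; everything else passes through the chain.
 */
public final class SessionTimeoutFilter implements Filter {

    /** Set by the login action once credentials have been verified (assumed name). */
    public static final String USER_ATTR = "authenticatedUser";
    /** Page to return to after re-login (assumed name). */
    public static final String RETURN_TO_ATTR = "returnTo";
    /** Inactivity limit, matching the 30-minute session-timeout in web.xml. */
    public static final int MAX_INACTIVE_SECONDS = 30 * 60;

    private String loginPath = "/login.do";   // assumed default; override with init-param "loginPath"

    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("loginPath");
        if (configured != null && configured.length() > 0) {
            loginPath = configured;
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // getSession(false) never creates a session: null means the client sent
        // no session id, or the container has already expired the one it sent.
        // This replaces the getSession() + isNew() pair used in the quoted filter.
        HttpSession session = req.getSession(false);

        if (session == null || session.getAttribute(USER_ATTR) == null) {
            // Park the requested page in a fresh session so the login action
            // can send the user back there, then bounce to the login page.
            HttpSession fresh = req.getSession(true);
            fresh.setAttribute(RETURN_TO_ATTR, requestedPath(req));
            resp.sendRedirect(req.getContextPath() + loginPath);
            return;   // never continue the chain for an unauthenticated request
        }

        chain.doFilter(request, response);
    }

    /**
     * To be called by the login action after it has verified the credentials.
     * The pre-login session is discarded so that a session id handed to the
     * browser before authentication is not carried into the logged-in session.
     * Returns the page to go back to, or null if none was recorded.
     */
    public static String establishLogin(HttpServletRequest req, String username) {
        String returnTo = null;
        HttpSession old = req.getSession(false);
        if (old != null) {
            returnTo = (String) old.getAttribute(RETURN_TO_ATTR);
            old.invalidate();
        }
        HttpSession session = req.getSession(true);
        session.setAttribute(USER_ATTR, username);             // identity only, never the password
        session.setMaxInactiveInterval(MAX_INACTIVE_SECONDS);  // programmatic alternative to web.xml
        return returnTo;
    }

    /** Path (plus query string) inside this web application, or null if the URI points elsewhere. */
    static String requestedPath(HttpServletRequest req) {
        String uri = req.getRequestURI();
        // Only record a path inside this application; a protocol-relative
        // "//host/..." form is dropped so the later redirect stays on-site.
        if (uri == null || uri.startsWith("//") || !uri.startsWith(req.getContextPath() + "/")) {
            return null;
        }
        String query = req.getQueryString();
        return query == null ? uri : uri + "?" + query;
    }

    public void destroy() {}
}
```

The filter is mapped in web.xml exactly like the quoted AuthenticationFilter, with only the filter-class changed; the login action itself must stay outside the mapped url-pattern, otherwise it would redirect to itself, which is the "pretty obvious logic error" mentioned later in the thread. After the login action has checked the credentials it calls establishLogin and, if the returned path is non-null, redirects there.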


> -----Original Message-----
> From: Dakota Jack [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 20 January 2005 17.08
> To: Struts Users Mailing List
> Subject: Re: Session Strategy (here's a filter)
> 
> 
> I was looking for a filter that detected sessions that had 
> expired and rerouted the request to a login or other appropriate page.
> 
> Jack
> 
> 
> On Thu, 20 Jan 2005 10:53:09 -0500, 
> [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > Here's the filter I use.  It contains some logging that you can choose
> > to ignore and I also set some session attributes that I use for
> > navigation AFTER the re-login, to get the user back to the page they
> > were on or as near as possible, given only their first/last name and
> > password.  I also included the configuration I added to my web.xml
> > file to activate the filter for all actions beginning with "/secure/".
> > Then, I added "/secure/" to all actions that should use the filter.  I
> > did this for all actions except the following, for which it would have
> > introduced a pretty obvious logic error: login, register, and an
> > action I use to direct the user back to the page they were on before
> > the timeout.
> > 
> > Here's the filter
> > 
> > ***********************************************************************************************
> > 
> > /****************************************************************************
> >  *
> >  * This class provides a servlet filter to ensure that each request is coming from
> >  * an authenticated user.  It also logs each servlet invocation.
> >  *
> >  ****************************************************************************/
> > package schs82;
> > 
> > import java.util.*;
> > import javax.servlet.*;
> > import javax.servlet.http.*;
> > import org.apache.struts.action.*;
> > import org.apache.commons.logging.Log;
> > import org.apache.commons.logging.LogFactory;
> > import java.text.DateFormat;
> > import schs82.*;
> > 
> > public final class AuthenticationFilter implements Filter {
> > 
> >     private Log logger;
> > 
> >     public void init(javax.servlet.FilterConfig filterConfig)
> >                 throws javax.servlet.ServletException {
> > 
> >         logger = LogFactory.getLog("SCHS82");
> >     }
> > 
> >     public void doFilter(javax.servlet.ServletRequest request,
> >                          javax.servlet.ServletResponse response,
> >                          javax.servlet.FilterChain filterChain)
> >                 throws java.io.IOException, javax.servlet.ServletException {
> > 
> >         HttpServletRequest  req  = (HttpServletRequest)request;
> >         HttpServletResponse resp = (HttpServletResponse)response;
> > 
> >         HttpSession session = req.getSession();
> >         String firstName = (String)session.getAttribute("firstName");
> >         String lastName  = (String)session.getAttribute("lastName");
> >         String password  = (String)session.getAttribute("password");
> >         String currentAction = req.getRequestURI();
> >         session.setAttribute("currentAction", currentAction);
> >         session.setAttribute("currentActionDisposition", "");
> >         session.setAttribute("currentActionMessage", "");
> > 
> >         if (logger.isInfoEnabled()) {
> >             // log each servlet invoked, date/time and user who invoked
> >             GregorianCalendar calendar = new GregorianCalendar();
> >             java.util.Date dateTime = calendar.getTime();
> >             DateFormat format =
> >                 DateFormat.getDateTimeInstance(DateFormat.MEDIUM, DateFormat.LONG);
> >             String now = format.format(dateTime);
> > 
> >             logger.info(" " + now
> >                       + " User: " + firstName
> >                       + " "       + lastName
> >                       + ", Servlet: " + currentAction);
> >         }
> > 
> >         if (session.isNew()) {
> >             // session timed-out
> >             session.setAttribute("currentActionDisposition", "sessionTimeout");
> >             session.setAttribute("currentActionMessage", "You were inactive" +
> >                                  " too long, so you must login again! Please" +
> >                                  " click on the button below to go to the" +
> >                                  " login page.");
> > 
> >             resp.sendRedirect("/schs82/BuildActionResultViewAction.do");
> >         }
> >         else if (firstName == null || lastName == null || password == null) {
> >             if (logger.isInfoEnabled()) {
> >                 logger.info("NON-AUTHENTICATED USER ATTEMPTED TO ACCESS SCHS82 "
> >                           + "APPLICATION! (Session attributes = Null)");
> >             }
> >             session.setAttribute("currentActionDisposition", "systemError");
> >             session.setAttribute("currentActionMessage", "You have accessed" +
> >                                  " SCHS82.com in a non-authorized way. Please" +
> >                                  " click on the button below to go to the" +
> >                                  " login page.");
> > 
> >             resp.sendRedirect("/schs82/BuildActionResultViewAction.do");
> >         }
> >         else {
> >             //authenticate user
> >             User user = new User();
> >             user.setFirstName(firstName);
> >             user.setLastName(lastName);
> >             user.setPassword(password);
> >             if (user.checkAuthorization()) {
> >                 //user is authentic
> >                 filterChain.doFilter(request, response);
> >             }
> >             else {
> >                 //user is NOT authentic
> >                 if (logger.isInfoEnabled()) {
> >                     logger.info("NON-AUTHENTICATED USER ATTEMPTED TO ACCESS "
> >                             + "SCHS82 APPLICATION! (Invalid name or password)");
> >                 }
> >                 session.setAttribute("currentActionDisposition", "systemError");
> >                 session.setAttribute("currentActionMessage", "You have accessed" +
> >                                      " SCHS82.com in a non-authorized way. Please" +
> >                                      " click on the button below to go to the" +
> >                                      " login page.");
> > 
> >                 resp.sendRedirect("/schs82/BuildActionResultViewAction.do");
> >             }
> >         }
> >     }
> > 
> >     public void destroy() {}
> > }
> > 
> > And this must be added to web.xml
> > 
> > ***********************************************************************************************
> > 
> >   <filter>
> >     <filter-name>AuthenticationFilter</filter-name>
> >     <filter-class>schs82.AuthenticationFilter</filter-class>
> >   </filter>
> > 
> >   <filter-mapping>
> >     <filter-name>AuthenticationFilter</filter-name>
> >     <url-pattern>/secure/*</url-pattern>
> >   </filter-mapping>
> > 
> > Dakota Jack <[EMAIL PROTECTED]>
> > 01/20/2005 09:53 AM
> > Please respond to "Struts Users Mailing List"
> > 
> >         To:     Struts Users Mailing List <user@struts.apache.org>,
> > [EMAIL PROTECTED]
> >         cc:
> >         Subject:        Re: Session Strategy
> > 
> > I am also too lazy to make a filter!  LOL  ;-)  Anyone have one of 
> > these in their toolbox they would like to share?
> > 
> > Jack
> > 
> > On Thu, 20 Jan 2005 12:49:41 +0800, Andrew Hill 
> > <[EMAIL PROTECTED]> wrote:
> > > I'd support the filter suggestion, though for myself I generally do
> > > the check in the RequestProcessor, as I've usually overridden it to
> > > perform other evil anyhow, and I'm lazy to make a filter.
> > >
> > > If you don't keep your JSP under WEB-INF (IMHO that's where they
> > > belong because they are 'code & config', just like your
> > > classes, jars, and struts-config.xml and tlds) then you should
> > > declare some sort of security constraint so they can only be reached
> > > by a server side forward from their respective preparation action.
> > >
> > >
> > > Frank W. Zammetti wrote:
> > >
> > > > If the user clicks a button, you are either going to (a) go directly to
> > > > a JSP, which is generally not a good idea in a Struts-based application
> > > > anyway (or any servlet-based application for that matter) or (b) go to
> > > > an Action, as you probably should be doing.  In either case, choice 1 is
> > > > what I would do personally.  Putting things under WEB-INF as David
> > > > suggests works great, but it just feels kind of wrong to me.
> > > >
> > > > You'll also want to call some common code from all your Actions
> > > > that does the same basic check and forwards immediately to your "logon
> > > > again" page.  I do this by means of an ActionHelpers class that has two
> > > > static methods, start() and finish() that are called, as I'm sure you
> > > > could guess, at the start and end of all my Actions.  They do some
> > > > common tasks, including this check.
> > > >
> > > > If you want a real solution though, externalize your security
> > > > using something like Netegrity Siteminder.  It will deal with this
> > > > situation for you, in a theoretically more secure fashion than you
> > > > could probably do on your own.
> > > >
> > > > Yet another idea is a filter that will check if a session is alive
> > > > and redirect as appropriate.  This I believe can work no matter
> > > > what your request is to (Action or JSP directly), or any other
> > > > resource, assuming the app server serves everything.
> > > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> > >
> > >
> > 
> > --
> > ------------------------------
> > 
> > "You can lead a horse to water but you cannot make it float on its back."
> > 
> > ~Dakota Jack~
> > 
> > "You can't wake a person who is pretending to be asleep."
> > 
> > ~Native Proverb~
> > 
> > "Each man is good in His sight. It is not necessary for eagles to be crows."
> > 
> > ~Hunkesni (Sitting Bull), Hunkpapa Sioux~
> > 
> > -----------------------------------------------
> > 
> > "This message may contain confidential and/or privileged information.
> > If you are not the addressee or authorized to receive this for the
> > addressee, you must not use, copy, disclose, or take any action based
> > on this message or any information herein. If you have received this
> > message in error, please advise the sender immediately by reply e-mail
> > and delete this message. Thank you for your cooperation."
> > 
> > 
> > 
> > 
> 
> 
> 
> -- 
> No virus found in this incoming message.
> Checked by AVG Anti-Virus.
> Version: 7.0.300 / Virus Database: 265.7.0 - Release Date: 17/01/2005
>  
> 


