I was interested, again, in a filter.

Jack

On Thu, 20 Jan 2005 14:41:32 -0500, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Dakota Jack wrote:
> I was looking for a filter that detected sessions that had expired and
> rerouted the request to a login or other appropriate page.
>
> --------------------------------------------
>
> That's what this does, specifically the following section of code:
>
> > if (session.isNew()) {
> >     // session timed-out
> >     session.setAttribute("currentActionDisposition", "sessionTimeout");
> >     session.setAttribute("currentActionMessage", "You were inactive"
> >         + " too long, so you must login again! Please"
> >         + " click on the button below to go to the"
> >         + " login page.");
> >
> >     resp.sendRedirect("/schs82/BuildActionResultViewAction.do");
>
> Dakota Jack <[EMAIL PROTECTED]>
> 01/20/2005 11:07 AM
> Please respond to "Struts Users Mailing List"
>
> To: Struts Users Mailing List <user@struts.apache.org>
> cc:
> Subject: Re: Session Strategy (here's a filter)
>
>
> I was looking for a filter that detected sessions that had expired and
> rerouted the request to a login or other appropriate page.
>
> Jack
>
> On Thu, 20 Jan 2005 10:53:09 -0500, [EMAIL PROTECTED]
> <[EMAIL PROTECTED]> wrote:
> > Here's the filter I use. It contains some logging that you can choose to
> > ignore and I also set some session attributes that I use for navigation
> > AFTER the re-login, to get the user back to the page they were on or as
> > near as possible, given only their first/last name and password. I also
> > included the configuration I added to my web.xml file to activate the
> > filter for all actions beginning with "/secure/". Then, I added "/secure/"
> > to all actions that should use the filter. I did this for all actions
> > except the following, for which it would have introduced a pretty obvious
> > logic error: login, register, and an action I use to direct the user back
> > to the page they were on before the timeout.
> >
> > Here's the filter
> > *******************************************************************************************************
> >
> > /****************************************************************************
> > *
> > * This class provides a servlet filter to ensure that each request is coming
> > * from an authenticated user. It also logs each servlet invocation.
> > *
> > ****************************************************************************/
> > package schs82;
> >
> > import java.util.*;
> > import javax.servlet.*;
> > import javax.servlet.http.*;
> > import org.apache.struts.action.*;
> > import org.apache.commons.logging.Log;
> > import org.apache.commons.logging.LogFactory;
> > import java.text.DateFormat;
> > import schs82.*;
> >
> > public final class AuthenticationFilter implements Filter {
> >
> >     private Log logger;
> >
> >     public void init(javax.servlet.FilterConfig filterConfig)
> >             throws javax.servlet.ServletException {
> >
> >         logger = LogFactory.getLog("SCHS82");
> >     }
> >
> >     public void doFilter(javax.servlet.ServletRequest request,
> >                          javax.servlet.ServletResponse response,
> >                          javax.servlet.FilterChain filterChain)
> >             throws java.io.IOException, javax.servlet.ServletException
> >     {
> >
> >         HttpServletRequest req = (HttpServletRequest)request;
> >         HttpServletResponse resp = (HttpServletResponse)response;
> >
> >         HttpSession session = req.getSession();
> >         String firstName = (String)session.getAttribute("firstName");
> >         String lastName = (String)session.getAttribute("lastName");
> >         String password = (String)session.getAttribute("password");
> >         String currentAction = req.getRequestURI();
> >         session.setAttribute("currentAction", currentAction);
> >         session.setAttribute("currentActionDisposition", "");
> >         session.setAttribute("currentActionMessage", "");
> >
> >         if (logger.isInfoEnabled()) {
> >             // log each servlet invoked, date/time and user who invoked
> >             GregorianCalendar calendar = new GregorianCalendar();
> >             java.util.Date dateTime = calendar.getTime();
> >             DateFormat format =
> >                 DateFormat.getDateTimeInstance(DateFormat.MEDIUM, DateFormat.LONG);
> >             String now = format.format(dateTime);
> >
> >             logger.info(" " + now
> >                 + " User: " + firstName
> >                 + " " + lastName
> >                 + ", Servlet: " + currentAction);
> >         }
> >
> >         if (session.isNew()) {
> >             // session timed-out
> >             session.setAttribute("currentActionDisposition", "sessionTimeout");
> >             session.setAttribute("currentActionMessage", "You were inactive"
> >                 + " too long, so you must login again! Please"
> >                 + " click on the button below to go to the"
> >                 + " login page.");
> >
> >             resp.sendRedirect("/schs82/BuildActionResultViewAction.do");
> >         }
> >         else if (firstName == null || lastName == null || password == null) {
> >             if (logger.isInfoEnabled()) {
> >                 logger.info("NON-AUTHENTICATED USER ATTEMPTED TO ACCESS SCHS82 "
> >                     + "APPLICATION! (Session attributes = Null)");
> >             }
> >             session.setAttribute("currentActionDisposition", "systemError");
> >             session.setAttribute("currentActionMessage", "You have accessed"
> >                 + " SCHS82.com in a non-authorized way. Please"
> >                 + " click on the button below to go to the"
> >                 + " login page.");
> >
> >             resp.sendRedirect("/schs82/BuildActionResultViewAction.do");
> >         }
> >         else {
> >             //authenticate user
> >             User user = new User();
> >             user.setFirstName(firstName);
> >             user.setLastName(lastName);
> >             user.setPassword(password);
> >             if (user.checkAuthorization()) {
> >                 //user is authentic
> >                 filterChain.doFilter(request, response);
> >             }
> >             else {
> >                 //user is NOT authentic
> >                 if (logger.isInfoEnabled()) {
> >                     logger.info("NON-AUTHENTICATED USER ATTEMPTED TO ACCESS "
> >                         + "SCHS82 APPLICATION! (Invalid name or password)");
> >                 }
> >                 session.setAttribute("currentActionDisposition", "systemError");
> >                 session.setAttribute("currentActionMessage", "You have accessed"
> >                     + " SCHS82.com in a non-authorized way. Please"
> >                     + " click on the button below to go to the"
> >                     + " login page.");
> >
> >                 resp.sendRedirect("/schs82/BuildActionResultViewAction.do");
> >             }
> >         }
> >     }
> >
> >     public void destroy() {}
> > }
> >
> > And this must be added to web.xml
> > *******************************************************************************************************
> >
> > <filter>
> >     <filter-name>AuthenticationFilter</filter-name>
> >     <filter-class>schs82.AuthenticationFilter</filter-class>
> > </filter>
> >
> > <filter-mapping>
> >     <filter-name>AuthenticationFilter</filter-name>
> >     <url-pattern>/secure/*</url-pattern>
> > </filter-mapping>
> >
> > Dakota Jack <[EMAIL PROTECTED]>
> > 01/20/2005 09:53 AM
> > Please respond to "Struts Users Mailing List"
> >
> > To: Struts Users Mailing List <user@struts.apache.org>,
> > [EMAIL PROTECTED]
> > cc:
> > Subject: Re: Session Strategy
> >
> > I am also too lazy to make a filter! LOL ;-) Anyone have one of
> > these in their toolbox they would like to share?
> >
> > Jack
> >
> > On Thu, 20 Jan 2005 12:49:41 +0800, Andrew Hill
> > <[EMAIL PROTECTED]> wrote:
> > > I'd support the filter suggestion, though for myself I generally do the
> > > check in the RequestProcessor, as I've usually overridden it to perform
> > > other evil anyhow, and I'm lazy to make a filter.
> > >
> > > If you don't keep your JSP under WEB-INF (IMHO that's where they belong
> > > because they are 'code & config', just like your classes, jars, and
> > > struts-config.xml and tlds) then you should declare some sort of
> > > security constraint so they can only be reached by a server side forward
> > > from their respective preparation action.
> > >
> > >
> > > Frank W. Zammetti wrote:
> > >
> > > > If the user clicks a button, you are either going to (a) go directly to
> > > > a JSP, which is generally not a good idea in a Struts-based application
> > > > anyway (or any servlet-based application for that matter) or (b) go to
> > > > an Action, as you probably should be doing. In either case, choice 1 is
> > > > what I would do personally. Putting things under WEB-INF as David
> > > > suggests works great, but it just feels kind of wrong to me.
> > > >
> > > > You'll also want to call some common code from all your Actions that
> > > > does the same basic check and forwards immediately to your "logon again"
> > > > page. I do this by means of an ActionHelpers class that has two static
> > > > methods, start() and finish(), that are called, as I'm sure you could
> > > > guess, at the start and end of all my Actions. They do some common
> > > > tasks, including this check.
> > > >
> > > > If you want a real solution though, externalize your security using
> > > > something like Netegrity Siteminder. It will deal with this situation
> > > > for you, in a theoretically more secure fashion than you could probably
> > > > do on your own.
> > > >
> > > > Yet another idea is a filter that will check if a session is alive and
> > > > redirect as appropriate. This I believe can work no matter what your
> > > > request is to (Action or JSP directly), or any other resource, assuming
> > > > the app server serves everything.
> > > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> > >
> >
> > --
> > ------------------------------
> >
> > "You can lead a horse to water but you cannot make it float on its back."
> >
> > ~Dakota Jack~
> >
> > "You can't wake a person who is pretending to be asleep."
> >
> > ~Native Proverb~
> >
> > "Each man is good in His sight. It is not necessary for eagles to be
> > crows."
> >
> > ~Hunkesni (Sitting Bull), Hunkpapa Sioux~
> >
> > -----------------------------------------------
> >
> > "This message may contain confidential and/or privileged information.
> > If you are not the addressee or authorized to receive this for the
> > addressee, you must not use, copy, disclose, or take any action based
> > on this message or any information herein. If you have received this
> > message in error, please advise the sender immediately by reply e-mail
> > and delete this message. Thank you for your cooperation."
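An added example for readers of this thread, written for this page and not taken from any of the posters: a filter mapped to /secure/* like the one above, but built the way a reviewer would ask for. It distinguishes a session that has actually expired (the browser sent a session id the container no longer recognises) from a visitor who never logged in, which session.isNew() alone cannot do because it is true in both cases; it never creates a session just to discover the caller has none; it keys the authenticated state off one attribute that the login action sets, instead of re-checking a password kept in the session on every request; and it logs the refused request without credentials. The package name `example`, the login path `/login.do`, and the attribute names `authenticatedUser`, `returnTo` and `disposition` are assumptions made here, as is the login action that sets and reads them.

```java
package example; // hypothetical package for this example, not the poster's schs82

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Example only. Map it in web.xml exactly like the thread's filter:
 * <url-pattern>/secure/*</url-pattern>. Requests outside /secure/ (login,
 * register, the "return to previous page" action) are never touched.
 */
public final class SessionGuardFilter implements Filter {

    /** Set by the (assumed) login action once credentials have been verified. */
    static final String AUTH_USER = "authenticatedUser";
    /** Assumed login page; the redirect target is built from the context path, never from input. */
    static final String LOGIN_PATH = "/login.do";
    /** Server-relative URI the user was trying to reach, for the login action's post-login return. */
    static final String RETURN_TO = "returnTo";

    private ServletContext ctx;

    public void init(FilterConfig filterConfig) throws ServletException {
        // Servlet 2.x friendly: keep the context from init rather than asking the request for it
        ctx = filterConfig.getServletContext();
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // false: do not mint a session merely to learn that the caller has none
        HttpSession session = req.getSession(false);
        String reason = classify(req, session);

        if (reason == null) {
            chain.doFilter(request, response); // authenticated: let the action run
            return;
        }

        // Log what was refused and why; URI, method and address are enough to investigate,
        // and no name or password goes into the log.
        ctx.log("access refused (" + reason + "): " + req.getMethod() + " "
                + req.getRequestURI() + " from " + req.getRemoteAddr());

        // Remember the destination so the login action can send the user back.
        // Only the request URI (a path on this server) is stored, so a crafted request
        // cannot turn the post-login redirect into an off-site one.
        HttpSession fresh = req.getSession(true);
        fresh.setAttribute(RETURN_TO, req.getRequestURI());
        fresh.setAttribute("disposition", reason);

        resp.sendRedirect(req.getContextPath() + LOGIN_PATH);
        // no chain.doFilter after the redirect: the protected action must not run
    }

    /**
     * Returns null when the request is authenticated, otherwise why it is not:
     * "sessionTimeout" when the client presented a session id the container no longer
     * knows (expired or invalidated), "notLoggedIn" when it presented none or a live
     * session without the login marker. isNew() would report true for both cases.
     */
    static String classify(HttpServletRequest req, HttpSession session) {
        if (session != null && session.getAttribute(AUTH_USER) != null) {
            return null;
        }
        if (req.getRequestedSessionId() != null && !req.isRequestedSessionIdValid()) {
            return "sessionTimeout";
        }
        return "notLoggedIn";
    }

    public void destroy() { }
}
```

The login action in this arrangement does two things the filter relies on: after verifying the credentials it calls session.setAttribute("authenticatedUser", ...) (a user id or principal object, not the password), and on success it reads "returnTo" from the session and forwards there, falling back to a default page when the attribute is absent. Calling session.invalidate() before setting the marker, so that the login gets a fresh session id, is the usual companion to this filter.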