Gunther,

Is there a reason you didn't do this using a servlet filter instead of a custom request processor? IMO, servlet filters are less intrusive, support filtering for JSPs and static pages as well as Struts actions, and it's easier to selectively apply them using URL patterns.

Also, I noticed that you overrode the "process" method, calling super.process() at the end. I think it would have been better to override processPreprocess() -- that's what it's designed for.

-Bill Siggelkow

On 2005-03-02 09:52:49 -0500, Günther Wieser <[EMAIL PROTECTED]> said:

hi scott,

well, i'll try my best.
here's the code from the execute method of MyRequestProcessor (that's the
one included in the struts-config.xml):

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts.tiles.TilesRequestProcessor;

public class MyRequestProcessor extends TilesRequestProcessor {

        public void process(HttpServletRequest req, HttpServletResponse res)
                        throws IOException, ServletException {
                HttpSession session = req.getSession();
                String path = super.processPath(req, res);
                String url = req.getRequestURL().toString();
                String queryString = req.getQueryString();
                // the next lines are there to allow deep linking
                // we store the url that has been requested for future use
                if ((queryString != null) && (!"".equals(queryString))) {
                        url = url + "?" + queryString;
                }
                if (session.getAttribute(Constants.SESSION_LOGIN_REFER_KEY) == null) {
                        if (url != null) {
                                session.setAttribute(Constants.SESSION_LOGIN_REFER_KEY, url);
                        }
                        else {
                                //TODO: get main URL from property
                                session.setAttribute(Constants.SESSION_LOGIN_REFER_KEY,
                                                "http://localhost:8080/WebCreator/index.do");
                        }
                }
                // now comes the important stuff
                if (!checkForRealm(session)) {
                        if (!"/login".equals(path)) {
                                super.doForward("/login.do", req, res);
                                // stop here: without this return the originally
                                // requested action would still be processed below
                                return;
                        }
                }
                super.process(req, res);
        }

        // returns true if the session carries the "user is logged in" attribute
        protected boolean checkForRealm(HttpSession session)
                        throws ServletException, IOException {
                if (session.getAttribute(Constants.SESSION_USER_KEY) != null) {
                        return true;
                }
                else {
                        return false;
                }
        }
}

so what it does is:
- get the current requested url for further reference and stores it in the
session if an attribute with the same key does not exist (see "deep linking"
below)
- then it checks the session for the realm (that is the attribute that you
use to say "the user is logged in")
- if it does not exist and if the request didn't go to /login.do, it
forwards the request to the action /login.do (which is a simple html with
username/password field)
- if it exists it redirects to the super class to process the request as
usual
- you need to implement the checkRealm() method with whatever you need to
check, my example is really simple but very common

with extending TileRequestProcessor (don't care that i extend
TilesRequestProcessor, you can extend the standard request processor the
same way) and adding the lines in struts-config.xml, each request that hits
the struts action servlet will go through MyRequestProcessor BEFORE the
typical struts tasks (action, form beans filling, etc) start. so this is the
right place to check security, authorization and authentication.

regarding "deep linking": i want my customers to be able to store a bookmark
that points deep into the system. when they request this bookmark, they of
course need to login first. so i store the requested url in the session, and
if the login is successful, i send a redirect to the browser to display the
page the user requested with his bookmark.
this is done by sending a meta refresh command in the head of the resulting
"login ok" page, with the url containing the session attribute that has been
stored with "session.setAttribute(Constants.SESSION_LOGIN_REFER_KEY, url)"

hope that helps, feel free to ask more if something is unclear.

kr,
guenther



