Craig will blame me for not using Filters (they would do the job too), but I'd
say "yes":
Create a "BaseAction" that all your actions extend, with:

    public ActionForward execute(
            ActionMapping mapping,
            ActionForm bean,
            HttpServletRequest req,
            HttpServletResponse res)
            throws Exception {
        // Gate the request before any action-specific code runs.
        if (isAuthorizationRequired()) {
            boolean authorized = checkAuthorization(req);
            if (!authorized) {
                // Not logged in: redirect to the login action and stop here.
                String redUrl =
                    req.getContextPath() + "your_login_action_path";
                res.sendRedirect(redUrl);
                return null;
            }
        }
        ActionForward forward = doExecute(mapping, bean, req, res);
        return forward;
    }

    // Actions that must be protected return true here.
    protected abstract boolean isAuthorizationRequired();

    // Action-specific logic goes here instead of in execute().
    public abstract ActionForward doExecute(
            ActionMapping mapping,
            ActionForm af,
            HttpServletRequest req,
            HttpServletResponse res)
            throws Exception;

Now, in the actions you want to protect, overwrite authorizationRequired,
returning true.
And implement the checkAuthorization method; a good strategy is to put
something in the session on login and
check if it's there (userId, for example, fits perfectly); on logout, simply
remove this attribute again.
I would also recommend providing overwritable init/deInit actions and
common error handling.
Implement your code in doExecute.
You may make execute final, but sometimes you will want to overwrite this as
well.
Regards
Leon
> -----Original Message-----
> From: David Johnson [mailto:[EMAIL PROTECTED]
> Sent: Monday, 7 March 2005 22:44
> To: Struts Users Mailing List
> Subject: session.invaludate(); not working in LogoffAction
>
> Hi all,
>
> I have a logoff action, and inside it I do the following.
>
> // Clean up the session if there is one
> HttpSession session = request.getSession();
> session.invalidate();
>
> When I watch what's happening in the manager application (I'm using
> Tomcat) the number of sessions does not decrease, and I can
> back up in the browser and call actions, all of which have
> code to check for a valid session.
>
> This raises a question: what's the best way in my web-app to
> make sure the user is valid? Should I check in **every** action?
>
> --
> -Dave
> [EMAIL PROTECTED]
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
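
The session-marker strategy described in the reply above (set an attribute on login, test it in checkAuthorization, drop it on logout), written out as an added example that is not code from either poster. The class name SessionAuth and the attribute key are assumptions; it needs only the servlet API and goes one step further than the thread by renewing the session at login.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper; the name and the attribute key are not from the thread. */
public final class SessionAuth {
    // Session attribute that marks a logged-in user (assumed key name).
    private static final String USER_ID_KEY = "userId";

    private SessionAuth() { }

    /** Call from the login action after the credentials have been verified. */
    public static void login(HttpServletRequest req, String userId) {
        // Drop any pre-login session so the authenticated session gets a fresh id.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        req.getSession(true).setAttribute(USER_ID_KEY, userId);
    }

    /** Suitable as the body of BaseAction.checkAuthorization(req). */
    public static boolean isAuthorized(HttpServletRequest req) {
        // getSession(false) never creates a session, so anonymous requests
        // do not leave empty sessions behind on the server.
        HttpSession session = req.getSession(false);
        if (session == null) {
            return false;
        }
        try {
            return session.getAttribute(USER_ID_KEY) != null;
        } catch (IllegalStateException alreadyInvalidated) {
            // The session was invalidated earlier in this request.
            return false;
        }
    }

    /** Call from the logoff action. */
    public static void logout(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.removeAttribute(USER_ID_KEY);
            session.invalidate();
        }
    }
}
```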