We have a similar system of application security. What we do is create session 
scoped user object in our spring application.xml, then use a servlet filter to 
see if the user is there. The servlet filter redirects to login.action if the 
user is attempting to access a protected resource. Here are some snippets...

Application.xml

    <bean id="user" class="com.company.entities.User" scope="session" />

User.java
 ..
  Just a standard user kind of thing.. username, password, first, last, etc. 

Login.java (mapped to /login.action)
  /**
   * Check the passed in username and password. If a user exists then forward
   * based on role, otherwise forward to the error (login) page.
   */
  public String executeAction() throws Exception {
    if ((this.getUser() == null || this.getUser().getUsername() == null) && 
(userName != null && userName.trim().length() > 0 && password != null && 
password.trim().length() > 0)) {
      User u = loginFacade.login(this.userName, this.password);
      if (u != null && u.getEnabled()) {
        this.getUser().setEnabled(u.getEnabled());
        this.getUser().setEmail(u.getEmail());
        this.getUser().setExternallyDefined(u.getExternallyDefined());
        this.getUser().setFullName(u.getFullName());
        this.getUser().setId(u.getId());
        this.getUser().setPassword(u.getPassword());
        this.getUser().setUsername(u.getUsername());
        this.getUser().setRoles(u.getRoles());
      }
      else {
        // If we haven't found you then you are not a user.
        return ERROR;
      }
    }
    .. we do our role based stuff here...
}

The important thing to note is that we populate the user instead of trying to 
do a session.setAttribute...

UserAwareBaseAction.java - All actions extend this so they have access to the 
user. In our case we only have a couple pages that are not protected and don't 
need to extend this. In general we still extend it so that executeAction() 
becomes the method to implement instead of execute().
    
public abstract class UserAwareBaseAction extends ActionSupport {

  private User     user;
  protected String SUCCESS = "success";
  protected String FAILURE = "failure";
  protected String ERROR   = "error";

  public User getUser() {
    return user;
  }

  public void setUser(User user) {
    this.user = user;
  }

  /**
   * 
   * Delegate to executeAction since this is an abstract class.
   * 
   */
  public String execute() throws Exception {
    // if(getUser() == null || getUser().getUsername() == null) {
    // return "loginPage";
    // }
    return executeAction();
  }

  public abstract String executeAction() throws Exception;
}

ServletFilter...

  public void doFilter(ServletRequest request, ServletResponse response, 
FilterChain chain) throws IOException, ServletException {
    HttpServletRequest req = (HttpServletRequest) request;
    User user = (User) req.getSession(true).getAttribute("user");
    String uri = req.getRequestURI();
    if (isProtectedUri(uri) && (user == null || user.getUserName() == null)) {
      ((HttpServletResponse) response).sendRedirect("login.action");
    }
    else {
      chain.doFilter(request, response);
    }
  }

  public void doFilter(ServletRequest request, ServletResponse response, 
FilterChain chain) throws IOException, ServletException {
    HttpServletRequest req = (HttpServletRequest) request;
    User user = (User) req.getSession(true).getAttribute("user");
    String uri = req.getRequestURI();
    if (isProtectedUri(uri) && user == null) {
      ((HttpServletResponse) response).sendRedirect("login.action");
    }
    else {
      chain.doFilter(request, response);
    }
  }

/**
 * We could do this differently but since we only have a couple of pages
 *  unprotected it is just as easy to do it with the if. Really this should 
 *  query a db, or properties file or the like to get unprotected resources.
 *
 */
  private boolean isProtectedUri(String uri) {
    if (uri.contains(".css") || uri.contains(".js") || 
uri.contains("login.action") || ... ) {
      return false;
    }
    return true;
  }
}

Logout.java - this is how we log someone out 
public class LogoutAction extends UserAwareBaseAction {

  /**
   * Since user is a session variable simply clear out the pertinent info and
   * the filter will force a new login.
   */
  public String executeAction() throws Exception {
    try {
      this.getUser().setUsername(null);
    }
    catch (Exception e) {
      return ERROR;
    }
    return SUCCESS;
  }
}

Only thing to note is that we set the username to null - we can't remove the 
user from the session since it is a spring session scoped bean. Setting the 
username to null makes sure the next request for a protected page fails. 


HTH

Allen Fogleson 

-----Original Message-----
From: shekher awasthi [mailto:shekher.awas...@gmail.com] 
Sent: Monday, December 15, 2008 3:55 AM
To: Struts Users Mailing List
Subject: Application based Security

Hi All,

We are developing an application based on Struts2 framework. We are on way
to develop application based security so that the unauthorized user can not
access the secure area,it needs the request to be from the authorized
person.We can have the Below mentioed approach

1) For Secure area the user must be logged in to the ysystem and have
authorization for accessing that
2) For every request coming to the secured region, we need to put the check
if the user is a valid one or not.

We cab think of the functionality which checks for the icoming request for
its authentication and permits only authenticated request.

I need your suggestion about the approach we can follow in struts2 so that
we can achieve the above mentioed points and also maintenance and enterprise
integration will be area of concern.

IF any one have worked or working on similar area pleaes share his/her view
how to achieve that here in struts2

Thanks in advance
shekher

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org

Reply via email to