From: "Alex Shneyderman"
To: "'Struts Users Mailing List'"
Subject: RE: Looking for ideas for action servlet checking for logged in user.
Date: Wed, 25 Jun 2003 07:33:04 -0400
Message-ID: <000601c33b0d$8ce35c30$d15efea9@law.columbia.edu>

> I have a webapp which has several pages which require the user to be
> logged in (have an httpSession with a "usercontainer" object stored), and a
> few pages that don't require a log in (the log-in page, references,
> indexes...). All pages are fronted by actions.
> My current solution is to check for valid login in every action class that
> needs to protect its invocation. That seems tedious. I thought about
> extending the action servlet to do it, but then it would check for all
> requests.
> And I do want to distinguish between if the user is
> authorized (isUserInRole) and if he/she is even logged in, so I can't use
> the role parameter in the action element.
>
> My next idea is extending the action servlet plus adding parameters that
> can go into the action element in the struts-config.xml file.
> (some thing like usersession="true"> )
> This would require my action servlet to know about my userContainer stored
> in the httpsession. Plus modifying the struts-config file.
> I haven't looked into how hard this is, figure I'd ask someone who's run
> into this before.
>
> Any other good approaches, or should I just stick with what I got? (check
> individually in every action)

You do not have to check individually every action, I think.
The way I do my authentication/authorization is through extending Action, so I
have something like:

    import javax.servlet.http.*;
    import org.apache.struts.action.*;

    public abstract class ProtectedAction extends Action {
        // Default check; override for an action that needs different logic.
        protected void authorize(ActionMapping mapping, ActionForm form,
                HttpServletRequest request, HttpServletResponse response) throws Exception { }
        // final, so a subclass cannot skip the authorize() call.
        public final ActionForward execute(ActionMapping mapping, ActionForm form,
                HttpServletRequest request, HttpServletResponse response) throws Exception {
            authorize(mapping, form, request, response);
            return pExecute(mapping, form, request, response);
        }
        public abstract ActionForward pExecute(ActionMapping mapping, ActionForm form,
                HttpServletRequest request, HttpServletResponse response) throws Exception;
    }

Now extend all your protected actions from ProtectedAction and all the
non-protected actions from Struts' Action. This gives you total flexibility.
If there are non-trivial actions that do not fall under your regular logic of
the authorize method, you just override it for that particular Action.

I am not sure if this is a good approach, but it seems to work for my
application. It probably will not integrate really well with other parts and
plugins, for example Tiles, since in Tiles you can disable a whole tile based
on the role the user has. But from what I understand, you would need
container-managed user/role management.
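The base-class pattern from the reply above, filled in as an added example (not code from the original message or from Struts itself): here the checks sit directly in the final execute() so that "not logged in" and "logged in but lacking the role" produce different responses, which is the distinction the question asks for. Assumptions: the session key "usercontainer" from the question, forwards named "login" and "report" declared in struts-config.xml, and the hypothetical requiredRole() hook and AdminReportAction subclass.

```java
import javax.servlet.http.*;
import org.apache.struts.action.*;

public abstract class ProtectedAction extends Action {
    // Assumptions: session key as named in the question; "login" is a
    // forward declared in struts-config.xml.
    protected static final String USER_KEY = "usercontainer";
    protected static final String LOGIN_FORWARD = "login";

    /** Role this action needs, or null when being logged in is enough. */
    protected String requiredRole() {
        return null;
    }

    /** final: a subclass cannot skip or reorder the checks. */
    public final ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        // getSession(false) avoids creating a session for anonymous requests.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_KEY) == null) {
            return mapping.findForward(LOGIN_FORWARD); // not logged in
        }
        String role = requiredRole();
        if (role != null && !request.isUserInRole(role)) {
            // Logged in but not authorized: send 403 and return null so
            // Struts treats the response as complete.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return null;
        }
        return pExecute(mapping, form, request, response);
    }

    protected abstract ActionForward pExecute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception;
}

// Hypothetical protected action that additionally requires the "admin" role.
class AdminReportAction extends ProtectedAction {
    protected String requiredRole() {
        return "admin";
    }

    protected ActionForward pExecute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        return mapping.findForward("report"); // hypothetical forward name
    }
}
```

The check only covers requests that reach an Action; JSPs that can be requested directly need to sit under WEB-INF or be protected separately.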