struts-user mailing list archives

From Rick
Subject Re: Webapp Security?
Date Mon, 07 Jul 2003 04:47:20 GMT
On Thu, 2003-07-03 at 16:42, Craig R. McClanahan wrote:
> Why are you trying to mess with the container's implementation of
> authentication at all?  Why not just write a Filter that does an
> RD.forward() to some safe place if it sees that the session does not
> contain the right stuff (because it was timed out and recreated)?
> Remember, a filter is *not* required to call chain.doFilter() to pass the
> request on -- it can forward wherever it wants and then return, and this
> is portable to any Servlet 2.3 container.
> Filters are your friend :-).

Well, here's the deal... Basically there are too many things that
rely on certain objects being in Session scope for this application so I
don't want to have to test every type of action url. So what I did was
write a Servlet Filter that also is called from the url pattern /*

The relevant filter method looks like:

// httpRequest is the ServletRequest cast to HttpServletRequest,
// session is its HttpSession and mainPage is the path to forward to
if (  httpRequest.getUserPrincipal() != null &&
      session.getAttribute("userBean") == null ) {
    RequestDispatcher rd = request.getRequestDispatcher(mainPage);
    rd.forward(request, response );
} else {
     chain.doFilter(request, response);
}

The above seems to work fine- forcing the forward to the mainPage (which
in my case is an index page that then forwards to an Action that sets up
appropriate Session information). 

Throughout the course of the application there are other session objects
(mainly some Lists for reporting that are put in Session scope) so
rather than test for everything and have to figure out what page/action
to bring the user to in order to make sure things are set up correctly, I just
want them all back to some initial page.

The part I don't like is every request now has to hit both the security
filter and this other filter. Would it maybe be better to just do
this type of check in my base action execute method? (check for the
userBean being null there and if null forward to the appropriate

