struts-user mailing list archives

From James Adams <james_ad...@yahoo.com>
Subject Re: How to create a "No Action" ActionForward
Date Sun, 22 Feb 2004 20:42:45 GMT
I think Srikanth has hit the nail on the head, in that
I am not fully utilizing what is already available
with vanilla J2EE, namely security roles,
authorization constraints, and error pages, all of
which I can declare in the deployment descriptor of my
web app.  But I still want to use a Struts component
for the authentication instead of a more traditional
form-based authentication scheme.

Let me outline below what is, I think, a much better
approach and kindly ask for comments, as I'm not
certain that this will work or if it's actually the
smartest way to go.

I would like to use a Struts Action class to handle my
login form, instead of vanilla form-based
authentication, i.e. "j_security_check", for two
reasons: 1) form-based authentication is not very
secure since it passes the user name and password
across the network in clear text, and 2) I want to use
an LDAP server (within my login Action class) to do the
authentication, and this would not be possible using
plain form-based authentication.

So the plan is to have a form in my Login.jsp with the
form's action being the login Action class.  The login
Action class will connect to the LDAP server and try
to authenticate using the username and password
supplied as form inputs.  If the authentication
succeeds then the user's session is set with the
user's role (also retrieved from the LDAP server), and
then the control is forwarded to the first "logged in"
welcome page.  If the authentication fails then the
appropriate error message ("Login failed - try again")
will be added to the ActionErrors and control is
forwarded back to the login page, which will display
the ActionError message via a <html:errors> tag, and
allow the user to try again.

In order to accomplish session authorization of a
session for each *.jsp of the application I will
declare a security constraint in the web.xml, like so:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>
            Restricted Pages
        </web-resource-name>
        <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
        <role-name>customer</role-name>
    </auth-constraint>
</security-constraint>


With the above I will get automatic checking of the
user's role by the container at each access of any
*.jsp, and anyone accessing a *.jsp without an
appropriate role set in their session will not be
allowed to access the page.  If the user is not in the
appropriate role then I can forward to an error page
by declaring an <error-page> in the deployment
descriptor.

The above authorization strategy takes care of what I
was trying to accomplish with my SessionValidator
Action class idea from before, which was to check for
a "loggedIn" session attribute before allowing a user
to continue with page processing.  In fact it is even
better, in that it allows the flexibility of allowing
different roles and authorization of pages based on
roles and not just on a single "loggedIn" flag.  

I am not sure how I will programmatically set the
user's role in the login Action class execute()
method.  Is it as simple as just setting a session
attribute named "role"?

Thanks in advance for your insight.


-James
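As an added worked example (not code from James's post and not part of the Struts project), here is what the login Action outlined above might look like using JNDI: it binds to the LDAP server as the user, reads a role attribute, and stores the result in the session, returning to the login page with an ActionError when the bind fails. Everything below is assumed for illustration: a `LoginForm` bean with `getUsername()`/`getPassword()`, the URL `ldap://ldap.example.com:389` and base `ou=people,dc=example,dc=com`, `employeeType` as the attribute that carries the role, and the forward names `login` and `welcome`. One caveat on the closing question: the container evaluates `<auth-constraint>` against roles its own realm assigned during container-managed authentication, so a session attribute named "role" set from an Action is not consulted by that check. Either configure the container's realm for LDAP (Tomcat ships a JNDI realm) and let `<security-constraint>` do its job, or keep the Struts login and enforce the role in application code (a servlet Filter or a custom RequestProcessor calling `hasRole` below). Adding `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` under `<user-data-constraint>` keeps the password off the wire in clear text whichever login handler reads the form.

```java
// Added example, not from the original post. Struts 1.x login Action that
// authenticates by binding to LDAP as the user. Names marked "assumed" are
// placeholders for this illustration.
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionError;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public class LoginAction extends Action {
    private static final String LDAP_URL = "ldap://ldap.example.com:389";     // assumed
    private static final String USER_BASE = "ou=people,dc=example,dc=com";    // assumed
    private static final String ROLE_ATTR = "employeeType";                   // assumed
    public static final String ROLE_KEY = "role";     // session attribute holding the role

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response) {
        LoginForm loginForm = (LoginForm) form;        // assumed form bean
        String username = loginForm.getUsername();
        String password = loginForm.getPassword();

        // Reject empty credentials before binding: an empty password is treated
        // by many directories as an anonymous bind, which would "succeed".
        String role = null;
        if (username != null && password != null && password.length() > 0
                && username.matches("[A-Za-z0-9._-]{1,64}")) {   // whitelist: no DN metacharacters
            role = authenticate(username, password);
        }

        if (role == null) {
            ActionErrors errors = new ActionErrors();
            // one generic message so the response does not reveal whether the user exists
            errors.add(ActionErrors.GLOBAL_ERROR, new ActionError("error.login.failed"));
            saveErrors(request, errors);
            return mapping.findForward("login");
        }

        // Drop any pre-login session so a session id fixed before authentication is not reused.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute("username", username);
        session.setAttribute(ROLE_KEY, role);
        return mapping.findForward("welcome");
    }

    /** Bind to the directory as the user; return the role attribute, or null on failure. */
    static String authenticate(String username, String password) {
        String dn = "uid=" + username + "," + USER_BASE;    // username already whitelisted
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);   // throws AuthenticationException on a bad password
            Attributes attrs = ctx.getAttributes(dn, new String[] { ROLE_ATTR });
            Attribute roleAttr = attrs.get(ROLE_ATTR);
            return roleAttr == null ? null : (String) roleAttr.get();
        } catch (NamingException e) {
            return null;                         // bad credentials, unknown user, or server down
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    /** Application-side role check for a Filter or RequestProcessor to call. */
    public static boolean hasRole(HttpSession session, String required) {
        if (session == null) {
            return false;
        }
        Object role = session.getAttribute(ROLE_KEY);
        return required.equals(role);
    }
}
```

The `error.login.failed` key is looked up in the application's resource bundle and rendered by the `<html:errors>` tag on the login page, as described in the post; the forward names are whatever the action mapping declares in struts-config.xml.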




