struts-user mailing list archives

From Adam Hardy <ahardy.str...@cyberspaceroad.com>
Subject Re: Checking if user has a valida session
Date Sun, 14 Mar 2004 10:11:26 GMT
Struts is rock solid - if something's going wrong, you can bet your 
bottom dollar it's something you've done.

Doing it in your jsps is, as someone else said earlier, way too late. If 
you're not going to use container-managed security, which is sufficient 
for most needs, then put it in a filter. It's easy, central and 
maintenance-free. Better than updating all your JSPs.

As for tags, I'm not sure about <logic> tags, I use <c> tags in JSTL.

Setting form properties in the Action classes is standard practice.

Adam


On 03/13/2004 11:43 PM Theodosios Paschalidis wrote:
> Struts seems to be erratic! It first worked then with no changes it didn't!
> Something is going terribly wrong with how the server updates the classes...
> 
> I believe the safest bet is to do it in my jsp.
> -Could somebody please give an example of using the <logic> tag, to check
> for the presence of an attribute checking its boolean property and
> forwarding to a page?
> -Also is it ok to set a Form property in the Action class?
> 
> Forgive my basic question but I could not get it to work with a boolean
> property!
> 
> Thank you for your time,
> Theo
> 
> 
> ----- Original Message ----- 
> From: "Robert Nocera" <rnocera@neosllc.com>
> To: "'Struts Users Mailing List'" <struts-user@jakarta.apache.org>
> Sent: Saturday, March 13, 2004 5:34 PM
> Subject: RE: Checking if user has a valida session
> 
> 
> 
>>How about this:
>>    public boolean isUserAdmin(HttpServletRequest request)
>>    {
>>        // Check if the Admin is logged on
>>        if (isLogged(request)) {
>>            HttpSession session = request.getSession();
>>            LogonForm user = (LogonForm) session.getAttribute(Constants.USER_KEY);
>>            return (user.isAdmin());
>>        } else {
>>            return false;
>>        }
>>    }
>>
>>-----Original Message-----
>>From: Theodosios Paschalidis [mailto:theopa7@hotmail.com]
>>Sent: Saturday, March 13, 2004 11:42 AM
>>To: Struts Users Mailing List
>>Subject: Re: Checking if user has a valida session
>>
>>Hi all,
>>
>>I was just trying to figure out how to do that. (newbie) I have an app that
>>has some pages available for all, some for logged in users and some for
>>administrators.
>>
>>I prevent access to logged-only pages by a tags that hide the relevant
>>functionality.
>>I have now written an abstract BaseAction with 3 methods: isSessionValid,
>>isLogged and isUserAdmin in order to implement Action based security.
>>
>>My problem is that I can still go to my ".do" or ".jsp" pages directly by
>>typing in the URL. If I try to submit something instead of being forwarded
>>to, say, LogOff, I get this error
>> java.lang.NullPointerException
>>at app.AbstActionBase.isUserAdmin(Unknown Source)
>>at app.InsertItemAction.execute(Unknown Source)
>>
>>since my code checks based on a request that is not there! Any way to
>>prevent this?
>>Thank you for your time,
>>Theo
>>
>>
>>    public boolean isSessionValid(HttpServletRequest request)
>>    {
>>        if (request == null) return (false);
>>        HttpSession session = request.getSession();
>>        if (session == null) return (false);
>>        return true;
>>    }
>>
>>    public boolean isLogged(HttpServletRequest request)
>>    {
>>        // Check for a currently logged on user
>>        HttpSession session = request.getSession();
>>        LogonForm user = (LogonForm) session.getAttribute(Constants.USER_KEY);
>>        return ((user == null) ? false : true);
>>    }
>>
>>    public boolean isUserAdmin(HttpServletRequest request)
>>    {
>>        // Check if the Admin is logged on
>>        HttpSession session = request.getSession();
>>        LogonForm user = (LogonForm) session.getAttribute(Constants.USER_KEY);
>>        return (user.isAdmin());
>>    }
>>
>>----- Original Message ----- 
>>From: <Shahak.Nagiel@ngc.com>
>>To: <struts-user@jakarta.apache.org>
>>Sent: Friday, March 12, 2004 8:50 PM
>>Subject: RE: Checking if user has a valida session
>>
>>
>>There are different ways of implementing a secure site, and many variables
>>involved.
>>
>>When you say you want to see if the session is "valid," are you talking
>>about name/password authentication, or some other session attribute?
>>
>>If the former, you can implement a standard J2EE security model in the web
>>app deployment descriptor (web.xml), specifying which user roles can access
>>which pages (such as "*.do"), and exempting specified other resources (e.g.
>>"login.do").  This will automatically prevent users from accessing pages
>>without being authenticated first, and also enable you to configure session
>>timeouts easily.  It's also an easy, central, and standard method of
>>configuring security, and fits in neatly with the roles-based configuration
>>in the Struts config file.  Your options would work as well, but wouldn't be
>>very flexible or easy to manage, especially if you expect the application to
>>get big.
>>
>>
>>
>>-----Original Message-----
>>From: Joao Batistella [mailto:joao-p-batistella@ptinovacao.pt]
>>Sent: Friday, March 12, 2004 2:55 PM
>>To: 'Struts Users Mailing List'
>>Subject: Checking if user has a valida session
>>
>>
>>Hello.
>>
>>I have to check in my application if the user has a valid session in
>>every page and, if not, redirect him to the login page.
>>What is the best way of doing this?
>>
>>I see 3 options:
>>
>>1. Put an include or tag in every page that checks this
>>2. Check this in my struts action
>>3. Use a servlet filtering to filter all .jsp or .do requests
>>
>>I'm thinking about adopting solution number 3. Is it the best approach?
>>
>>Thanks,
>>JP
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
>>For additional commands, e-mail: struts-user-help@jakarta.apache.org


-- 
struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian
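
The filter approach recommended in this message, as an added example that is not code from the thread: a servlet filter, meant to be mapped in web.xml to the `*.do` and `*.jsp` URL patterns, that rejects requests without a logged-in user before any Action or JSP runs. The class name, the `"user"` attribute name (standing in for the thread's `Constants.USER_KEY`) and the `/login.do` path are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SessionCheckFilter implements Filter {
    // Assumed values: the thread does not show Constants.USER_KEY or the login action path.
    static final String USER_KEY = "user";
    static final String LOGIN_PATH = "/login.do";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The login action itself must stay reachable, otherwise the redirect loops.
        if (LOGIN_PATH.equals(request.getServletPath())) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false) returns null when there is no session; the no-argument
        // getSession() would create an empty one and hide the missing login.
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(USER_KEY);

        if (user == null) {
            // Typed-in URL or expired session: send to login and stop processing here,
            // so no Action ever dereferences a missing user object.
            String target = request.getContextPath() + LOGIN_PATH;
            response.sendRedirect(response.encodeRedirectURL(target));
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Because the check runs before the Struts controller servlet, an Action such as the `isUserAdmin` helper quoted below is only reached when the session attribute is present.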

