struts-user mailing list archives

From Adam Hardy <ahardy.str...@cyberspaceroad.com>
Subject Re: Checking if user has a valida session
Date Sun, 14 Mar 2004 23:29:33 GMT

Theo
I would check in struts-examples in the struts installation.


Adam

On 03/14/2004 04:03 PM Theodosios Paschalidis wrote:
> Adam thank you for your reply.
> It is most likely Tomcat (4.1.24) that does not refresh (supposedly picks up
> the updated classes) and I have to delete its temporary working folder every
> time.
> 
> In terms of security, things did work when Tomcat used the latest classes.
> My application is quite small and it is not expected to go beyond
> small/medium. I have already implemented the Action based security and I
> only need JSP security in a couple of "welcome" pages. Since I must be
> finishing this quickly there is no time to look into a security framework.
> The <logic> tag is a requirement in my case! Could somebody please provide an
> example of using the <logic> tag, to check for the presence of an attribute
> checking its boolean property and forwarding to a page?
> Thanks again,
> Theo
> 
> ----- Original Message ----- 
> From: "Adam Hardy" <ahardy.struts@cyberspaceroad.com>
> To: "Struts Users Mailing List" <struts-user@jakarta.apache.org>
> Sent: Sunday, March 14, 2004 10:11 AM
> Subject: Re: Checking if user has a valida session
> 
> 
> 
>>Struts is rock solid - if something's going wrong, you can bet your
>>bottom dollar it's something you've done.
>>
>>Doing it in your jsps is, as someone else said earlier, way too late. If
>>you're not going to use container-managed security, which is sufficient
>>for most needs, then put it in a filter. It's easy, central and
>>maintenance-free. Better than updating all your JSPs.
>>
>>As for tags, I'm not sure about <logic> tags, I use <c> tags in JSTL.
>>
>>Setting form properties in the Action classes is standard practice.
>>
>>Adam
>>
>>
>>On 03/13/2004 11:43 PM Theodosios Paschalidis wrote:
>>
>>>Struts seems to be erratic! It first worked then with no changes it didn't!
>>>Something is going terribly wrong with how the server updates the classes...
>>>I believe the safest bet is to do it in my jsp.
>>>-Could somebody please give an example of using the <logic> tag, to check
>>>for the presence of an attribute checking its boolean property and
>>>forwarding to a page?
>>>-Also is it ok to set a Form property in the Action class?
>>>
>>>Forgive my basic question but I could not get it to work with a boolean
>>>property!
>>>
>>>Thank you for your time,
>>>Theo
>>>
>>>
>>>----- Original Message ----- 
>>>From: "Robert Nocera" <rnocera@neosllc.com>
>>>To: "'Struts Users Mailing List'" <struts-user@jakarta.apache.org>
>>>Sent: Saturday, March 13, 2004 5:34 PM
>>>Subject: RE: Checking if user has a valida session
>>>
>>>
>>>
>>>
>>>>How about this:
>>>>    public boolean isUserAdmin(HttpServletRequest request)
>>>>    {  //Check if the Admin is logged on
>>>>        if (isLogged(request)) {
>>>>            HttpSession session = request.getSession();
>>>>            LogonForm user = (LogonForm) session.getAttribute(Constants.USER_KEY);
>>>>            return (user.isAdmin());
>>>>        } else {
>>>>            return false;
>>>>        }
>>>>    }
>>>>
>>>>-----Original Message-----
>>>>From: Theodosios Paschalidis [mailto:theopa7@hotmail.com]
>>>>Sent: Saturday, March 13, 2004 11:42 AM
>>>>To: Struts Users Mailing List
>>>>Subject: Re: Checking if user has a valida session
>>>>
>>>>Hi all,
>>>>
>>>>I was just trying to figure out how to do that. (newbie) I have an app that
>>>>has some pages available for all, some for logged in users and some for
>>>>administrators.
>>>>
>>>>I prevent access to logged-only pages by a tags that hide the relevant
>>>>functionality.
>>>>I have now written an abstract BaseAction with 3 methods: isSessionValid,
>>>>isLogged and isUserAdmin in order to implement Action based security.
>>>>
>>>>My problem is that I can still go to my ".do" or ".jsp" pages directly by
>>>>typing in the URL. If I try to submit something instead of being forwarded
>>>>to, say, LogOff, I get this error
>>>>java.lang.NullPointerException
>>>>at app.AbstActionBase.isUserAdmin(Unknown Source)
>>>>at app.InsertItemAction.execute(Unknown Source)
>>>>
>>>>since my code checks based on a request that is not there! Any way to
>>>>prevent this?
>>>>Thank you for your time,
>>>>Theo
>>>>
>>>>
>>>>    public boolean isSessionValid(HttpServletRequest request)
>>>>    {
>>>>        if (request == null) return (false);
>>>>        HttpSession session = request.getSession();
>>>>        if (session == null) return (false);
>>>>        return true;
>>>>    }
>>>>
>>>>    public boolean isLogged(HttpServletRequest request)
>>>>    {
>>>>        // Checked for a currently logged on user
>>>>        HttpSession session = request.getSession();
>>>>        LogonForm user = (LogonForm) session.getAttribute(Constants.USER_KEY);
>>>>        return ((user == null) ? false : true);
>>>>    }
>>>>
>>>>    public boolean isUserAdmin(HttpServletRequest request)
>>>>    {  //Check if the Admin is logged on
>>>>        HttpSession session = request.getSession();
>>>>        LogonForm user = (LogonForm) session.getAttribute(Constants.USER_KEY);
>>>>        return (user.isAdmin());
>>>>    }
>>>>
>>>>----- Original Message ----- 
>>>>From: <Shahak.Nagiel@ngc.com>
>>>>To: <struts-user@jakarta.apache.org>
>>>>Sent: Friday, March 12, 2004 8:50 PM
>>>>Subject: RE: Checking if user has a valida session
>>>>
>>>>
>>>>There are different ways of implementing a secure site, and many variables
>>>>involved.
>>>>
>>>>When you say you want to see if the session is "valid," are you talking
>>>>about name/password authentication, or some other session attribute?
>>>>
>>>>If the former, you can implement a standard J2EE security model in the web
>>>>app deployment descriptor (web.xml), specifying which user roles can access
>>>>which pages (such as "*.do"), and exempting specified other resources (e.g.
>>>>"login.do").  This will automatically prevent users from accessing pages
>>>>without being authenticated first, and also enable you to configure session
>>>>timeouts easily.  It's also an easy, central, and standard method of
>>>>configuring security, and fits in neatly with the roles-based configuration
>>>>in the Struts config file.  Your options would work as well, but wouldn't be
>>>>very flexible or easy to manage, especially if you expect the application to
>>>>get big.
>>>>
>>>>
>>>>
>>>>-----Original Message-----
>>>>From: Joao Batistella [mailto:joao-p-batistella@ptinovacao.pt]
>>>>Sent: Friday, March 12, 2004 2:55 PM
>>>>To: 'Struts Users Mailing List'
>>>>Subject: Checking if user has a valida session
>>>>
>>>>
>>>>Hello.
>>>>
>>>>I have to check in my application if the user has a valid session in every
>>>>page and, if not, redirect him to the login page.
>>>>What is the best way of doing this?
>>>>
>>>>I see 3 options:
>>>>
>>>>1. Put an include or tag in every page that checks this
>>>>2. Check this in my struts action
>>>>3. Use a servlet filtering to filter all .jsp or .do requests
>>>>
>>>>I'm thinking about adopting solution number 3. Is it the best approach?
>>>>
>>>>Thanks,
>>>>JP
>>>>
>>>>---------------------------------------------------------------------
>>>>To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
>>>>For additional commands, e-mail: struts-user-help@jakarta.apache.org
>>>>
>>>>
>>>
>>>
>>
>>
>>-- 
>>struts 1.1 + tomcat 5.0.16 + java 1.4.2
>>Linux 2.4.20 Debian
>>
>>
> 
> 


-- 
struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian
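
Added example, not part of the original messages or of Struts: a servlet filter of the kind recommended in this thread, which rejects direct ".do" and ".jsp" requests that carry no logged-on user. The class name SessionCheckFilter, the session key value "user" (standing in for the thread's Constants.USER_KEY) and the exempt path "/login.do" are assumptions.

```java
// Added example: central login check in a servlet filter (javax.servlet, Servlet 2.3+).
// Assumed names: SessionCheckFilter, USER_KEY value "user", LOGIN_PATH "/login.do".
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SessionCheckFilter implements Filter {
    static final String USER_KEY = "user";        // assumption: stands in for Constants.USER_KEY
    static final String LOGIN_PATH = "/login.do"; // assumption: the one exempt resource

    public void init(FilterConfig config) {}
    public void destroy() {}

    /** True only if a session already exists and holds a logged-on user. */
    static boolean isLogged(HttpServletRequest request) {
        // getSession(false) returns null instead of creating a fresh, empty session,
        // so a request that arrives without a session is seen as "not logged on".
        HttpSession session = request.getSession(false);
        return session != null && session.getAttribute(USER_KEY) != null;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the web application, e.g. "/insertItem.do"
        String path = request.getServletPath();
        if (LOGIN_PATH.equals(path) || isLogged(request)) {
            chain.doFilter(req, res);   // exempt or authenticated: continue to Struts or the JSP
            return;
        }
        // Direct URL access without a login: send the browser to the login action,
        // so no Action or JSP ever runs against a missing user object.
        response.sendRedirect(
                response.encodeRedirectURL(request.getContextPath() + LOGIN_PATH));
    }
}
```

The filter is declared in web.xml and mapped to the *.do and *.jsp URL patterns; role checks such as isUserAdmin still belong in the Action, after this filter has guaranteed that a user object is present.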

