From "Frank W. Zammetti" <fzli...@omnytex.com>
Subject Re: Session Strategy
Date Thu, 20 Jan 2005 04:26:39 GMT
If the user clicks a button, you are either going to (a) go directly to 
a JSP, which is generally not a good idea in a Struts-based application 
anyway (or any servlet-based application for that matter) or (b) go to 
an Action, as you probably should be doing.  In either case, choice 1 is 
what I would do personally.  Putting things under WEB-INF as David 
suggests works great, but it just feels kind of wrong to me.

You'll also want to call some common code from all your Actions that 
does the same basic check and forwards immediately to your "logon again" 
page.  I do this by means of an ActionHelpers class that has two static 
methods, start() and finish() that are called, as I'm sure you could 
guess, at the start and end of all my Actions.  They do some common 
tasks, including this check.

If you want a real solution though, externalize your security using 
something like Netegrity Siteminder.  It will deal with this situation 
for you, in a theoretically more secure fashion than you could probably 
do on your own.

Yet another idea is a filter that will check if a session is alive and 
redirect as appropriate.  This I believe can work no matter what your 
request is to (Action or JSP directly), or any other resource, assuming 
the app server serves everything.

-- 
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com

David G. Friedman wrote:
> I'll suggest option #3:
> 
> Hide all JSP's under /WEB-INF/pages (or something like that) so you need
> actions (or ForwardActions) to internally get to the JSP pages.  Then, you
> can modify the RequestProcessor.processRoles() method to perform your
> security check for the session scope's userID object or redirect to a login
> page if no such object (or no session) exists.  I've done this myself once
> or twice. :)
> 
> Regards,
> David
> 
> -----Original Message-----
> From: Jim Douglas [mailto:jdz99@hotmail.com]
> Sent: Wednesday, January 19, 2005 10:40 PM
> To: user@struts.apache.org
> Subject: Session Strategy
> 
> 
> To all,
> 
>   I have a web application that sets a session attribute with userID and a
> timeout in the config file that times out after 5 minutes in case the user
> walks away.
> 
> I am trying to figure out the best strategy to deal with cases where the
> user comes back after 5 minutes and clicks on a button anywhere in the app
> that requires that attribute that just expired to have a valid value.
> 
> Should I,
> 
> 
> 1> Put code like this in the JSP,
> 
> <%-- "empty" is true when the attribute is absent; comparing to the string 'null' never matches --%>
> <c:if test="${empty sessionScope.userID}">
>   <c:redirect url="/login.jsp"/>
> </c:if>
> 
> 
> 2> Or should I just put all the code in the class files, something like
> this,
> 
> Integer userID = (Integer) request.getSession().getAttribute("userID");
> if (userID == null) {
>     return mapping.findForward("failure");
> }
> 
> Or
> 3> ?? I'm open to suggestions!
> 
> 
> Thanks,
> Jim
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
> 
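An added example, not code from anyone in this thread, of the filter approach Frank mentions combined with the same null check as Jim's option 2: a javax.servlet Filter that looks for the session's "userID" attribute on every request and redirects to the login entry point when the session is gone. The class name, the /logon.do path and the exempt paths are assumptions; change them to match your struts-config.xml.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical session check filter (added example, not from the thread).
 * Assumes the application stores an Integer "userID" in the session after
 * login, as in Jim's option 2, and that the login Action is mapped at /logon.do.
 */
public class SessionCheckFilter implements Filter {

    /** Session attribute name used by the thread's examples. */
    static final String USER_ID_ATTR = "userID";

    /** Login entry point; assumed, adjust to your own mapping. */
    static final String LOGIN_PATH = "/logon.do";

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure in this example
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isExempt(request) || hasLiveUser(request)) {
            chain.doFilter(req, res);
            return;
        }

        // Session timed out (or never existed): send the browser back to the
        // login entry point. The session is not recreated here, so a timed-out
        // user cannot reach an Action or a JSP with a half-initialized session.
        String target = request.getContextPath() + LOGIN_PATH;
        response.sendRedirect(response.encodeRedirectURL(target));
    }

    /** True when the request already carries a session holding a non-null userID. */
    static boolean hasLiveUser(HttpServletRequest request) {
        // getSession(false): never create a fresh, empty session just to inspect it
        HttpSession session = request.getSession(false);
        return session != null && session.getAttribute(USER_ID_ATTR) instanceof Integer;
    }

    /** Paths that must stay reachable without a session: the login page and static assets. */
    static boolean isExempt(HttpServletRequest request) {
        String path = request.getServletPath();
        return LOGIN_PATH.equals(path)
                || path.startsWith("/images/")
                || path.endsWith(".css");
    }
}
```

Map the filter to `/*` in web.xml so it sees requests to Actions, directly-addressed JSPs and any other resource the app server serves, which is the property Frank points out. The check uses `getSession(false)` deliberately: calling `getSession()` from a filter or a JSP creates an empty session for every anonymous request, so the "is there a session" test would always appear to pass. Keep the exempt list short and explicit; anything not on it is protected by default.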