struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David G. Friedman" <>
Subject RE: Session Strategy
Date Thu, 20 Jan 2005 03:48:52 GMT
I'll suggest option #3:

Hide all JSP's under /WEB-INF/pages (or something like that) so you need
actions (or ForwardActions) to internally get to the JSP pages.  Then, you
can modify the RequestProcessor.processRoles() method to perform your
security check for the session scope's userID object or redirect to a login
page if no such object (or no session) exists.  I've done this myself once
or twice. :)


-----Original Message-----
From: Jim Douglas []
Sent: Wednesday, January 19, 2005 10:40 PM
Subject: Session Strategy

To all,

  I have a web application that sets a session attribute with userID and a
timeout in the config file that times out after 5 minutes in case the user
walks away.

I am trying to figure out the best strategy to deal with cases where the
user comes back after 5 minutes and clicks on a button anywhere in the app
that requires that attribute that just expitred to have a valid value.

Should I,

1> Put code like this in the JSP,

<c:if test="${sessionScope.userID eq 'null'}">
  forward to login page....

2> Or should I just put all the code in the class files, something like

         Integer userID =
         if (userID==null){
             return mapping.findForward("failure");

3> ?? I'm open to suggestions!


To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message