RE: How to create a "No Action" ActionForward
I have a LoginAction which calls my class UserAuthorisation which implements Authorise. Heres what I do within LoginAction: auth = new UserAuthorisation(username,password); if (auth.authenticate()) { //save Subject in session Subject user = auth.getSubject(); logger.debug("AUTHENTICATED USER"); HttpSession session = request.getSession(); session.setAttribute(BNOnlineConstants.USER_SUBJECT,user); return mapping.findForward("success"); These tutorials helped a lot: http://www.mooreds.com/jaas.html http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/tutorials/GeneralAcnAndAzn.html -Original Message- From: Carl [mailto:[EMAIL PROTECTED] Sent: Tuesday, 24 February 2004 5:21 PM To: Struts Users Mailing List Subject: Re: How to create a "No Action" ActionForward Same question : JAAS, how did you get hold of the user's session? It's the last think I can't do. Carl Adam Hardy wrote: > Jackie, auth-constraint lists the roles that are allowed access. If you > have no roles, that means you need just one role for all. And you must > enter it there. Having no roles listed means no-one has permission. Or > you could try "*" for all roles (haven't tried it myself). > > Re: JAAS, how did you get hold of the user's session? I don't see any > way of obtaining access to it from the LoginModule. > > Adam > > On 02/24/2004 02:00 AM Jacqueline Gomes wrote: > >> That sounds like a good idea! However, I don't have any 'roles', >> they are just users that need to authenticate, and I wanted to secure >> /do/admin/*. I couldn't implement the web.xml security either >> - this didn't work: >> >> >> BN_ONLINE Administration >> Security constraint for resources in the admin >> directory /do/admin/* >> POST GET >> >> >> Can you please send me any links to OSUser API - I've not heard of >> it. >> >> -Original Message- From: Nick Faiz >> [mailto:[EMAIL PROTECTED] Sent: Tuesday, 24 February 2004 8:53 AM >> To: 'Struts Users Mailing List' Subject: RE: How to create a "No >> Action" ActionForward >> >> >> Guys, I'm at this point, myself, with an application sitting on the >> back-burner. I've thought about an approach, which is slightly >> different to yours. >> >> I agree that declarative security in J2EE, for Servlets and JSP.s, >> does not really seem to go far enough, at first glance. >> >> On the other hand, it has considerable benefits (the mappings of >> roles, relying upon app. server controlled ACLs, etc.). >> >> Why not allow declarative security to do its work, then build the user >> information in the session, based upon whether or not the user >> is in the correct role, etc.? This is what I plan to do - I'm using >> the OSUser API. I'll build its information, partly, by querying roles >> using the request, and relying upon WebLogic's internal LDAP server. >> >> >> Declarative security is passive; it actively doesn't `do' stuff but >> only waits for someone to pass through something it secures. Users >> make requests to post, which can be mapped to an Action class. I >> don't see how they are at odds. >> >> Nick Faiz. >> >> >> >> -Original Message- From: Jacqueline Gomes >> [mailto:[EMAIL PROTECTED] Sent: Tuesday, 24 February 2004 11:38 >> AM To: Struts Users Mailing List Subject: RE: How to create a "No >> Action" ActionForward >> >> Neither can I. There was no way with j_security_check that I could >> post to an Action class. So I implemented JAAS and in the module I >> interact with a Domain Facade that does the check with the database >> for a valid user. I then construct a User object and put that in the >> session. Each of my jsp's has a check (done using an include) for the >> user object and if it does not exist then it redirects to the login >> page. >> >> If anyone wants any code, let me know!! >> >> Jackie. >> >> -Original Message- From: Carl [mailto:[EMAIL PROTECTED] >> Sent: Monday, 23 February 2004 5:01 PM To: Struts Users Mailing List >> Subject: Re: How to create a "No Action" ActionForward >> >> >> By integarting with struts, I mean to have a loginAction witch fill >> the session with data about the logged user. >> >> I can't see how to
Re: How to create a "No Action" ActionForward
Same question : JAAS, how did you get hold of the user's session? It's the last think I can't do. Carl Adam Hardy wrote: Jackie, auth-constraint lists the roles that are allowed access. If you have no roles, that means you need just one role for all. And you must enter it there. Having no roles listed means no-one has permission. Or you could try "*" for all roles (haven't tried it myself). Re: JAAS, how did you get hold of the user's session? I don't see any way of obtaining access to it from the LoginModule. Adam On 02/24/2004 02:00 AM Jacqueline Gomes wrote: That sounds like a good idea! However, I don't have any 'roles', they are just users that need to authenticate, and I wanted to secure /do/admin/*. I couldn't implement the web.xml security either - this didn't work: BN_ONLINE Administration Security constraint for resources in the admin directory /do/admin/* POST GET Can you please send me any links to OSUser API - I've not heard of it. -Original Message- From: Nick Faiz [mailto:[EMAIL PROTECTED] Sent: Tuesday, 24 February 2004 8:53 AM To: 'Struts Users Mailing List' Subject: RE: How to create a "No Action" ActionForward Guys, I'm at this point, myself, with an application sitting on the back-burner. I've thought about an approach, which is slightly different to yours. I agree that declarative security in J2EE, for Servlets and JSP.s, does not really seem to go far enough, at first glance. On the other hand, it has considerable benefits (the mappings of roles, relying upon app. server controlled ACLs, etc.). Why not allow declarative security to do its work, then build the user information in the session, based upon whether or not the user is in the correct role, etc.? This is what I plan to do - I'm using the OSUser API. I'll build its information, partly, by querying roles using the request, and relying upon WebLogic's internal LDAP server. Declarative security is passive; it actively doesn't `do' stuff but only waits for someone to pass through something it secures. Users make requests to post, which can be mapped to an Action class. I don't see how they are at odds. Nick Faiz. -Original Message- From: Jacqueline Gomes [mailto:[EMAIL PROTECTED] Sent: Tuesday, 24 February 2004 11:38 AM To: Struts Users Mailing List Subject: RE: How to create a "No Action" ActionForward Neither can I. There was no way with j_security_check that I could post to an Action class. So I implemented JAAS and in the module I interact with a Domain Facade that does the check with the database for a valid user. I then construct a User object and put that in the session. Each of my jsp's has a check (done using an include) for the user object and if it does not exist then it redirects to the login page. If anyone wants any code, let me know!! Jackie. -----Original Message----- From: Carl [mailto:[EMAIL PROTECTED] Sent: Monday, 23 February 2004 5:01 PM To: Struts Users Mailing List Subject: Re: How to create a "No Action" ActionForward By integarting with struts, I mean to have a loginAction witch fill the session with data about the logged user. I can't see how to manage that with classic j_security_check. regards, Carl Adam Hardy wrote: Not having any roles effectively means from the container managed security point of view that you have only one role. What problems did you have 'integrating' the container security? As far as your app is concerned, j_security_check is not something that is relevant. The whole login should be transparent to your app. As long as you map the security constraints correctly, the user will never see a protected page unless they login. Adam On 02/23/2004 08:54 AM Carl wrote: I've faced the same issue too. (using tomcat) To solve it I've found 2 options : - implement a filter witch intercept each request an redirect if needed to the struts login action. It allow a good interaction with struts but no securty by container. - use the container : I do that by adding a CUSTOM login scheme along BASIC & FORM in org.apache.catalina.startup.Authenticators.properties. It's like the filter solution but use roles and the security is managed by the security constrains defined in web.xml. For now my CUSTUM login is similar to the FORM login, so it's not intergrated with struts, but I've planned to modify it soon. This second solution need too to define a Realm in : className="org.apache.catalina.realm.JAASRealm" appName="catalogue" userClassNames="com.asserina.atypone.catalogue.impl.ClientImpl" roleClassNames="com.asserina.atypone.catalogue.Role" /> (I'm using JAAS) To conclude I would say that the second option is far more powerfull and addaptable to specific needs however you have too lo
Re: How to create a "No Action" ActionForward
Jackie, auth-constraint lists the roles that are allowed access. If you have no roles, that means you need just one role for all. And you must enter it there. Having no roles listed means no-one has permission. Or you could try "*" for all roles (haven't tried it myself). Re: JAAS, how did you get hold of the user's session? I don't see any way of obtaining access to it from the LoginModule. Adam On 02/24/2004 02:00 AM Jacqueline Gomes wrote: That sounds like a good idea! However, I don't have any 'roles', they are just users that need to authenticate, and I wanted to secure /do/admin/*. I couldn't implement the web.xml security either - this didn't work: BN_ONLINE Administration Security constraint for resources in the admin directory /do/admin/* POST GET Can you please send me any links to OSUser API - I've not heard of it. -Original Message- From: Nick Faiz [mailto:[EMAIL PROTECTED] Sent: Tuesday, 24 February 2004 8:53 AM To: 'Struts Users Mailing List' Subject: RE: How to create a "No Action" ActionForward Guys, I'm at this point, myself, with an application sitting on the back-burner. I've thought about an approach, which is slightly different to yours. I agree that declarative security in J2EE, for Servlets and JSP.s, does not really seem to go far enough, at first glance. On the other hand, it has considerable benefits (the mappings of roles, relying upon app. server controlled ACLs, etc.). Why not allow declarative security to do its work, then build the user information in the session, based upon whether or not the user is in the correct role, etc.? This is what I plan to do - I'm using the OSUser API. I'll build its information, partly, by querying roles using the request, and relying upon WebLogic's internal LDAP server. Declarative security is passive; it actively doesn't `do' stuff but only waits for someone to pass through something it secures. Users make requests to post, which can be mapped to an Action class. I don't see how they are at odds. Nick Faiz. -Original Message- From: Jacqueline Gomes [mailto:[EMAIL PROTECTED] Sent: Tuesday, 24 February 2004 11:38 AM To: Struts Users Mailing List Subject: RE: How to create a "No Action" ActionForward Neither can I. There was no way with j_security_check that I could post to an Action class. So I implemented JAAS and in the module I interact with a Domain Facade that does the check with the database for a valid user. I then construct a User object and put that in the session. Each of my jsp's has a check (done using an include) for the user object and if it does not exist then it redirects to the login page. If anyone wants any code, let me know!! Jackie. -Original Message----- From: Carl [mailto:[EMAIL PROTECTED] Sent: Monday, 23 February 2004 5:01 PM To: Struts Users Mailing List Subject: Re: How to create a "No Action" ActionForward By integarting with struts, I mean to have a loginAction witch fill the session with data about the logged user. I can't see how to manage that with classic j_security_check. regards, Carl Adam Hardy wrote: Not having any roles effectively means from the container managed security point of view that you have only one role. What problems did you have 'integrating' the container security? As far as your app is concerned, j_security_check is not something that is relevant. The whole login should be transparent to your app. As long as you map the security constraints correctly, the user will never see a protected page unless they login. Adam On 02/23/2004 08:54 AM Carl wrote: I've faced the same issue too. (using tomcat) To solve it I've found 2 options : - implement a filter witch intercept each request an redirect if needed to the struts login action. It allow a good interaction with struts but no securty by container. - use the container : I do that by adding a CUSTOM login scheme along BASIC & FORM in org.apache.catalina.startup.Authenticators.properties. It's like the filter solution but use roles and the security is managed by the security constrains defined in web.xml. For now my CUSTUM login is similar to the FORM login, so it's not intergrated with struts, but I've planned to modify it soon. This second solution need too to define a Realm in : className="org.apache.catalina.realm.JAASRealm" appName="catalogue" userClassNames="com.asserina.atypone.catalogue.impl.ClientImpl" roleClassNames="com.asserina.atypone.catalogue.Role" /> (I'm using JAAS) To conclude I would say that the second option is far more powerfull and addaptable to specific needs however you have too look close to : JAAS, custom Realm, Authenticators.properties and is tide to your container (for me Tomcat) Let me know if you find qu
RE: How to create a "No Action" ActionForward
That sounds like a good idea! However, I don't have any 'roles', they are just users that need to authenticate, and I wanted to secure /do/admin/*. I couldn't implement the web.xml security either - this didn't work: BN_ONLINE Administration Security constraint for resources in the admin directory /do/admin/* POST GET Can you please send me any links to OSUser API - I've not heard of it. -Original Message- From: Nick Faiz [mailto:[EMAIL PROTECTED] Sent: Tuesday, 24 February 2004 8:53 AM To: 'Struts Users Mailing List' Subject: RE: How to create a "No Action" ActionForward Guys, I'm at this point, myself, with an application sitting on the back-burner. I've thought about an approach, which is slightly different to yours. I agree that declarative security in J2EE, for Servlets and JSP.s, does not really seem to go far enough, at first glance. On the other hand, it has considerable benefits (the mappings of roles, relying upon app. server controlled ACLs, etc.). Why not allow declarative security to do its work, then build the user information in the session, based upon whether or not the user is in the correct role, etc.? This is what I plan to do - I'm using the OSUser API. I'll build its information, partly, by querying roles using the request, and relying upon WebLogic's internal LDAP server. Declarative security is passive; it actively doesn't `do' stuff but only waits for someone to pass through something it secures. Users make requests to post, which can be mapped to an Action class. I don't see how they are at odds. Nick Faiz. -Original Message- From: Jacqueline Gomes [mailto:[EMAIL PROTECTED] Sent: Tuesday, 24 February 2004 11:38 AM To: Struts Users Mailing List Subject: RE: How to create a "No Action" ActionForward Neither can I. There was no way with j_security_check that I could post to an Action class. So I implemented JAAS and in the module I interact with a Domain Facade that does the check with the database for a valid user. I then construct a User object and put that in the session. Each of my jsp's has a check (done using an include) for the user object and if it does not exist then it redirects to the login page. If anyone wants any code, let me know!! Jackie. -Original Message- From: Carl [mailto:[EMAIL PROTECTED] Sent: Monday, 23 February 2004 5:01 PM To: Struts Users Mailing List Subject: Re: How to create a "No Action" ActionForward By integarting with struts, I mean to have a loginAction witch fill the session with data about the logged user. I can't see how to manage that with classic j_security_check. regards, Carl Adam Hardy wrote: > Not having any roles effectively means from the container managed > security point of view that you have only one role. > > What problems did you have 'integrating' the container security? As far > as your app is concerned, j_security_check is not something that is > relevant. The whole login should be transparent to your app. As long as > you map the security constraints correctly, the user will never see a > protected page unless they login. > > Adam > > On 02/23/2004 08:54 AM Carl wrote: > >> I've faced the same issue too. (using tomcat) >> To solve it I've found 2 options : >> - implement a filter witch intercept each request an redirect if >> needed to the struts login action. It allow a good interaction with >> struts but no securty by container. >> - use the container : I do that by adding a CUSTOM login scheme along >> BASIC & FORM in org.apache.catalina.startup.Authenticators.properties. >> It's like the filter solution but use roles and the security is >> managed by the security constrains defined in web.xml. For now my >> CUSTUM login is similar to the FORM login, so it's not intergrated >> with struts, but I've planned to modify it soon. >> This second solution need too to define a Realm in : >> > appName="catalogue" >> userClassNames="com.asserina.atypone.catalogue.impl.ClientImpl" >> roleClassNames="com.asserina.atypone.catalogue.Role" /> >> >> (I'm using JAAS) >> >> To conclude I would say that the second option is far more powerfull >> and addaptable to specific needs however you have too look close to : >> JAAS, custom Realm, Authenticators.properties and is tide to your >> container (for me Tomcat) >> >> Let me know if you find qui
RE: How to create a "No Action" ActionForward
Guys, I'm at this point, myself, with an application sitting on the back-burner. I've thought about an approach, which is slightly different to yours. I agree that declarative security in J2EE, for Servlets and JSP.s, does not really seem to go far enough, at first glance. On the other hand, it has considerable benefits (the mappings of roles, relying upon app. server controlled ACLs, etc.). Why not allow declarative security to do its work, then build the user information in the session, based upon whether or not the user is in the correct role, etc.? This is what I plan to do - I'm using the OSUser API. I'll build its information, partly, by querying roles using the request, and relying upon WebLogic's internal LDAP server. Declarative security is passive; it actively doesn't `do' stuff but only waits for someone to pass through something it secures. Users make requests to post, which can be mapped to an Action class. I don't see how they are at odds. Nick Faiz. -Original Message- From: Jacqueline Gomes [mailto:[EMAIL PROTECTED] Sent: Tuesday, 24 February 2004 11:38 AM To: Struts Users Mailing List Subject: RE: How to create a "No Action" ActionForward Neither can I. There was no way with j_security_check that I could post to an Action class. So I implemented JAAS and in the module I interact with a Domain Facade that does the check with the database for a valid user. I then construct a User object and put that in the session. Each of my jsp's has a check (done using an include) for the user object and if it does not exist then it redirects to the login page. If anyone wants any code, let me know!! Jackie. -Original Message- From: Carl [mailto:[EMAIL PROTECTED] Sent: Monday, 23 February 2004 5:01 PM To: Struts Users Mailing List Subject: Re: How to create a "No Action" ActionForward By integarting with struts, I mean to have a loginAction witch fill the session with data about the logged user. I can't see how to manage that with classic j_security_check. regards, Carl Adam Hardy wrote: > Not having any roles effectively means from the container managed > security point of view that you have only one role. > > What problems did you have 'integrating' the container security? As far > as your app is concerned, j_security_check is not something that is > relevant. The whole login should be transparent to your app. As long as > you map the security constraints correctly, the user will never see a > protected page unless they login. > > Adam > > On 02/23/2004 08:54 AM Carl wrote: > >> I've faced the same issue too. (using tomcat) >> To solve it I've found 2 options : >> - implement a filter witch intercept each request an redirect if >> needed to the struts login action. It allow a good interaction with >> struts but no securty by container. >> - use the container : I do that by adding a CUSTOM login scheme along >> BASIC & FORM in org.apache.catalina.startup.Authenticators.properties. >> It's like the filter solution but use roles and the security is >> managed by the security constrains defined in web.xml. For now my >> CUSTUM login is similar to the FORM login, so it's not intergrated >> with struts, but I've planned to modify it soon. >> This second solution need too to define a Realm in : >> > appName="catalogue" >> userClassNames="com.asserina.atypone.catalogue.impl.ClientImpl" >> roleClassNames="com.asserina.atypone.catalogue.Role" /> >> >> (I'm using JAAS) >> >> To conclude I would say that the second option is far more powerfull >> and addaptable to specific needs however you have too look close to : >> JAAS, custom Realm, Authenticators.properties and is tide to your >> container (for me Tomcat) >> >> Let me know if you find quiker or simpler solutions, >> >> Regards, >> >> Carl >> >> >> >> Jacqueline Gomes wrote: >> >>> Hi James, >>> >>> I was also trying to do the same thing, however, we are using JRun >>> and we don't have any user 'roles'. Specifically, I wanted the >>> container to do the authorisation i.e if a user tried to access any >>> pages after /admin/* then they would be redirected to the >>> login page if they have not logged in. However, the application does >>> not have any 'roles' as such. The user is authenticated by calling a >>> stored procedure in the dbase. >>> >>> I tried to implement the j_security_check also but was having a tough >>> time
RE: How to create a "No Action" ActionForward
Neither can I. There was no way with j_security_check that I could post to an Action class. So I implemented JAAS and in the module I interact with a Domain Facade that does the check with the database for a valid user. I then construct a User object and put that in the session. Each of my jsp's has a check (done using an include) for the user object and if it does not exist then it redirects to the login page. If anyone wants any code, let me know!! Jackie. -Original Message- From: Carl [mailto:[EMAIL PROTECTED] Sent: Monday, 23 February 2004 5:01 PM To: Struts Users Mailing List Subject: Re: How to create a "No Action" ActionForward By integarting with struts, I mean to have a loginAction witch fill the session with data about the logged user. I can't see how to manage that with classic j_security_check. regards, Carl Adam Hardy wrote: > Not having any roles effectively means from the container managed > security point of view that you have only one role. > > What problems did you have 'integrating' the container security? As far > as your app is concerned, j_security_check is not something that is > relevant. The whole login should be transparent to your app. As long as > you map the security constraints correctly, the user will never see a > protected page unless they login. > > Adam > > On 02/23/2004 08:54 AM Carl wrote: > >> I've faced the same issue too. (using tomcat) >> To solve it I've found 2 options : >> - implement a filter witch intercept each request an redirect if >> needed to the struts login action. It allow a good interaction with >> struts but no securty by container. >> - use the container : I do that by adding a CUSTOM login scheme along >> BASIC & FORM in org.apache.catalina.startup.Authenticators.properties. >> It's like the filter solution but use roles and the security is >> managed by the security constrains defined in web.xml. For now my >> CUSTUM login is similar to the FORM login, so it's not intergrated >> with struts, but I've planned to modify it soon. >> This second solution need too to define a Realm in : >> > appName="catalogue" >> userClassNames="com.asserina.atypone.catalogue.impl.ClientImpl" >> roleClassNames="com.asserina.atypone.catalogue.Role" /> >> >> (I'm using JAAS) >> >> To conclude I would say that the second option is far more powerfull >> and addaptable to specific needs however you have too look close to : >> JAAS, custom Realm, Authenticators.properties and is tide to your >> container (for me Tomcat) >> >> Let me know if you find quiker or simpler solutions, >> >> Regards, >> >> Carl >> >> >> >> Jacqueline Gomes wrote: >> >>> Hi James, >>> >>> I was also trying to do the same thing, however, we are using JRun >>> and we don't have any user 'roles'. Specifically, I wanted the >>> container to do the authorisation i.e if a user tried to access any >>> pages after /admin/* then they would be redirected to the >>> login page if they have not logged in. However, the application does >>> not have any 'roles' as such. The user is authenticated by calling a >>> stored procedure in the dbase. >>> >>> I tried to implement the j_security_check also but was having a tough >>> time integrating it with the actionform etc. >>> Do you have any ideas as to how I would do this given that I don't >>> have any user roles in the application? I was going to add a 'user' >>> object in the session and check on each page if it exists. If it >>> doesn't then redirect the user back to the login page. I have set >>> the session.setMaxInactiveInterval(72000); >>> >>> Any help would be appreciated. >>> >>> Thanks, Jackie. >>> >>> -Original Message- >>> From: James Adams [mailto:[EMAIL PROTECTED] >>> Sent: Monday, 23 February 2004 4:43 AM >>> To: Struts Mailing List >>> Subject: Re: How to create a "No Action" ActionForward >>> >>> >>> I think Srikanth has hit the nail on the head, in that >>> I am not fully utilizing what is already available >>> with vanilla J2EE, namely security roles, >>> authorization constraints, and error pages, all of >>> which I can declare in the deployment descriptor of my >>> web app. But I still want to use a Struts component >>> for the authentication instead of
Re: How to create a "No Action" ActionForward
In your case you would have to write a filter that checks request.getRemoteUser() and session.getAttribute("myUserInfoBean"). If remoteUser is not null but your UserInfoBean is, then you know you have just got a user after going thro the container login, and you can get the data and make the session bean. On 02/23/2004 10:00 AM Carl wrote: By integarting with struts, I mean to have a loginAction witch fill the session with data about the logged user. I can't see how to manage that with classic j_security_check. regards, Carl Adam Hardy wrote: Not having any roles effectively means from the container managed security point of view that you have only one role. What problems did you have 'integrating' the container security? As far as your app is concerned, j_security_check is not something that is relevant. The whole login should be transparent to your app. As long as you map the security constraints correctly, the user will never see a protected page unless they login. Adam On 02/23/2004 08:54 AM Carl wrote: I've faced the same issue too. (using tomcat) To solve it I've found 2 options : - implement a filter witch intercept each request an redirect if needed to the struts login action. It allow a good interaction with struts but no securty by container. - use the container : I do that by adding a CUSTOM login scheme along BASIC & FORM in org.apache.catalina.startup.Authenticators.properties. It's like the filter solution but use roles and the security is managed by the security constrains defined in web.xml. For now my CUSTUM login is similar to the FORM login, so it's not intergrated with struts, but I've planned to modify it soon. This second solution need too to define a Realm in : userClassNames="com.asserina.atypone.catalogue.impl.ClientImpl" roleClassNames="com.asserina.atypone.catalogue.Role" /> (I'm using JAAS) To conclude I would say that the second option is far more powerfull and addaptable to specific needs however you have too look close to : JAAS, custom Realm, Authenticators.properties and is tide to your container (for me Tomcat) Let me know if you find quiker or simpler solutions, Regards, Carl Jacqueline Gomes wrote: Hi James, I was also trying to do the same thing, however, we are using JRun and we don't have any user 'roles'. Specifically, I wanted the container to do the authorisation i.e if a user tried to access any pages after /admin/* then they would be redirected to the login page if they have not logged in. However, the application does not have any 'roles' as such. The user is authenticated by calling a stored procedure in the dbase. I tried to implement the j_security_check also but was having a tough time integrating it with the actionform etc. Do you have any ideas as to how I would do this given that I don't have any user roles in the application? I was going to add a 'user' object in the session and check on each page if it exists. If it doesn't then redirect the user back to the login page. I have set the session.setMaxInactiveInterval(72000); Any help would be appreciated. Thanks, Jackie. -Original Message----- From: James Adams [mailto:[EMAIL PROTECTED] Sent: Monday, 23 February 2004 4:43 AM To: Struts Mailing List Subject: Re: How to create a "No Action" ActionForward I think Srikanth has hit the nail on the head, in that I am not fully utilizing what is already available with vanilla J2EE, namely security roles, authorization constraints, and error pages, all of which I can declare in the deployment descriptor of my web app. But I still want to use a Struts component for the authentication instead of a more traditional form-based authentication scheme. Let me outline below what is, I think, a much better approach and kindly ask for comments, as I'm not certain that this will work or if it's actually the smartest way to go. I would like to use a Struts Action class to handle my login form, instead of vanilla form-based authentication, i.e. "j_security_check", for two reasons: 1) form-based authentication is not very secure since it passes the user name and password across the network in clear text, and 2) I want to use a LDAP server (within my login Action class) to do the authentication, and this would not be possible using plain form-based authentication. So the plan is to have a form in my Login.jsp with the form's action being the login Action class. The login Action class will connect to the LDAP server and try to authenticate using the username and password supplied as form inputs. If the authentication succeeds then the user's session is set with the user's role (also retrieved from the LDAP server), and then the control is forwarded to the first "logged in" welcome page. If the authentication fails
Re: How to create a "No Action" ActionForward
By integarting with struts, I mean to have a loginAction witch fill the session with data about the logged user. I can't see how to manage that with classic j_security_check. regards, Carl Adam Hardy wrote: Not having any roles effectively means from the container managed security point of view that you have only one role. What problems did you have 'integrating' the container security? As far as your app is concerned, j_security_check is not something that is relevant. The whole login should be transparent to your app. As long as you map the security constraints correctly, the user will never see a protected page unless they login. Adam On 02/23/2004 08:54 AM Carl wrote: I've faced the same issue too. (using tomcat) To solve it I've found 2 options : - implement a filter witch intercept each request an redirect if needed to the struts login action. It allow a good interaction with struts but no securty by container. - use the container : I do that by adding a CUSTOM login scheme along BASIC & FORM in org.apache.catalina.startup.Authenticators.properties. It's like the filter solution but use roles and the security is managed by the security constrains defined in web.xml. For now my CUSTUM login is similar to the FORM login, so it's not intergrated with struts, but I've planned to modify it soon. This second solution need too to define a Realm in : userClassNames="com.asserina.atypone.catalogue.impl.ClientImpl" roleClassNames="com.asserina.atypone.catalogue.Role" /> (I'm using JAAS) To conclude I would say that the second option is far more powerfull and addaptable to specific needs however you have too look close to : JAAS, custom Realm, Authenticators.properties and is tide to your container (for me Tomcat) Let me know if you find quiker or simpler solutions, Regards, Carl Jacqueline Gomes wrote: Hi James, I was also trying to do the same thing, however, we are using JRun and we don't have any user 'roles'. Specifically, I wanted the container to do the authorisation i.e if a user tried to access any pages after /admin/* then they would be redirected to the login page if they have not logged in. However, the application does not have any 'roles' as such. The user is authenticated by calling a stored procedure in the dbase. I tried to implement the j_security_check also but was having a tough time integrating it with the actionform etc. Do you have any ideas as to how I would do this given that I don't have any user roles in the application? I was going to add a 'user' object in the session and check on each page if it exists. If it doesn't then redirect the user back to the login page. I have set the session.setMaxInactiveInterval(72000); Any help would be appreciated. Thanks, Jackie. -Original Message- From: James Adams [mailto:[EMAIL PROTECTED] Sent: Monday, 23 February 2004 4:43 AM To: Struts Mailing List Subject: Re: How to create a "No Action" ActionForward I think Srikanth has hit the nail on the head, in that I am not fully utilizing what is already available with vanilla J2EE, namely security roles, authorization constraints, and error pages, all of which I can declare in the deployment descriptor of my web app. But I still want to use a Struts component for the authentication instead of a more traditional form-based authentication scheme. Let me outline below what is, I think, a much better approach and kindly ask for comments, as I'm not certain that this will work or if it's actually the smartest way to go. I would like to use a Struts Action class to handle my login form, instead of vanilla form-based authentication, i.e. "j_security_check", for two reasons: 1) form-based authentication is not very secure since it passes the user name and password across the network in clear text, and 2) I want to use a LDAP server (within my login Action class) to do the authentication, and this would not be possible using plain form-based authentication. So the plan is to have a form in my Login.jsp with the form's action being the login Action class. The login Action class will connect to the LDAP server and try to authenticate using the username and password supplied as form inputs. If the authentication succeeds then the user's session is set with the user's role (also retrieved from the LDAP server), and then the control is forwarded to the first "logged in" welcome page. If the authentication fails then the appropriate error message ("Login failed - try again") will be added to the ActionErrors and control is forwarded back to the login page, which will display the ActionError message via a tag, and allow the user to try again. In order to accomplish session authorization of a session for each *.jsp of the application I will declare a se
Re: How to create a "No Action" ActionForward
Not having any roles effectively means from the container managed security point of view that you have only one role. What problems did you have 'integrating' the container security? As far as your app is concerned, j_security_check is not something that is relevant. The whole login should be transparent to your app. As long as you map the security constraints correctly, the user will never see a protected page unless they login. Adam On 02/23/2004 08:54 AM Carl wrote: I've faced the same issue too. (using tomcat) To solve it I've found 2 options : - implement a filter witch intercept each request an redirect if needed to the struts login action. It allow a good interaction with struts but no securty by container. - use the container : I do that by adding a CUSTOM login scheme along BASIC & FORM in org.apache.catalina.startup.Authenticators.properties. It's like the filter solution but use roles and the security is managed by the security constrains defined in web.xml. For now my CUSTUM login is similar to the FORM login, so it's not intergrated with struts, but I've planned to modify it soon. This second solution need too to define a Realm in : userClassNames="com.asserina.atypone.catalogue.impl.ClientImpl" roleClassNames="com.asserina.atypone.catalogue.Role" /> (I'm using JAAS) To conclude I would say that the second option is far more powerfull and addaptable to specific needs however you have too look close to : JAAS, custom Realm, Authenticators.properties and is tide to your container (for me Tomcat) Let me know if you find quiker or simpler solutions, Regards, Carl Jacqueline Gomes wrote: Hi James, I was also trying to do the same thing, however, we are using JRun and we don't have any user 'roles'. Specifically, I wanted the container to do the authorisation i.e if a user tried to access any pages after /admin/* then they would be redirected to the login page if they have not logged in. However, the application does not have any 'roles' as such. The user is authenticated by calling a stored procedure in the dbase. I tried to implement the j_security_check also but was having a tough time integrating it with the actionform etc. Do you have any ideas as to how I would do this given that I don't have any user roles in the application? I was going to add a 'user' object in the session and check on each page if it exists. If it doesn't then redirect the user back to the login page. I have set the session.setMaxInactiveInterval(72000); Any help would be appreciated. Thanks, Jackie. -Original Message- From: James Adams [mailto:[EMAIL PROTECTED] Sent: Monday, 23 February 2004 4:43 AM To: Struts Mailing List Subject: Re: How to create a "No Action" ActionForward I think Srikanth has hit the nail on the head, in that I am not fully utilizing what is already available with vanilla J2EE, namely security roles, authorization constraints, and error pages, all of which I can declare in the deployment descriptor of my web app. But I still want to use a Struts component for the authentication instead of a more traditional form-based authentication scheme. Let me outline below what is, I think, a much better approach and kindly ask for comments, as I'm not certain that this will work or if it's actually the smartest way to go. I would like to use a Struts Action class to handle my login form, instead of vanilla form-based authentication, i.e. "j_security_check", for two reasons: 1) form-based authentication is not very secure since it passes the user name and password across the network in clear text, and 2) I want to use a LDAP server (within my login Action class) to do the authentication, and this would not be possible using plain form-based authentication. So the plan is to have a form in my Login.jsp with the form's action being the login Action class. The login Action class will connect to the LDAP server and try to authenticate using the username and password supplied as form inputs. If the authentication succeeds then the user's session is set with the user's role (also retrieved from the LDAP server), and then the control is forwarded to the first "logged in" welcome page. If the authentication fails then the appropriate error message ("Login failed - try again") will be added to the ActionErrors and control is forwarded back to the login page, which will display the ActionError message via a tag, and allow the user to try again. In order to accomplish session authorization of a session for each *.jsp of the application I will declare a security constraint in the web.xml, like so: Restricted Pages *.jsp admin customer With the above I will get automatic checking of the user's role b
Re: How to create a "No Action" ActionForward
I've faced the same issue too. (using tomcat) To solve it I've found 2 options : - implement a filter witch intercept each request an redirect if needed to the struts login action. It allow a good interaction with struts but no securty by container. - use the container : I do that by adding a CUSTOM login scheme along BASIC & FORM in org.apache.catalina.startup.Authenticators.properties. It's like the filter solution but use roles and the security is managed by the security constrains defined in web.xml. For now my CUSTUM login is similar to the FORM login, so it's not intergrated with struts, but I've planned to modify it soon. This second solution need too to define a Realm in : appName="catalogue" userClassNames="com.asserina.atypone.catalogue.impl.ClientImpl" roleClassNames="com.asserina.atypone.catalogue.Role" /> (I'm using JAAS) To conclude I would say that the second option is far more powerfull and addaptable to specific needs however you have too look close to : JAAS, custom Realm, Authenticators.properties and is tide to your container (for me Tomcat) Let me know if you find quiker or simpler solutions, Regards, Carl Jacqueline Gomes wrote: Hi James, I was also trying to do the same thing, however, we are using JRun and we don't have any user 'roles'. Specifically, I wanted the container to do the authorisation i.e if a user tried to access any pages after /admin/* then they would be redirected to the login page if they have not logged in. However, the application does not have any 'roles' as such. The user is authenticated by calling a stored procedure in the dbase. I tried to implement the j_security_check also but was having a tough time integrating it with the actionform etc. Do you have any ideas as to how I would do this given that I don't have any user roles in the application? I was going to add a 'user' object in the session and check on each page if it exists. If it doesn't then redirect the user back to the login page. I have set the session.setMaxInactiveInterval(72000); Any help would be appreciated. Thanks, Jackie. -Original Message- From: James Adams [mailto:[EMAIL PROTECTED] Sent: Monday, 23 February 2004 4:43 AM To: Struts Mailing List Subject: Re: How to create a "No Action" ActionForward I think Srikanth has hit the nail on the head, in that I am not fully utilizing what is already available with vanilla J2EE, namely security roles, authorization constraints, and error pages, all of which I can declare in the deployment descriptor of my web app. But I still want to use a Struts component for the authentication instead of a more traditional form-based authentication scheme. Let me outline below what is, I think, a much better approach and kindly ask for comments, as I'm not certain that this will work or if it's actually the smartest way to go. I would like to use a Struts Action class to handle my login form, instead of vanilla form-based authentication, i.e. "j_security_check", for two reasons: 1) form-based authentication is not very secure since it passes the user name and password across the network in clear text, and 2) I want to use a LDAP server (within my login Action class) to do the authentication, and this would not be possible using plain form-based authentication. So the plan is to have a form in my Login.jsp with the form's action being the login Action class. The login Action class will connect to the LDAP server and try to authenticate using the username and password supplied as form inputs. If the authentication succeeds then the user's session is set with the user's role (also retrieved from the LDAP server), and then the control is forwarded to the first "logged in" welcome page. If the authentication fails then the appropriate error message ("Login failed - try again") will be added to the ActionErrors and control is forwarded back to the login page, which will display the ActionError message via a tag, and allow the user to try again. In order to accomplish session authorization of a session for each *.jsp of the application I will declare a security constraint in the web.xml, like so: Restricted Pages *.jsp admin customer With the above I will get automatic checking of the user's role by the container at each access of any *.jsp, and anyone accessing a *.jsp without an appropriate role set in their session will not be allowed to access the page. If the user is not in the appropriate role then I can forward to an error page by declaring an in the deployment descriptor. The above authorization strategy takes care of what I was trying to accomplish with my SessionValidator Action class idea from before, which was to check for a "loggedIn"
RE: How to create a "No Action" ActionForward
Hi James, I was also trying to do the same thing, however, we are using JRun and we don't have any user 'roles'. Specifically, I wanted the container to do the authorisation i.e if a user tried to access any pages after /admin/* then they would be redirected to the login page if they have not logged in. However, the application does not have any 'roles' as such. The user is authenticated by calling a stored procedure in the dbase. I tried to implement the j_security_check also but was having a tough time integrating it with the actionform etc. Do you have any ideas as to how I would do this given that I don't have any user roles in the application? I was going to add a 'user' object in the session and check on each page if it exists. If it doesn't then redirect the user back to the login page. I have set the session.setMaxInactiveInterval(72000); Any help would be appreciated. Thanks, Jackie. -Original Message- From: James Adams [mailto:[EMAIL PROTECTED] Sent: Monday, 23 February 2004 4:43 AM To: Struts Mailing List Subject: Re: How to create a "No Action" ActionForward I think Srikanth has hit the nail on the head, in that I am not fully utilizing what is already available with vanilla J2EE, namely security roles, authorization constraints, and error pages, all of which I can declare in the deployment descriptor of my web app. But I still want to use a Struts component for the authentication instead of a more traditional form-based authentication scheme. Let me outline below what is, I think, a much better approach and kindly ask for comments, as I'm not certain that this will work or if it's actually the smartest way to go. I would like to use a Struts Action class to handle my login form, instead of vanilla form-based authentication, i.e. "j_security_check", for two reasons: 1) form-based authentication is not very secure since it passes the user name and password across the network in clear text, and 2) I want to use a LDAP server (within my login Action class) to do the authentication, and this would not be possible using plain form-based authentication. So the plan is to have a form in my Login.jsp with the form's action being the login Action class. The login Action class will connect to the LDAP server and try to authenticate using the username and password supplied as form inputs. If the authentication succeeds then the user's session is set with the user's role (also retrieved from the LDAP server), and then the control is forwarded to the first "logged in" welcome page. If the authentication fails then the appropriate error message ("Login failed - try again") will be added to the ActionErrors and control is forwarded back to the login page, which will display the ActionError message via a tag, and allow the user to try again. In order to accomplish session authorization of a session for each *.jsp of the application I will declare a security constraint in the web.xml, like so: Restricted Pages *.jsp admin customer With the above I will get automatic checking of the user's role by the container at each access of any *.jsp, and anyone accessing a *.jsp without an appropriate role set in their session will not be allowed to access the page. If the user is not in the appropriate role then I can forward to an error page by declaring an in the deployment descriptor. The above authorization strategy takes care of what I was trying to accomplish with my SessionValidator Action class idea from before, which was to check for a "loggedIn" session attribute before allowing a user to continue with page processing. In fact it is even better, in that it allows the flexibility of allowing different roles and authorization of pages based on roles and not just on a single "loggedIn" flag. I am not sure how I will programmatically set the user's role in the login Action class execute() method. Is it as simple as just setting a session attribute named "role" ? Thanks in advance for your insight. -James __ Do you Yahoo!? Yahoo! Mail SpamGuard - Read only the mail you want. http://antispam.yahoo.com/tools - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: How to create a "No Action" ActionForward
I think Srikanth has hit the nail on the head, in that I am not fully utilizing what is already available with vanilla J2EE, namely security roles, authorization constraints, and error pages, all of which I can declare in the deployment descriptor of my web app. But I still want to use a Struts component for the authentication instead of a more traditional form-based authentication scheme. Let me outline below what is, I think, a much better approach and kindly ask for comments, as I'm not certain that this will work or if it's actually the smartest way to go. I would like to use a Struts Action class to handle my login form, instead of vanilla form-based authentication, i.e. "j_security_check", for two reasons: 1) form-based authentication is not very secure since it passes the user name and password across the network in clear text, and 2) I want to use a LDAP server (within my login Action class) to do the authentication, and this would not be possible using plain form-based authentication. So the plan is to have a form in my Login.jsp with the form's action being the login Action class. The login Action class will connect to the LDAP server and try to authenticate using the username and password supplied as form inputs. If the authentication succeeds then the user's session is set with the user's role (also retrieved from the LDAP server), and then the control is forwarded to the first "logged in" welcome page. If the authentication fails then the appropriate error message ("Login failed - try again") will be added to the ActionErrors and control is forwarded back to the login page, which will display the ActionError message via a tag, and allow the user to try again. In order to accomplish session authorization of a session for each *.jsp of the application I will declare a security constraint in the web.xml, like so: Restricted Pages *.jsp admin customer With the above I will get automatic checking of the user's role by the container at each access of any *.jsp, and anyone accessing a *.jsp without an appropriate role set in their session will not be allowed to access the page. If the user is not in the appropriate role then I can forward to an error page by declaring an in the deployment descriptor. The above authorization strategy takes care of what I was trying to accomplish with my SessionValidator Action class idea from before, which was to check for a "loggedIn" session attribute before allowing a user to continue with page processing. In fact it is even better, in that it allows the flexibility of allowing different roles and authorization of pages based on roles and not just on a single "loggedIn" flag. I am not sure how I will programmatically set the user's role in the login Action class execute() method. Is it as simple as just setting a session attribute named "role" ? Thanks in advance for your insight. -James __ Do you Yahoo!? Yahoo! Mail SpamGuard - Read only the mail you want. http://antispam.yahoo.com/tools - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: How to create a "No Action" ActionForward for return from an Action's execute() ?
Jim, What you really want to achieve is best done outside Struts. Basically you are trying to achieve two things: 1)First, a user not logged in should be forwarded to a login page. 2)Second, prevent unauthorized users from not accessing the page. This is best done by using J2EE security. Use j_security_check in your login page and associate the logged in user with a role. Protect the resources by associating them with that role. Add a to web.xml so that users who are not logged in, are automatically forwarded to login page. >From your second part of the description that you want to stay in the same page when logged in - it seems you are using JSP Model 1 Architecture. But anyway, if the above security model is implemented, you dont need any filter, RequestProcessor extension or Struts Action. Your problem is solved. In your JSP, just point the link or button or form submission always to the same JSP. If the user is not authenticated J2EE container security will forward to login page. If not you will continue to stay in the same page Hope that helps, Srikanth Shenoy == Author: Struts Survival Guide ObjectSource Publications http://www.objectsource.com == >>I am including this session validator on each JSP of >>my application to check to make sure that a user is >>logged in, and if not I forward to the login page. >>There really is no logic involved other than >>if (loggedIn) >>{ >> // stay on current page >>} >>else >>{ >> // go to login page >>} - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: How to create a "No Action" ActionForward for return from an Action's execute() ?
> From: James Adams [mailto:[EMAIL PROTECTED] > To further clarify what I want to do, in case it will > lead to more pointed suggestions - I am including this > session validator on each JSP of my application to > check to make sure that a user is logged in, and if > not I forward to the login page. There really is no > logic involved other than IMO, the JSP is *way* too late to be deciding whether the person is allowed to be there or not. A Filter catches the request on the way in, and it never gets anywhere near your Struts code, much less the JSP. (You are running all requests through an Action first, and not allowing direct access to JSP's, right?) I prefer the Filter because it's not Struts specific. It just looks for a cookie or looks for something in the request or session, and either lets the request pass through or redirects elsewhere. -- Wendy Smoak Application Systems Analyst, Sr. ASU IA Information Resources Management - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: How to create a "No Action" ActionForward for return from an Action's execute() ?
Thanks for all of the suggestions on how to solve this problem. You have all given good ideas and introduced me to concepts that I am unfamiliar with as a beginner with Struts. To further clarify what I want to do, in case it will lead to more pointed suggestions - I am including this session validator on each JSP of my application to check to make sure that a user is logged in, and if not I forward to the login page. There really is no logic involved other than if (loggedIn) { // stay on current page } else { // go to login page } I have done this before by including a servlet on each page which directs to the login page if the user wasn't logged in. If this further information leads you to conclude that one approach is superior/simpler to another (it looks like using a Filter or RequestProcessor.processPreprocess() is the concensus) then I will certainly appreciate any further suggestions. Also, if I decide to use the RequestProcessor, which seems best, how do I configure it ? I assume that I just put an entry in the struts-config.xml and specify the class of the RequestProcessor (I didn't find anything on this in the User's Guide). Again thanks for helping me out with this. -James __ Do you Yahoo!? Yahoo! Mail SpamGuard - Read only the mail you want. http://antispam.yahoo.com/tools - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: How to create a "No Action" ActionForward for return from an Action's execute() ?
protected boolean processPreprocess( HttpServletRequest request, HttpServletResponse response) { boolean continueProcessing = true; HttpSession session = request.getSession(false); if (session == null) { continueProcessing = false; try { response.sendRedirect("/AppName/login.jsp"); } catch (Exception e) { log.error(e.getMessage()); } } return continueProcessing; } Anderson, James H [IT] wrote: How would you forward the user to the login page? The processPreprocess() method returns true or false. -Original Message- From: Brad Balmer [mailto:[EMAIL PROTECTED] Sent: Thursday, February 19, 2004 1:47 PM To: Struts Users Mailing List Subject: Re: How to create a "No Action" ActionForward for return from an Action's execute() ? While you can use a filter to do this, why not extend the RequestProcessor class? By overriding the processPreprocess function you can check for your flag. If found simply return true to continue processing. Otherwise forward the user onto the login page. * *James Adams wrote: I have created an Action class which does session validation by checking to see if a "loggedIn" flag is set in the session - if it is absent, or set to false, then I want to forward to the login page. However if it is set to true then I don't want to do anything - the execute() method should just complete and control should return to the calling page. But the execute() method must return an ActionForward, and it is impossible to specify a forward name/path for this case in the struts-config.xml since the path should be the path of the page that the action is being called from, and there is no way to know this information beforehand. So I am wondering how can I (within the execute() method of the SessionValidatorAction) create an ActionForward to return which will indicate the path of the calling page ? Is there a way to create and return a "No Action" ActionForward ? Can I just return null ? I am including the action at the top of the JSPs via The action mapping I'm currently using looks like this Is this the right approach/design ? If so how can I return an ActionForward from the SessionValidatorAction's execute() method which forwards control back to the calling page ? If not then how else should I go about this ? Thanks in advance for your feedback. Please Cc: any rsponses to this email address. -James __ Do you Yahoo!? Yahoo! Mail SpamGuard - Read only the mail you want. http://antispam.yahoo.com/tools - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: How to create a "No Action" ActionForward for return from an Action's execute() ?
How would you forward the user to the login page? The processPreprocess() method returns true or false. -Original Message- From: Brad Balmer [mailto:[EMAIL PROTECTED] Sent: Thursday, February 19, 2004 1:47 PM To: Struts Users Mailing List Subject: Re: How to create a "No Action" ActionForward for return from an Action's execute() ? While you can use a filter to do this, why not extend the RequestProcessor class? By overriding the processPreprocess function you can check for your flag. If found simply return true to continue processing. Otherwise forward the user onto the login page. * *James Adams wrote: >I have created an Action class which does session >validation by checking to see if a "loggedIn" flag is >set in the session - if it is absent, or set to false, >then I want to forward to the login page. However if >it is set to true then I don't want to do anything - >the execute() method should just complete and control >should return to the calling page. But the execute() >method must return an ActionForward, and it is >impossible to specify a forward name/path for this >case in the struts-config.xml since the path should be >the path of the page that the action is being called >from, and there is no way to know this information >beforehand. So I am wondering how can I (within the >execute() method of the SessionValidatorAction) create >an ActionForward to return which will indicate the >path of the calling page ? Is there a way to create >and return a "No Action" ActionForward ? Can I just >return null ? > >I am including the action at the top of the JSPs via > > > > > >The action mapping I'm currently using looks like this > > >type="mypkg.action.SessionValidatorAction"> >path="Login.jsp"/> > > > > >Is this the right approach/design ? If so how can I >return an ActionForward from the >SessionValidatorAction's execute() method which >forwards control back to the calling page ? If not >then how else should I go about this ? > >Thanks in advance for your feedback. Please Cc: any >rsponses to this email address. > > >-James > >__ >Do you Yahoo!? >Yahoo! Mail SpamGuard - Read only the mail you want. >http://antispam.yahoo.com/tools > >- >To unsubscribe, e-mail: [EMAIL PROTECTED] >For additional commands, e-mail: [EMAIL PROTECTED] > > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: How to create a "No Action" ActionForward for return from an Action's execute() ?
At 12:46 PM -0600 2/19/04, Brad Balmer wrote: While you can use a filter to do this, why not extend the RequestProcessor class? By overriding the processPreprocess function you can check for your flag. If found simply return true to continue processing. Otherwise forward the user onto the login page. I thought about suggesting this, but in processPreprocess, it might be complicated for the logic check to know whether the person is approaching an action which required a valid session. Doing it in the Action means you have the ActionMapping as a very easy place to hang information about whether or not validation is required. If you can structure your app so that you can do a check like this based on a URL fragment, then using a ServletFilter or extending RequestProcessor are good ideas -- in fact, better, if you ask me, because then you don't burn your single inheritance for your Action classes. Joe -- Joe Germuska [EMAIL PROTECTED] http://blog.germuska.com "Imagine if every Thursday your shoes exploded if you tied them the usual way. This happens to us all the time with computers, and nobody thinks of complaining." -- Jef Raskin - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: How to create a "No Action" ActionForward for return from an Action's execute() ?
While you can use a filter to do this, why not extend the RequestProcessor class? By overriding the processPreprocess function you can check for your flag. If found simply return true to continue processing. Otherwise forward the user onto the login page. * *James Adams wrote: I have created an Action class which does session validation by checking to see if a "loggedIn" flag is set in the session - if it is absent, or set to false, then I want to forward to the login page. However if it is set to true then I don't want to do anything - the execute() method should just complete and control should return to the calling page. But the execute() method must return an ActionForward, and it is impossible to specify a forward name/path for this case in the struts-config.xml since the path should be the path of the page that the action is being called from, and there is no way to know this information beforehand. So I am wondering how can I (within the execute() method of the SessionValidatorAction) create an ActionForward to return which will indicate the path of the calling page ? Is there a way to create and return a "No Action" ActionForward ? Can I just return null ? I am including the action at the top of the JSPs via The action mapping I'm currently using looks like this Is this the right approach/design ? If so how can I return an ActionForward from the SessionValidatorAction's execute() method which forwards control back to the calling page ? If not then how else should I go about this ? Thanks in advance for your feedback. Please Cc: any rsponses to this email address. -James __ Do you Yahoo!? Yahoo! Mail SpamGuard - Read only the mail you want. http://antispam.yahoo.com/tools - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: How to create a "No Action" ActionForward for return from an Action's execute() ?
Can I just return null ? No. Returning null signals Struts that the Action has done everything necessary for the response, and there is nothing for Struts to forward to. That doesn't sound like what you want, or at least not completely. If you want to send the person back to the calling page when different pages may be calling, you'd need to look at the request -- perhaps you could use the REFERRER header and send a redirect or return an instantly created ActionForward forwarding to that path. If you sent a redirect, you'd return null. Without understanding your situation completely, I'd think a better response would be to do session validation somewhere else, instead of in a single action. The simplest way would probably be to write an abstract base class, BaseSessionValidatingAction, and implement the validation in that classes 'execute' method; then if validation passes, have the base action call an abstract method like 'executeValidated(...)' which your subclasses would implement. Does that fit the bill? Joe -- Joe Germuska [EMAIL PROTECTED] http://blog.germuska.com "Imagine if every Thursday your shoes exploded if you tied them the usual way. This happens to us all the time with computers, and nobody thinks of complaining." -- Jef Raskin - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: How to create a "No Action" ActionForward for return from an Action's execute() ?
I use a a Servlet Filter to achieve this. This filter intercepts request before Struts gets it's hands on the request. Paul > -Original Message- > From: James Adams [mailto:[EMAIL PROTECTED] > Sent: 19 February 2004 18:17 > To: [EMAIL PROTECTED] > Subject: How to create a "No Action" ActionForward for return from an > Action's execute() ? > > > I have created an Action class which does session > validation by checking to see if a "loggedIn" flag is > set in the session - if it is absent, or set to false, > then I want to forward to the login page. However if > it is set to true then I don't want to do anything - > the execute() method should just complete and control > should return to the calling page. But the execute() > method must return an ActionForward, and it is > impossible to specify a forward name/path for this > case in the struts-config.xml since the path should be > the path of the page that the action is being called > from, and there is no way to know this information > beforehand. So I am wondering how can I (within the > execute() method of the SessionValidatorAction) create > an ActionForward to return which will indicate the > path of the calling page ? Is there a way to create > and return a "No Action" ActionForward ? Can I just > return null ? > > I am including the action at the top of the JSPs via > > > > > > The action mapping I'm currently using looks like this > > > type="mypkg.action.SessionValidatorAction"> > path="Login.jsp"/> > > > > > Is this the right approach/design ? If so how can I > return an ActionForward from the > SessionValidatorAction's execute() method which > forwards control back to the calling page ? If not > then how else should I go about this ? > > Thanks in advance for your feedback. Please Cc: any > rsponses to this email address. > > > -James > > __ > Do you Yahoo!? > Yahoo! Mail SpamGuard - Read only the mail you want. > http://antispam.yahoo.com/tools > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > ** Axios Email Confidentiality Footer Privileged/Confidential Information may be contained in this message. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone. In such case, you should destroy this message, and notify us immediately. If you or your employer does not consent to Internet email messages of this kind, please advise us immediately. Opinions, conclusions and other information expressed in this message are not given or endorsed by my Company or employer unless otherwise indicated by an authorised representative independent of this message. WARNING: While Axios Systems Ltd takes steps to prevent computer viruses from being transmitted via electronic mail attachments we cannot guarantee that attachments do not contain computer virus code. You are therefore strongly advised to undertake anti virus checks prior to accessing the attachment to this electronic mail. Axios Systems Ltd grants no warranties regarding performance use or quality of any attachment and undertakes no liability for loss or damage howsoever caused. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: How to create a "No Action" ActionForward for return from an Action's execute() ?
> From: James Adams [mailto:[EMAIL PROTECTED] > I have created an Action class which does session > validation by checking to see if a "loggedIn" flag is > set in the session - if it is absent, or set to false, > then I want to forward to the login page. Have you considered using a Filter instead? Then you can send the request where it belongs before it ever gets to the Action. -- Wendy Smoak Application Systems Analyst, Sr. ASU IA Information Resources Management - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
How to create a "No Action" ActionForward for return from an Action's execute() ?
I have created an Action class which does session validation by checking to see if a "loggedIn" flag is set in the session - if it is absent, or set to false, then I want to forward to the login page. However if it is set to true then I don't want to do anything - the execute() method should just complete and control should return to the calling page. But the execute() method must return an ActionForward, and it is impossible to specify a forward name/path for this case in the struts-config.xml since the path should be the path of the page that the action is being called from, and there is no way to know this information beforehand. So I am wondering how can I (within the execute() method of the SessionValidatorAction) create an ActionForward to return which will indicate the path of the calling page ? Is there a way to create and return a "No Action" ActionForward ? Can I just return null ? I am including the action at the top of the JSPs via The action mapping I'm currently using looks like this Is this the right approach/design ? If so how can I return an ActionForward from the SessionValidatorAction's execute() method which forwards control back to the calling page ? If not then how else should I go about this ? Thanks in advance for your feedback. Please Cc: any rsponses to this email address. -James __ Do you Yahoo!? Yahoo! Mail SpamGuard - Read only the mail you want. http://antispam.yahoo.com/tools - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]