Re: Best way to forward to login, then re-forward to originally requested resource?

2002-05-29 Thread Charles Brault

This question seems to come up frequently, probably should be in a FAQ. 
Using Servlet Filters is one approach. If you are using Struts 1.1 (in 
1.0.2 it's slightly different), and want to use a Struts approach, try 
the following.

I have an application that requires everyone to log in and certain 
information to be in session before anything else can be done. In order 
to prevent users from bookmarking a page and jumping into it without 
having first logged in, I have to check every incoming request for a 
valid session.

IMHO, the easiest way to do this is to override one or more methods in 
the RequestProcessor (if you are using Struts 1.1). If you don't have 
the Struts source you need to obtain it and look at: 
org.apache.struts.action.RequestProcessor. The processPreprocess method 
simply returns true on each invocation. However, if you override the 
original code, and add your own checks, you can "filter" all the 
incoming requests for anything that's relevant to your situation.

For example, in the following, we check to see if the incoming request 
is one of 3 possible pages, returning true if it is, false otherwise. 
Obviously, you'd need to do other things to handle other types of pages.

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.RequestProcessor;

public class TDRequestProcessor extends RequestProcessor {

    protected boolean processPreprocess(HttpServletRequest request,
                                        HttpServletResponse response) {

        String requri = request.getRequestURI();

        // first check the URI, if it's Splash, help or index.jsp, user is
        // attempting to login
        String path = requri.substring(requri.lastIndexOf("/") + 1);

        if (path.equalsIgnoreCase("splash")
                || path.equalsIgnoreCase("logon")
                || path.equalsIgnoreCase("index.jsp")
                || path.equalsIgnoreCase("logonhelp")) {
            // true: Struts continues processing this request
            return true;
        }

        // false: Struts stops processing this request here
        return false;
    }
}


Every request will funnel through this method. So you can check for 
objects in session and take appropriate forwarding actions if you don't 
obtain what's expected.

You will need to add the following to the bottom (check the TLD for the 
exact location) of the struts-config.xml file:





-- 
Charles E Brault
[EMAIL PROTECTED]
"Where are we going, and why am I in this handbasket?"


--
To unsubscribe, e-mail:   
For additional commands, e-mail: 




RE: Best way to forward to login, then re-forward to originally requested resource?

2002-05-29 Thread Tero P Paananen

> Well, let's say for the sake of argument, that it's not 
> authentication we're talking about. Let's say, instead,
> that in order to perform some Action B,
> some other Action A must be done first. However, doing A does not
> necessarily mean you'll do B next. What's the best way to 
> "remember" that B was what the user wanted to do, but
> forward them to A first?

WebSphere uses a cookie to store this information when
you're using container based authentication.

Tomcat uses a session attribute.

-TPP
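
[Added example, not part of any poster's message and not Struts, Tomcat or WebSphere code.] A sketch of the session-attribute approach mentioned above, written as a Servlet 2.3 filter mapped to /* so that it covers actions and JSPs under any action servlet mapping. The class name, attribute keys and the /logon.jsp and /logon.do paths are hypothetical; the login action is assumed to set USER_KEY in the session and then redirect to consumeTarget(request, "/index.jsp").

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
// Hypothetical names throughout: RememberTargetFilter, the attribute keys,
// /logon.jsp and /logon.do are assumptions made for this example.
public class RememberTargetFilter implements Filter {
    static final String USER_KEY = "example.user";      // set by the login action
    static final String TARGET_KEY = "example.target";  // originally requested resource
    static final String LOGIN_PAGE = "/logon.jsp";
    static final String LOGIN_ACTION = "/logon.do";
    public void init(FilterConfig config) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Context-relative path as the container resolved it, so it is the same
        // whether the action servlet is mapped to "*.do" or "/action/*".
        String path = request.getServletPath()
                + (request.getPathInfo() == null ? "" : request.getPathInfo());
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_KEY) != null;
        if (loggedIn || path.equals(LOGIN_PAGE) || path.equals(LOGIN_ACTION)) {
            chain.doFilter(req, res);
            return;
        }
        // Not logged in: keep the target server-side (a POST body is not replayed).
        String target = path;
        if ("GET".equals(request.getMethod()) && request.getQueryString() != null) {
            target += "?" + request.getQueryString();
        }
        request.getSession(true).setAttribute(TARGET_KEY, target);
        response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
    }
    /** For the login action: returns the redirect URL and clears the saved target. */
    static String consumeTarget(HttpServletRequest request, String fallback) {
        HttpSession session = request.getSession(false);
        Object saved = session == null ? null : session.getAttribute(TARGET_KEY);
        if (session != null) session.removeAttribute(TARGET_KEY);
        // Accept only a local path: "//host" or a backslash would let the
        // browser treat the redirect as pointing at another site.
        boolean local = saved instanceof String && ((String) saved).startsWith("/")
                && !((String) saved).startsWith("//") && ((String) saved).indexOf('\\') < 0;
        return request.getContextPath() + (local ? (String) saved : fallback);
    }
}
```

Because the target lives in the session rather than in a hidden form field, the browser never supplies the post-login destination.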





RE: Best way to forward to login,then re-forward to originally requested resource?

2002-05-29 Thread Alex Paransky

Rick,

I recently had a similar problem.  Using J2EE security, I was not sure how
to "detect" a user login.  After all, a user can go into ANY protected page,
and I did not want to put the same tag into EVERY single .JSP page that was
protected.

The solution, at least in my case, came in the form of a filter.  I installed a
filter, which checks every single request to the server.  For each request,
I check to see if the user is authenticated by retrieving the principal.
When I detect that the user has logged in, I perform some action, and note
in the session that this has been done before.

This works for me.

Here is my doFilter code:

final HttpServletRequest request = (HttpServletRequest) req;

// Look up the existing session without creating a new one.
final HttpSession session = request.getSession(false);

// Run the login hook at most once per session.
if (session != null && session.getAttribute(USER_LOGIN_CHECK) == null) {
  final Principal principal = request.getUserPrincipal();

  // A non-null principal means the container has authenticated the user.
  if (principal != null) {
    session.setAttribute(USER_LOGIN_CHECK, Boolean.TRUE);
    action.userLoggedIn(principal.getName(), req, res);
  }
}

chain.doFilter(req, res);

-AP_
http://www.myprofiles.com/member/profile/apara_personal

-Original Message-
From: Rick Mann [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 29, 2002 1:02 AM
To: Struts Users Mailing List
Subject: Re: Best way to forward to login, then re-forward to originally
requested resource?


on 5/28/02 11:59 PM, Adam Hardy at [EMAIL PROTECTED] wrote:

> I would save the form bean and a mapping or action forward in the
> session, and collect them when the in-between task is finished.

Yeah, I was thinking of that, too.

Okay, so here's the struts-specific problem: how do I get the name of the
action in a way that I can use later to generate an ActionForward? If I call
mapping.getPath(), I get the path used in the mapping, but it will be
"outside" of the pattern set up in the deployment descriptor. Typically, it
will not end in ".do".

Right now, I do this:

forward = new ActionForward();
forward.setContextRelative(true);
forward.setPath(originalResource + ".do");

This works, but won't work if the original resource was a .jsp. (I'd like to
put a tag at the top of a JSP to check for a valid login). In fact, it
doesn't work in the general case (say the deployment action servlet mapping
is "/action/*" instead of "*.do").

Perhaps I just don't understand container-managed security well enough. How
can I cause one of my User objects to be created in the session when the
user gets authenticated? As far as what's provided by the server, it just
sets a user name (and principal) available to servlets. I suppose I could
look for the user, and if it's not found, create one based on the result of
isUserInRole() et al., but it just seems less than elegant. I'll post a more
general question to the Tomcat list.


--
Rick







RE: Best way to forward to login,then re-forward to originally requested resource?

2002-05-28 Thread Alex Paransky

Why not use J2EE/WEB standard container authentication?  It will do what you
want.  In fact, it was designed to do what you want, which is called Lazy,
or just in time, authentication.  The user can surf your page, however, when
he links to a protected item, a login page (of your choosing) will be
displayed.  After the user is authenticated, he proceeds to the protected
resource.

-AP_
http://www.myprofiles.com/member/profile/apara_personal

-Original Message-
From: Rick Mann [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 28, 2002 3:53 PM
To: Struts Users Mailing List
Subject: Best way to forward to login, then re-forward to originally
requested resource?


I've got a typical struts application up and running. Certain actions check
to see if the user is logged in, and if not, forward to a login JSP. That
JSP then posts to a LoginAction. The LoginAction then forwards back to the
originally requested action.

The problem I have is that currently, this stuff is really hacked up. The
login JSP has a hidden field indicating the desired action, and the action
has to append a ".do" to that value, etc. The original action puts a request
attribute in (the result of it calling mapping.getPath()).

Surely, there is a much cleaner way to do this, one that works for both
Actions and JSPs, and that works without special code to handle the URL
mapping for actions.

TIA,

--
Rick


