RE: Force login...

2001-11-02 Thread Sobkowski, Andrej

Hello All,

By using a JSP tag to check if the user is logged in, aren't you somehow mixing
logic and presentation? In theory, you should provide a way that is
independent of the fact that you store your user in the session (though
Struts does it that way). Furthermore, you may need to not only check if the
user is logged in, but also if he/she has specific permissions/roles...

My suggestion would be similar to Peter's:
- subclass the Action class with your own with a checkLogon() method that
throws an exception if the user is not logged in (the extension would be
defining a checkAuthorization(auth))
- at the beginning of the main command method of each _Action_ that requires
the user to be logged in, do something like

    public ActionForward perform(...) {
        try {
            checkLogon();

            // Add here business logic if user is logged in
            ...

        } catch (UserNotLoggedException e) {
            // React to user not logged (or not authorized)
            // Probably forward to login page...
        }
    }

What do you think?

Andrej

-Original Message-
From: Peter Pilgrim [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 02, 2001 11:11 AM
To: Struts Users Mailing List
Subject: Re: Force login...




To do it properly you have to:

(1) Write an abstract base class, say `SecureActionBase' that provides security methods
"checkLogon()". Write a default implementation of `checkLogin' that subclassers can
override. If no user is not longer return an action mapping forward that redirects
to the "login". Otherwise let the user continue.

(2) Borrow the `CheckLoginTag' from the Struts example and use it as it is, or modify it.
You put the checklogin tag at the beginning of your JSPs.

(3) Extend the Struts ActionServlet with a custom class for your project that will enable you
to look for instances of `SecureActionBase' and then call the security methods.
Like so:

    protected ActionForward processActionPerform(Action action,
                                                 ActionMapping mapping,
                                                 ActionForm formInstance,
                                                 HttpServletRequest request,
                                                 HttpServletResponse response)
        throws IOException, ServletException
    {
        if ( action instanceof SecureBaseAction ) {
            SecureBaseAction baseAction = (SecureBaseAction)action;
            ...

            if ( baseAction.isSecureAction() ) { // This action needs security

                ActionForward fwd = baseAction.checkUserSecurityAccess(
                    context, mapping, request );
                if ( fwd != null ) {
                    // Redirect to login screen or other warning page
                    return fwd;
                }
                // Otherwise we are authenticated, continue
            }
        }
        ... // pre-process checking you desire

        ActionForward forward = action.perform(mapping, formInstance,
                                               request, response);

        ... // post-process checking you desire
        return forward;
    }


--
Peter Pilgrim ++44 (0)207-545-9923
  //_\\
"Mathematics is essentially the study of islands of  ===
disparate subjects in a sea of ignorance."   || ! ||
Andrew Wiles _


 Message History



From: "Scott Watson" <[EMAIL PROTECTED]> on 02/11/2001 10:44 EST


My apologies for asking something that has probably been asked and
answered before, however, I wasn't able to find the answer in my searches.

How do you force someone to log in before being allowed to access your
application?  It doesn't seem right to code this in each action class.

Is it possible to search the archives for this list like the SERVLET and the
JSP lists?

Thanks
Scott.



--

This e-mail may contain confidential and/or privileged information. If you
are not the intended recipient (or have received this e-mail in error)
please notify the sender immediately and destroy this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.



--
To unsubscribe, e-mail:
<mailto:[EMAIL PROTECTED]>
For additional commands, e-mail:
<mailto:[EMAIL PROTECTED]>



Re: Force login...

2001-11-02 Thread Peter Pilgrim



To do it properly you have to:

(1) Write an abstract base class, say `SecureActionBase' that provides security methods
"checkLogon()". Write a default implementation of `checkLogin' that subclassers can
override. If no user is not longer return an action mapping forward that redirects
to the "login". Otherwise let the user continue.

(2) Borrow the `CheckLoginTag' from the Struts example and use it as it is, or modify it.
You put the checklogin tag at the beginning of your JSPs.

(3) Extend the Struts ActionServlet with a custom class for your project that will enable you
to look for instances of `SecureActionBase' and then call the security methods.
Like so:

    protected ActionForward processActionPerform(Action action,
                                                 ActionMapping mapping,
                                                 ActionForm formInstance,
                                                 HttpServletRequest request,
                                                 HttpServletResponse response)
        throws IOException, ServletException
    {
        if ( action instanceof SecureBaseAction ) {
            SecureBaseAction baseAction = (SecureBaseAction)action;
            ...

            if ( baseAction.isSecureAction() ) { // This action needs security

                ActionForward fwd = baseAction.checkUserSecurityAccess(
                    context, mapping, request );
                if ( fwd != null ) {
                    // Redirect to login screen or other warning page
                    return fwd;
                }
                // Otherwise we are authenticated, continue
            }
        }
        ... // pre-process checking you desire

        ActionForward forward = action.perform(mapping, formInstance,
                                               request, response);

        ... // post-process checking you desire
        return forward;
    }


--
Peter Pilgrim ++44 (0)207-545-9923
  //_\\
"Mathematics is essentially the study of islands of  ===
disparate subjects in a sea of ignorance."   || ! ||
Andrew Wiles _


 Message History 



From: "Scott Watson" <[EMAIL PROTECTED]> on 02/11/2001 10:44 EST


My apologies for asking something that has probably been asked and
answered before, however, I wasn't able to find the answer in my searches.

How do you force someone to log in before being allowed to access your
application?  It doesn't seem right to code this in each action class.

Is it possible to search the archives for this list like the SERVLET and the
JSP lists?

Thanks
Scott.







Re: Force login...

2001-11-02 Thread Martin Samm

A common method is to insert a custom tag on each page that
a) checks the session, say, for a suitable attribute and value
b) presents a login / redirects to login if no such value is found

On Friday 02 Nov 2001 3:44 pm, you wrote:
> My apologies for asking something that has probably been asked and
> answered before, however, I wasn't able to find the answer in my searches.
>
> How do you force someone to log in before being allowed to access your
> application?  It doesn't seem right to code this in each action class.
>
> Is it possible to search the archives for this list like the SERVLET and
> the JSP lists?
>
> Thanks
> Scott.

-- 
Martin Samm MSc, Bsc Hons

http://www.readingroom.com
Winner : Best Business to Business Website 2000-01
(Internet Business Awards sponsored by ntl)

Reading Room Ltd.
77 Dean Street
Soho
London
W1D 3SH
UK

Tel: +44 (0) 20 7734 9499
Fax: +44 (0) 20 7739 4190

The information transmitted is intended only for the person or entity to 
which it is addressed and may contain confidential and/or privileged 
material.  Any review, re-transmission, dissemination or other use of, or 
taking of any action in reliance upon, this information by persons or 
entities other than the intended recipient is prohibited.  If you received 
this in error, please contact the sender and delete the material from any 
computer.






RE: Force login...

2001-11-02 Thread Matt Raible

In my opinion, the best method to use is container-managed authentication.  You
can set this up via your web.xml file and protect your struts action class
(*.do).

http://www.onjava.com/pub/a/onjava/2001/08/06/webform.html

Matt

--- Princeton Lau <[EMAIL PROTECTED]> wrote:
> Scott,
> 
> Check out the Struts sample app, it has two features that could solve your
> problem.  
> 
> Firstly, it has a login form and action.  The sample app checks against an
> XML file for a list of users, but you could code the action to access a
> business object that verifies the username and password.  If the lookup
> fails, then return them to the login page with an error.
> 
> It also has a custom tag, checklogin, to ensure that the user has logged
> in before doing anything.  Just place this tag in your JSPs and if the user
> isn't logged in yet, it will return them to the login page.
> 
> HTH,
> 
> Princeton
> 
> -Original Message-
> From: Scott Watson [mailto:[EMAIL PROTECTED]]
> Sent: Friday, November 02, 2001 8:45 AM
> To: Struts Users Mailing List
> Subject: Force login...
> 
> 
> My apologies for asking something that has probably been asked and
> answered before, however, I wasn't able to find the answer in my searches.
> 
> How do you force someone to log in before being allowed to access your
> application?  It doesn't seem right to code this in each action class.
> 
> Is it possible to search the archives for this list like the SERVLET and the
> JSP lists?
> 
> Thanks
> Scott.
> 
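
The container-managed setup described in the reply above, as an added web.xml example that is not part of the original thread. The role name, realm name and page paths are assumptions; the elements are the standard servlet deployment-descriptor ones and go inside <web-app>.

```xml
<!-- Constructed example: "appuser", "Example realm" and the JSP paths are assumptions. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Struts actions</web-resource-name>
    <!-- Every request mapped to the Struts ActionServlet -->
    <url-pattern>*.do</url-pattern>
    <!-- JSPs requested directly do not match *.do, so cover them too
         (or keep them under /WEB-INF so they are only reachable by forward) -->
    <url-pattern>*.jsp</url-pattern>
    <!-- No <http-method> elements: the constraint then applies to all HTTP
         methods. Listing only GET and POST would leave the others open. -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Only authenticated users in this role get through -->
    <role-name>appuser</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Require a protected transport so credentials and session ids
         are not sent in the clear -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Example realm</realm-name>
  <form-login-config>
    <!-- The login form posts j_username / j_password to j_security_check,
         which the container handles; it is not a Struts action. The container
         serves these two pages itself, so the *.jsp constraint does not block them. -->
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>appuser</role-name>
</security-role>
```

With this in place the container rejects unauthenticated requests before any Action runs, and role checks inside an Action can use request.isUserInRole().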






RE: Force login...

2001-11-02 Thread Princeton Lau

Scott,

Check out the Struts sample app, it has two features that could solve your
problem.  

Firstly, it has a login form and action.  The sample app checks against an
XML file for a list of users, but you could code the action to access a
business object that verifies the username and password.  If the lookup
fails, then return them to the login page with an error.

It also has a custom tag, checklogin, to ensure that the user has logged
in before doing anything.  Just place this tag in your JSPs and if the user
isn't logged in yet, it will return them to the login page.

HTH,

Princeton

-Original Message-
From: Scott Watson [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 02, 2001 8:45 AM
To: Struts Users Mailing List
Subject: Force login...


My apologies for asking something that has probably been asked and
answered before, however, I wasn't able to find the answer in my searches.

How do you force someone to log in before being allowed to access your
application?  It doesn't seem right to code this in each action class.

Is it possible to search the archives for this list like the SERVLET and the
JSP lists?

Thanks
Scott.

