Shiraz Wasim Zaidi wrote:
> Hi!,
>
> I have just started working with the struts framework and like it a lot.
> I have a question about idletimeout handling. The only way i can handle it
> now is to do an idle timeout check at the start of perform method of my
> action classes.
> I cannot rely on getSession(false) check as i wont get a null session in
> case i have a
> session scoped form asscoiated with the mapping. I can check for some
> attribute say user
> profile that i bind to the session in the Authenticating action class.
>
Even if the controller servlet calls getSession() for you (as it does when you
have a session-scoped ActionForm bean), it is still quite easy to check for
expired sessions.
When you initially log a user on, store an object specific to that user in the
session (the Struts example application stores an instance of the User class).
Then, if a new session got created for you, this object will be missing -- so
you can easily detect that this happened.
If you want such a check on every single request sent to the controller servlet,
you might consider subclassing the controller servlet and adding your own custom
check at the appropriate point.
> Is there someother way idle timeouts can be handled then doing it repeatedly
> in almost every action class?
>
Don't forget to check in your JSP pages as well -- in case the user bookmarks a
page and then returns to it directly, rather than through the controller
servlet.
The Struts example application includes an application-specific custom tag
(<app:checkLogon>) that makes exactly this sort of a check.
>
> Appreciate any response.
>
A completely different approach is to use container-managed security, as
described in the Servlet API Specification
<http://java.sun.com/products/servlet/download.html>. Here, you are relying on
the servlet container to manage user logon, so that you do not have to check
anything on a per-request basis.
>
> Thanks,
> Shiraz
Craig McClanahan
