Hi All,

The best way to check if a user is logged in is to use what's provided for
free by your web container. If you are using Tomcat you can use FORM based
auth. Check the Sun specs for details.

Depending on your web container and your needs you may also have to manually
check that the user is logged in; if, for example, you wish to address the
user with their first name and configure your interactions with them based
upon their preferences. In this case you would use something similar to the tag
below on your secure pages and use the username to look up the user details.
If you have a large number of users the fastest way to look up their details
is via LDAP. Your average site can get away with a database.

Jon Ridgway
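
Container-managed FORM authentication as described above, shown as a Servlet 2.3 `web.xml` fragment. This is an added example, not part of the original message; the `/secure/*` pattern, the `user` role and the two login page paths are assumptions.

```xml
<!-- Added example: fragment of WEB-INF/web.xml (Servlet 2.3 element order).
     Paths and the role name are assumptions, not taken from the thread. -->

<!-- The container checks every client request matching the pattern
     before any JSP or Struts action runs, so no per-page tag is needed
     just to enforce login. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secure pages</web-resource-name>
    <!-- Constraints match the request URL, so action URLs that must be
         protected have to fall under this pattern as well. No http-method
         element is listed, which covers every HTTP method. -->
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <!-- Both pages sit outside /secure/*. The login form posts the
         fields j_username and j_password to the action j_security_check. -->
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>
```

Once the container has authenticated the request, `request.getRemoteUser()` returns the username that the details lookup mentioned above can key on.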

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: 06 December 2001 06:58
To: Struts Users Mailing List
Subject: Re: AW: Want to check user is logged in every page server

Hi

I have used some code similar to your example.  Now a couple of questions

1.  How hard is it for someone to fake a session?  Does Tomcat keep 
inside it a valid list of all current sessions, and if a fake one turns 
up it throws an exception?
2.  Is there any point in checking in a database or somewhere to check 
to see if the user is currently logged on?   Where else could it 
possibly check if database access is too slow or a big overhead (or is 
it? Can it check a Java server somewhere, perhaps?)
3.  Is this the best way to do things from a security point of view? 
What security issues are there?


Cheers

Tony

Mooslechner Martin wrote:

> You can do this with a custom tag
> 
> <custom:checkLogonTag/>
> 
> of course you also need to implement this tag.
> this is what actually does the job:
> public int doEndTag() throws JspException {
> 
>       // Is there a valid user logged on?
>       boolean valid = false;
>       HttpSession session = pageContext.getSession();
>       if ((session != null) && (session.getAttribute(name) != null))
>           valid = true;
> 
>       // Forward control based on the results
>       if (valid)
>           return (EVAL_PAGE);
>       else {
>           try {
>               pageContext.forward(page);
>           } catch (Exception e) {
>               throw new JspException(e.toString());
>           }
>           return (SKIP_PAGE);
>       }
> 
>     }
> 
> Take a look at the example Mailserver application that comes with Struts.
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 20 November 2001 10:42
> To: Struts Users Mailing List
> Subject: Want to check user is logged in every page server
> 
> 
> Hi
> 
> Every time a page is served from my Struts application, I want to check 
> to make sure the user is logged in.  If they are not then I want to send 
> them to the login screen.  What is the best way to go about this using 
> Struts?
> 
> Cheers
> 
> Tony
> 
> 
> --
> To unsubscribe, e-mail:
> <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail:
> <mailto:[EMAIL PROTECTED]>
> 