That sounds like a good idea to me....so, this Authentication Filter is sort of like a "servlet firewall"?
Hmmm...so you implement javax.servlet.Filter such that an unauthenticated user is routed to a login page, and after login the assigned session ids are then stored in the servlet context for subsequent authentications. Then I suppose you configure the filter (in the deployment descriptor) for the Struts controller servlet and any other non-Struts servlets or resources you may have and wish to enforce authentication on. Neat. Are there any "gotchas" for Struts or other frameworks when using Filters?

--joe

-----Original Message-----
From: Sean Willson [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 11, 2002 5:53 PM
To: Struts Users Mailing List
Subject: Re: Session management in Struts

We accomplished this by writing an Authentication Filter that sits in front of all requests to the servlet container. The problem with putting it in a Struts Action and then subclassing that (which we did do at one time) is that you can only then protect things going through Struts. Which in itself isn't a problem IF that's the only framework you plan on using to route eventing in your web application. If however you have other needs I recommend looking into writing a filter. You can do anything from creation of a session, setting session/request and accessing application scoped variables from within the filter itself.

Sean

----- Original Message -----
From: "Mark Glass" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
Sent: Monday, March 11, 2002 3:07 PM
Subject: Session management in Struts

I'm developing a web application in Struts that requires a user to have a session before they can use the application. Currently anyone can bypass the logon and use the application. I would like the user to be required to login first. I am saving the user info to session when the user logs in and testing the session for this attribute before allowing them to use the functionality, however this does not work.
Can anyone point me to a paper or tutorial or example which will show me how to do this properly?

Thanks much in advance,
Mark

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
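
Added example, not part of the original thread and not the posters' code: a minimal javax.servlet.Filter of the kind discussed above, which checks the session for the logged-in user attribute and sends everything else to the login page. The class name, the "user" attribute name and the /login.jsp and /logon.do paths are assumptions made for illustration.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example, not code from the thread. Assumed names: the "user" session
// attribute set by the logon action, and the /login.jsp and /logon.do paths.
// Map it to every request in web.xml so non-Struts resources are covered too:
//   <filter><filter-name>auth</filter-name>
//     <filter-class>AuthenticationFilter</filter-class></filter>
//   <filter-mapping><filter-name>auth</filter-name>
//     <url-pattern>/*</url-pattern></filter-mapping>
public class AuthenticationFilter implements Filter {
    private static final String USER_ATTR = "user";
    private static final String LOGIN_PAGE = "/login.jsp";
    // Only these exact paths are reachable without a logged-in session.
    private static final Set<String> PUBLIC_PATHS =
            new HashSet<>(Arrays.asList(LOGIN_PAGE, "/logon.do"));

    public void init(FilterConfig config) {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path inside the web application, context path excluded.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }

        // getSession(false): never create a session for an anonymous request.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;

        if (loggedIn || PUBLIC_PATHS.contains(path)) {
            chain.doFilter(req, res);
            return;
        }
        // Fail closed: any other request is redirected to the login page.
        response.sendRedirect(
                response.encodeRedirectURL(request.getContextPath() + LOGIN_PAGE));
    }

    public void destroy() {}
}
```

The logon action is assumed to set the "user" attribute only after the credentials have been verified; the filter trusts that attribute and nothing else.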