You could also consider a servlet filter, to prevent the user from even
getting to the RequestProcessor in the first place:

Javadoc:
http://java.sun.com/j2ee/sdk_1.3/techdocs/api/javax/servlet/Filter.html



-----Original Message-----
From: Jamal Najmi [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, February 13, 2003 7:51 PM
To: [EMAIL PROTECTED]
Subject: blocking unauthorized users



I have overridden the method RequestProcessor.processPreprocess() in order
to block users trying to access the website resources I am developing
without logging in.

This is how I have done it:

protected boolean processPreprocess(HttpServletRequest request,
                                    HttpServletResponse response) {

    System.out.println("Preprocess");

    boolean continueProcessing = true;
    // getSession(false) returns null instead of creating a new session
    HttpSession session = request.getSession(false);

    // Let the login request itself through (this is the check that can be
    // bypassed by adding submit=Login to any URL, as described below)
    String loginParamValue = request.getParameter("submit");
    if ("Login".equals(loginParamValue)) {
        System.out.println("Logging in");
        continueProcessing = true;
    }
    else if (session == null) {
        System.out.println("session null");
        continueProcessing = false;
    }
    // The user info bean is only put in the session after a successful login
    else if (session.getAttribute(Globals.USER_INFO_BEAN) == null) {
        System.out.println("User bean not available");
        continueProcessing = false;
    }

    if (!continueProcessing) {
        // Redirect to the global "unauthorized" forward and stop processing
        ForwardConfig forward = appConfig.findForwardConfig("unauthorized");
        try {
            response.sendRedirect(forward.getPath());
        }
        catch (Exception ex) {
            System.out.println("Ex: " + ex.getMessage());
        }
    }

    return continueProcessing;
}

I had to write the first "if" statement so that the user trying to log in
could at least pass through.  In the absence of it no one will ever be able to
pass through, since either the session object will be null or the user info
bean will not be present in the session object.  The user info bean gets created
and set after a user is successfully authenticated by the system.

Now the problem with this approach is that a smart user can still get to a
secure page by passing the submit parameter along with the URL as follows:

http://localhost:8080/sci-dam/manageUsers.do?submit=Login

Obviously the technique I am using is not secure at all.

I would like to get your opinion on what some of the methods are that I can
use with the combination of Struts, Tomcat and Apache to secure a website on
the Internet.   

This is my first time implementing security on a website.

I will really appreciate any help I can get. 

Jamal

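The servlet-filter approach the reply suggests, written out as an added example (my illustration, not code from either poster): a Filter registered in web.xml that checks the session before any Struts action runs, and lets the login action through by request path rather than by a parameter the client can append to any URL. The session attribute name, the login path and the filter mapping are assumptions.

```java
// Added example: a servlet filter that stops unauthenticated requests before
// they reach the Struts RequestProcessor (Servlet 2.3 API, as in the Javadoc link).
// Assumed: the login action lives at /login.do and a successful login stores a
// bean under the session attribute "userInfoBean" (both names are made up here).
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class AuthenticationFilter implements Filter {
    private static final String USER_BEAN_KEY = "userInfoBean"; // assumed attribute name
    private static final String LOGIN_PATH = "/login.do";       // assumed login action

    public void init(FilterConfig config) throws ServletException {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Allow only the login action itself to bypass the check, matched on
        // the request path; a request parameter such as submit=Login is
        // client-controlled and must not influence the decision.
        if (LOGIN_PATH.equals(request.getServletPath())) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false) never creates a session; no session or no user
        // bean in the session both mean "not authenticated".
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_BEAN_KEY) == null) {
            response.sendRedirect(request.getContextPath() + LOGIN_PATH);
            return;
        }
        chain.doFilter(req, res);
    }
}

/* Assumed web.xml registration so the filter runs for every request:
 *   <filter>
 *     <filter-name>authFilter</filter-name>
 *     <filter-class>AuthenticationFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>authFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
```

Because the filter runs before the ActionServlet, there is no need to touch RequestProcessor at all, and the only way past it is through the login action.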