I'm not an expert on security but as I understand it, you have two choices. You
can either implement "container managed security" - where the servlet
container controls logging on and ensures that only authenticated users can
have access to the resources you specify - or you can control it yourself
within your application.

It sounds to me like you're asking about the second. Typically when your
application controls security, you place something in the user's session
when the user "logs on" to indicate that they have done so. Then in your
"Action" classes you check the session to see if they have logged on - if
not you forward them to the "logon" screen. If your JSPs are available you
also need to protect them - the Struts sample used to have a tag (haven't
looked at it recently) which did the same kind of check. Alternatively you
could "hide" your JSPs in the "WEB-INF" folder so that the user can't access
them directly and you don't need to do the JSP check.

The generally accepted view though is that it is better to choose the first
option - container managed security. If you use Tomcat, have a look at the
web.xml file for the Tomcat "admin" application (in Tomcat 4.1 it's in the
\server\webapps\admin\WEB-INF folder). The admin app is actually a Struts
application. The <security-constraint>, <login-config> and <security-role>
sections are what control container managed security for that app.

Tomcat "Admin" app web.xml:

http://cvs.apache.org/viewcvs.cgi/jakarta-tomcat-catalina/webapps/admin/WEB-INF/web.xml?rev=1.8&view=auto

Niall
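For readers who want to see what the three web.xml sections Niall mentions look like together, here is an added example of a container managed security configuration. It is not the Tomcat admin app's web.xml and not from the original thread; the role name "user", the URL patterns and the page names are assumptions.

```xml
<!-- Added example, not the Tomcat admin app's web.xml. Role name, URL
     patterns and page names are assumptions for illustration. -->

<!-- 1. Which URLs are protected, and which role may reach them. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Application actions and pages</web-resource-name>
    <url-pattern>*.do</url-pattern>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Only authenticated users holding this role get through. -->
    <role-name>user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Require HTTPS so the logon form and session cookie are not sent in clear. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- 2. How the container asks for credentials: a form-based logon. -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Example Realm</realm-name>
  <form-login-config>
    <form-login-page>/logon.jsp</form-login-page>
    <form-error-page>/logonError.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- 3. Declare every role referenced in an auth-constraint. -->
<security-role>
  <role-name>user</role-name>
</security-role>
```

With FORM authentication the container intercepts the first request to a protected URL, shows /logon.jsp, and expects that page to post fields named j_username and j_password to the action j_security_check; on success it replays the original request. The application code never sees the credentials. Which users exist and which roles they hold comes from the Realm configured in Tomcat's server.xml, not from web.xml, and any JSP you keep under WEB-INF stays unreachable by direct URL regardless of these constraints.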

----- Original Message ----- 
From: "hhlow" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
Sent: Monday, February 16, 2004 2:45 AM
Subject: Session Validation


> Hi,
>
> I am sorry if this question has been asked before.
> How can I check session validation, to check whether the user is
> authenticated on each page?
> I read somewhere about Filters
> but I still do not know how to implement it.
>
> Currently I use a LoginAction to check the user details against the
> database and then do the appropriate forwarding.
>
> Thank you
> Clement
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
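Clement asked above how the Filter approach is implemented, and Niall describes the session check it performs. The following is an added example of such a Filter for the Servlet 2.3 API (the level Tomcat 4.x supports); it is not code from the thread or from Struts. It assumes that LoginAction stores the logged-on user under the session attribute name "user" and that the logon page is /logon.jsp; both names are hypothetical.

```java
// Added example, not from the original thread or from Struts.
// Assumed: LoginAction stores the user object under the session attribute
// "user" after a successful logon, and /logon.jsp is the logon screen.
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import java.util.StringTokenizer;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class AuthenticationFilter implements Filter {

    // Session attribute set by LoginAction on success (hypothetical name).
    static final String USER_KEY = "user";

    private String logonPage = "/logon.jsp";
    // Paths reachable without a logon: the logon page itself and the action
    // that processes it. Without these exemptions nobody could ever log on.
    private final Set publicPaths = new HashSet();

    public void init(FilterConfig config) throws ServletException {
        String page = config.getInitParameter("logonPage");
        if (page != null) {
            logonPage = page;
        }
        publicPaths.add(logonPage);
        String extra = config.getInitParameter("publicPaths"); // comma separated
        if (extra != null) {
            for (StringTokenizer t = new StringTokenizer(extra, ","); t.hasMoreTokens();) {
                publicPaths.add(t.nextToken().trim());
            }
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (publicPaths.contains(request.getServletPath())) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false) never creates a session for an anonymous request,
        // so unauthenticated hits do not consume server memory.
        HttpSession session = request.getSession(false);
        boolean loggedOn = session != null && session.getAttribute(USER_KEY) != null;

        if (!loggedOn) {
            // Redirect rather than forward: the browser ends up on the logon
            // URL, and the protected resource is never executed.
            response.sendRedirect(request.getContextPath() + logonPage);
            return;
        }

        chain.doFilter(req, res);
    }

    public void destroy() {
        publicPaths.clear();
    }
}
```

Register it in web.xml with a `<filter>` element and `<filter-mapping>` entries for `*.do` and `*.jsp` (or `/*`), passing the Struts logon action, for example `/logon.do`, in the `publicPaths` init parameter. Two points worth checking in the LoginAction that sets the "user" attribute: invalidate any session that existed before the logon and start a fresh one before storing the marker, so a session identifier handed to the browser while anonymous is not promoted to an authenticated one, and remove the attribute (or invalidate the session) on logout so the check above fails again.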