Main problem with CMA is that its configuration is container dependent. If your writing an app that needs to be deployed straight to many different containers CMA can be troublesome. btw: if you are doing your own session based security - dont - put check tags in the JSP. Follow Niall's suggestion and hide them under WEB-INF and go through actions to get to them. You can put security checks for the session object in a filter, or if under servlet 2.2 you could override the request processor to do it.
If you only need to run on one particular appserver at any moment, then CMA is the way to go unless your requirements are really wierd. Struts ActionMappings support specifying roles required for actions, and (unless you override the RP) this only works with CMA. -----Original Message----- From: Niall Pemberton [mailto:[EMAIL PROTECTED] Sent: Monday, 16 February 2004 12:06 To: Struts Users Mailing List; hhlow Subject: Re: Session Validation I'm not an expert on security but as I understand you have two choices. You can either implement "container managed security" - where the servlet container controls logging on and ensures that only authenticated users can have access to the resources you specify OR you can control it yourself within your application. It sounds to me like your asking about the second. Typically when your application controls security, you place something in the User's Session when the user "logs on" to indicate that they have done so. Then in your "Action" classes you check the session to see if they have logged on - if not you forward them to the "logon" screen. If your jsp's are available you also need to protect them - the struts sample used to have a tag (haven't looked at it recently) which did the same kind of check. Alternatively you could "hide" your jsps in the "WEB-INF" folder so that the user can't access them directly and you don't need to do the jsp check. The generally accepted view though is that it is better to choose the first option - container managed security. If you use Tomcat, have a look at the web.xml file for the Tomcat "admin" application (In Tomcat 4.1 its in the \server\webapps\admin\WEB-INF folder). The admin app is actually a Struts application. The <security-constraint>, <login-config> and <security-role> sections are what controls container managed security for that app. Tomcat "Admin" app web.xml: http://cvs.apache.org/viewcvs.cgi/jakarta-tomcat-catalina/webapps/admin/WEB- INF/web.xml?rev=1.8&view=auto Niall ----- Original Message ----- From: "hhlow" <[EMAIL PROTECTED]> To: "Struts Users Mailing List" <[EMAIL PROTECTED]> Sent: Monday, February 16, 2004 2:45 AM Subject: Session Validation > Hi, > > I am sorry if this question have been asked before. > How can i check session validation? to check whether if the user is > authenticated on each page. > I read somewhere about Filters > but i still do not know how to implement it. > > Currently I use a LoginAction to check the user details against the database > and then do the appropriate forwarding. > > Thank you > Clement > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
