Main problem with CMA is that its configuration is container dependent. If
you're writing an app that needs to be deployed straight to many different
containers, CMA can be troublesome.
btw: if you are doing your own session-based security - don't - put check
tags in the JSP. Follow Niall's suggestion and hide them under WEB-INF and
go through actions to get to them.
You can put security checks for the session object in a filter, or if under
servlet 2.2 you could override the request processor to do it.

If you only need to run on one particular appserver at any moment, then CMA
is the way to go unless your requirements are really weird. Struts
ActionMappings support specifying roles required for actions, and (unless
you override the RP) this only works with CMA.

-----Original Message-----
From: Niall Pemberton [mailto:[EMAIL PROTECTED]
Sent: Monday, 16 February 2004 12:06
To: Struts Users Mailing List; hhlow
Subject: Re: Session Validation


I'm not an expert on security but as I understand you have two choices. You
can either implement "container managed security" - where the servlet
container controls logging on and ensures that only authenticated users can
have access to the resources you specify OR you can control it yourself
within your application.

It sounds to me like you're asking about the second. Typically when your
application controls security, you place something in the User's Session
when the user "logs on" to indicate that they have done so. Then in your
"Action" classes you check the session to see if they have logged on - if
not you forward them to the "logon" screen. If your JSPs are available you
also need to protect them - the struts sample used to have a tag (haven't
looked at it recently) which did the same kind of check. Alternatively you
could "hide" your JSPs in the "WEB-INF" folder so that the user can't access
them directly and you don't need to do the JSP check.

The generally accepted view though is that it is better to choose the first
option - container managed security. If you use Tomcat, have a look at the
web.xml file for the Tomcat "admin" application (in Tomcat 4.1 it's in the
\server\webapps\admin\WEB-INF folder). The admin app is actually a Struts
application. The <security-constraint>, <login-config> and <security-role>
sections are what control container managed security for that app.

Tomcat "Admin" app web.xml:

http://cvs.apache.org/viewcvs.cgi/jakarta-tomcat-catalina/webapps/admin/WEB-INF/web.xml?rev=1.8&view=auto

Niall

----- Original Message -----
From: "hhlow" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
Sent: Monday, February 16, 2004 2:45 AM
Subject: Session Validation


> Hi,
>
> I am sorry if this question has been asked before.
> How can I check session validation? To check whether the user is
> authenticated on each page.
> I read somewhere about Filters
> but I still do not know how to implement it.
>
> Currently I use a LoginAction to check the user details against the
> database
> and then do the appropriate forwarding.
>
> Thank you
> Clement
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
