The simplest solution is probably just to use
HttpServletRequest.isRequestedSessionIdValid(). If it's valid, carry on, if
not, forward to your login page. Note that
HttpServletRequest.isRequestedSessionIdValid() will return "false" when
HttpSession.isNew() returns "true"...

// inside doFilter(); request has already been cast to HttpServletRequest
if (request.isRequestedSessionIdValid()) {
  // the client presented a session id the container still knows: carry on
  chain.doFilter(request, response);
} else {
  // no valid session: hand the request to the login page (this.dispatchPath)
  RequestDispatcher dispatcher = request.getRequestDispatcher(this.dispatchPath);
  dispatcher.forward(request, response);
}

Of course, form-based authentication should also handle that for you...

Quoting Dakota Jack <[EMAIL PROTECTED]>:

> Hello, Amleto,
> 
> I am not looking to create a timeout but to detect a session
> expiration, so that the user can be redirected to a page.  I am not,
> that is, looking to get rid of people but looking to help people that
> have their session expired.
> 
> Jack
> 
> 
> On Thu, 20 Jan 2005 17:42:55 +0100, Amleto Di Salle
> <[EMAIL PROTECTED]> wrote:
> > You can do this using request.getSession( false ) (false doesn't create
> > the session) and use the following tag in web.xml.
> > 
> > <session-config>
> > <session-timeout>30</session-timeout>
> > </session-config>
> > The 30 is in minutes.
> > 
> > You can set the session-timeout also in the web container (see tomcat
> > documentation).
> > 
> > BR
> > /Amleto
> > 
> > > -----Original Message-----
> > > From: Dakota Jack [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, 20 January 2005 17.08
> > > To: Struts Users Mailing List
> > > Subject: Re: Session Strategy (here's a filter)
> > >
> > >
> > > I was looking for a filter that detected sessions that had
> > > expired and rerouted the request to a login or other appropriate page.
> > >
> > > Jack
> > >
> > >
> > > On Thu, 20 Jan 2005 10:53:09 -0500,
> > > [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > > > Here's the filter I use.  It contains some logging that you can choose
> > > > to ignore and I also set some session attributes that I use for
> > > > navigation AFTER the re-login, to get the user back to the page they
> > > > were on or as near as possible, given only their first/last name and
> > > > password.  I also included the configuration I added to my web.xml
> > > > file to activate the filter for all actions beginning with "/secure/".
> > > > Then, I added "/secure/" to all actions that should use the filter.  I
> > > > did this for all actions except the following, for which it would have
> > > > introduced a pretty obvious logic error: login, register, and an
> > > > action I use to direct the user back to the page they were on before
> > > > the timeout.
> > > >
> > > > Here's the filter
> > > >
> > > > **********************************************************************
> > > >
> > > > /**********************************************************************
> > > >  *
> > > >  * This class provides a servlet filter to ensure that each request is
> > > >  * coming from an authenticated user.  It also logs each servlet
> > > >  * invocation.
> > > >  *
> > > >  **********************************************************************/
> > > > package schs82;
> > > >
> > > > import java.util.*;
> > > > import javax.servlet.*;
> > > > import javax.servlet.http.*;
> > > > import org.apache.struts.action.*;
> > > > import org.apache.commons.logging.Log;
> > > > import org.apache.commons.logging.LogFactory;
> > > > import java.text.DateFormat;
> > > > import schs82.*;
> > > >
> > > > public final class AuthenticationFilter implements Filter {
> > > >
> > > >     private Log logger;
> > > >
> > > >     public void init(javax.servlet.FilterConfig filterConfig)
> > > >                 throws javax.servlet.ServletException {
> > > >
> > > >         logger = LogFactory.getLog("SCHS82");
> > > >     }
> > > >
> > > >     public void doFilter(javax.servlet.ServletRequest request,
> > > >                          javax.servlet.ServletResponse response,
> > > >                          javax.servlet.FilterChain filterChain)
> > > >                 throws java.io.IOException, javax.servlet.ServletException {
> > > >
> > > >         HttpServletRequest  req  = (HttpServletRequest)request;
> > > >         HttpServletResponse resp = (HttpServletResponse)response;
> > > >
> > > >         HttpSession session = req.getSession();
> > > >         String firstName = (String)session.getAttribute("firstName");
> > > >         String lastName  = (String)session.getAttribute("lastName");
> > > >         String password  = (String)session.getAttribute("password");
> > > >         String currentAction = req.getRequestURI();
> > > >         session.setAttribute("currentAction", currentAction);
> > > >         session.setAttribute("currentActionDisposition", "");
> > > >         session.setAttribute("currentActionMessage", "");
> > > >
> > > >         if (logger.isInfoEnabled()) {
> > > >             // log each servlet invoked, date/time and user who invoked
> > > >             GregorianCalendar calendar = new GregorianCalendar();
> > > >             java.util.Date dateTime = calendar.getTime();
> > > >             DateFormat format =
> > > >                 DateFormat.getDateTimeInstance(DateFormat.MEDIUM, DateFormat.LONG);
> > > >             String now = format.format(dateTime);
> > > >
> > > >             logger.info(" " + now
> > > >                       + " User: " + firstName
> > > >                       + " "       + lastName
> > > >                       + ", Servlet: " + currentAction);
> > > >         }
> > > >
> > > >         if (session.isNew()) {
> > > >             // session timed-out
> > > >             session.setAttribute("currentActionDisposition", "sessionTimeout");
> > > >             session.setAttribute("currentActionMessage", "You were inactive" +
> > > >                                  " too long, so you must login again! Please" +
> > > >                                  " click on the button below to go to the" +
> > > >                                  " login page.");
> > > >
> > > >             resp.sendRedirect("/schs82/BuildActionResultViewAction.do");
> > > >         }
> > > >         else if (firstName == null || lastName == null || password == null) {
> > > >             if (logger.isInfoEnabled()) {
> > > >                 logger.info("NON-AUTHENTICATED USER ATTEMPTED TO ACCESS SCHS82 "
> > > >                           + "APPLICATION! (Session attributes = Null)");
> > > >             }
> > > >             session.setAttribute("currentActionDisposition", "systemError");
> > > >             session.setAttribute("currentActionMessage", "You have accessed" +
> > > >                                  " SCHS82.com in a non-authorized way. Please" +
> > > >                                  " click on the button below to go to the" +
> > > >                                  " login page.");
> > > >
> > > >             resp.sendRedirect("/schs82/BuildActionResultViewAction.do");
> > > >         }
> > > >         else {
> > > >             //authenticate user
> > > >             User user = new User();
> > > >             user.setFirstName(firstName);
> > > >             user.setLastName(lastName);
> > > >             user.setPassword(password);
> > > >             if (user.checkAuthorization()) {
> > > >                 //user is authentic
> > > >                 filterChain.doFilter(request, response);
> > > >             }
> > > >             else {
> > > >                 //user is NOT authentic
> > > >                 if (logger.isInfoEnabled()) {
> > > >                     logger.info("NON-AUTHENTICATED USER ATTEMPTED TO ACCESS "
> > > >                             + "SCHS82 APPLICATION! (Invalid name or password)");
> > > >                 }
> > > >                 session.setAttribute("currentActionDisposition", "systemError");
> > > >                 session.setAttribute("currentActionMessage", "You have accessed" +
> > > >                                      " SCHS82.com in a non-authorized way. Please" +
> > > >                                      " click on the button below to go to the" +
> > > >                                      " login page.");
> > > >
> > > >                 resp.sendRedirect("/schs82/BuildActionResultViewAction.do");
> > > >             }
> > > >         }
> > > >     }
> > > >
> > > >     public void destroy() {}
> > > > }
> > > >
> > > > And this must be added to web.xml
> > > >
> > > > **********************************************************************
> > > >
> > > >   <filter>
> > > >     <filter-name>AuthenticationFilter</filter-name>
> > > >     <filter-class>schs82.AuthenticationFilter</filter-class>
> > > >   </filter>
> > > >
> > > >   <filter-mapping>
> > > >     <filter-name>AuthenticationFilter</filter-name>
> > > >     <url-pattern>/secure/*</url-pattern>
> > > >   </filter-mapping>
> > > >
> > > > Dakota Jack <[EMAIL PROTECTED]>
> > > > 01/20/2005 09:53 AM
> > > > Please respond to "Struts Users Mailing List"
> > > >
> > > >         To:     Struts Users Mailing List <user@struts.apache.org>,
> > > > [EMAIL PROTECTED]
> > > >         cc:
> > > >         Subject:        Re: Session Strategy
> > > >
> > > > I am also too lazy to make a filter!  LOL  ;-)  Anyone have one of
> > > > these in their toolbox they would like to share?
> > > >
> > > > Jack
> > > >
> > > > On Thu, 20 Jan 2005 12:49:41 +0800, Andrew Hill
> > > > <[EMAIL PROTECTED]> wrote:
> > > > > I'd support the filter suggestion, though for myself I generally do
> > > > > the check in the RequestProcessor, as I've usually overridden it to
> > > > > perform other evil anyhow, and I'm lazy to make a filter.
> > > > >
> > > > > If you don't keep your JSP under WEB-INF (IMHO that's where they
> > > > > belong because they are 'code & config', just like your
> > > > > classes, jars, and struts-config.xml and tlds) then you should
> > > > > declare some sort of security constraint so they can only be reached
> > > > > by a server side forward from their respective preparation action.
> > > > >
> > > > >
> > > > > Frank W. Zammetti wrote:
> > > > >
> > > > > > If the user clicks a button, you are either going to (a) go directly to
> > > > > > a JSP, which is generally not a good idea in a Struts-based application
> > > > > > anyway (or any servlet-based application for that matter) or (b)
> > > > > > go to an Action, as you probably should be doing.  In either case,
> > > > > > choice 1 is what I would do personally.  Putting things under WEB-INF
> > > > > > as David suggests works great, but it just feels kind of wrong to me.
> > > > > >
> > > > > > You'll also want to call some common code from all your Actions
> > > > > > that does the same basic check and forwards immediately to your
> > > > > > "logon again" page.  I do this by means of an ActionHelpers class that
> > > > > > has two static methods, start() and finish() that are called, as I'm
> > > > > > sure you could guess, at the start and end of all my Actions.  They do
> > > > > > some common tasks, including this check.
> > > > > >
> > > > > > If you want a real solution though, externalize your security
> > > > > > using something like Netegrity Siteminder.  It will deal with this
> > > > > > situation for you, in a theoretically more secure fashion than you
> > > > > > could probably do on your own.
> > > > > >
> > > > > > Yet another idea is a filter that will check if a session is alive
> > > > > > and redirect as appropriate.  This I believe can work no matter
> > > > > > what your request is to (Action or JSP directly), or any other
> > > > > > resource, assuming the app server serves everything.
> > > > > >
> > > > >
> > > > >
> > > > > ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > > >
> > > > >
> > > >
> > > > --
> > > > ------------------------------
> > > >
> > > > "You can lead a horse to water but you cannot make it float on its
> > > > back."
> > > >
> > > > ~Dakota Jack~
> > > >
> > > > "You can't wake a person who is pretending to be asleep."
> > > >
> > > > ~Native Proverb~
> > > >
> > > > "Each man is good in His sight. It is not necessary for eagles to be
> > > > crows."
> > > >
> > > > ~Hunkesni (Sitting Bull), Hunkpapa Sioux~
> > > >
> > > > -----------------------------------------------
> > > >
> > > > "This message may contain confidential and/or privileged information.
> > > > If you are not the addressee or authorized to receive this for the
> > > > addressee, you must not use, copy, disclose, or take any action based
> > > > on this message or any information herein. If you have received this
> > > > message in error, please advise the sender immediately by reply e-mail
> > > > and delete this message. Thank you for your cooperation."
> > > >
> > > >
> > >
> > > --
> > > No virus found in this incoming message.
> > > Checked by AVG Anti-Virus.
> > > Version: 7.0.300 / Virus Database: 265.7.0 - Release Date: 17/01/2005
> > >
> > >
> > 
> > 
> > 
> 
> 

-- 
Kris Schneider <mailto:[EMAIL PROTECTED]>
D.O.Tech       <http://www.dotech.com/>
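Added example, not code from this thread or from any of its posters: a filter that combines the isRequestedSessionIdValid() check from the reply above with the getSession(false) advice quoted below it, so that an expired session is told apart from a visitor who never logged in, and the password is never kept in the session. The login page path, the "loginPath" init-param and the "user" session attribute are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public final class SessionExpiryFilter implements Filter {

    // Login page path, read from the filter's init-param; the default is assumed.
    private String loginPath;

    public void init(FilterConfig config) throws ServletException {
        loginPath = config.getInitParameter("loginPath");
        if (loginPath == null) {
            loginPath = "/login.jsp";
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // getSession(false) never creates a session, so the filter itself
        // cannot turn an expired visit into a "new" session.
        HttpSession session = req.getSession(false);

        if (session == null || !req.isRequestedSessionIdValid()) {
            // An id that was sent but is no longer known to the container
            // means the session expired; no id at all means the user never
            // logged in. Tell the login page which case it is.
            String reason = (req.getRequestedSessionId() != null) ? "expired" : "none";
            resp.sendRedirect(req.getContextPath() + loginPath + "?reason=" + reason);
            return;
        }

        // A live session is not the same as a logged-in one: require the
        // identity the login action stored (assumed attribute name "user").
        // Only the identity is kept in the session, never the password.
        if (session.getAttribute("user") == null) {
            resp.sendRedirect(req.getContextPath() + loginPath + "?reason=login");
            return;
        }

        chain.doFilter(request, response);
    }

    public void destroy() {}
}
```

Map it in web.xml the same way the quoted AuthenticationFilter is mapped, on a url-pattern such as /secure/*, and leave the login and register actions outside that pattern.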
