Thanks for the detailed reply, i fear we don't know much about Spring frame work but can use the approach for our application
other suggestions are also most welcomed On Mon, Dec 15, 2008 at 5:26 PM, Fogleson, Allen < allen.fogle...@daugherty.com> wrote: > We have a similar system of application security. What we do is create > session scoped user object in our spring application.xml, then use a servlet > filter to see if the user is there. The servlet filter redirects to > login.action if the user is attempting to access a protected resource. Here > are some snippets... > > Application.xml > > <bean id="user" class="com.company.entities.User" scope="session" /> > > User.java > .. > Just a standard user kind of thing.. username, password, first, last, etc. > > Login.java (mapped to /login.action) > /** > * Check the passed in username and password. If a user exists then > forward > * based on role, otherwise forward to the error (login) page. > */ > public String executeAction() throws Exception { > if ((this.getUser() == null || this.getUser().getUsername() == null) && > (userName != null && userName.trim().length() > 0 && password != null && > password.trim().length() > 0)) { > User u = loginFacade.login(this.userName, this.password); > if (u != null && u.getEnabled()) { > this.getUser().setEnabled(u.getEnabled()); > this.getUser().setEmail(u.getEmail()); > this.getUser().setExternallyDefined(u.getExternallyDefined()); > this.getUser().setFullName(u.getFullName()); > this.getUser().setId(u.getId()); > this.getUser().setPassword(u.getPassword()); > this.getUser().setUsername(u.getUsername()); > this.getUser().setRoles(u.getRoles()); > } > else { > // If we haven't found you then you are not a user. > return ERROR; > } > } > .. we do our role based stuff here... > } > > The important thing to note is that we populate the user instead of trying > to do a session.setAttribute... > > UserAwareBaseAction.java - All actions extend this so they have access to > the user. In our case we only have a couple pages that are not protected and > don't need to extend this. In general we still extend it so that > executeAction() becomes the method to implement instead of execute(). > > public abstract class UserAwareBaseAction extends ActionSupport { > > private User user; > protected String SUCCESS = "success"; > protected String FAILURE = "failure"; > protected String ERROR = "error"; > > public User getUser() { > return user; > } > > public void setUser(User user) { > this.user = user; > } > > /** > * > * Delegate to executeAction since this is an abstract class. > * > */ > public String execute() throws Exception { > // if(getUser() == null || getUser().getUsername() == null) { > // return "loginPage"; > // } > return executeAction(); > } > > public abstract String executeAction() throws Exception; > } > > ServletFilter... > > public void doFilter(ServletRequest request, ServletResponse response, > FilterChain chain) throws IOException, ServletException { > HttpServletRequest req = (HttpServletRequest) request; > User user = (User) req.getSession(true).getAttribute("user"); > String uri = req.getRequestURI(); > if (isProtectedUri(uri) && (user == null || user.getUserName() == null)) > { > ((HttpServletResponse) response).sendRedirect("login.action"); > } > else { > chain.doFilter(request, response); > } > } > > public void doFilter(ServletRequest request, ServletResponse response, > FilterChain chain) throws IOException, ServletException { > HttpServletRequest req = (HttpServletRequest) request; > User user = (User) req.getSession(true).getAttribute("user"); > String uri = req.getRequestURI(); > if (isProtectedUri(uri) && user == null) { > ((HttpServletResponse) response).sendRedirect("login.action"); > } > else { > chain.doFilter(request, response); > } > } > > /** > * We could do this differently but since we only have a couple of pages > * unprotected it is just as easy to do it with the if. Really this should > * query a db, or properties file or the like to get unprotected > resources. > * > */ > private boolean isProtectedUri(String uri) { > if (uri.contains(".css") || uri.contains(".js") || > uri.contains("login.action") || ... ) { > return false; > } > return true; > } > } > > Logout.java - this is how we log someone out > public class LogoutAction extends UserAwareBaseAction { > > /** > * Since user is a session variable simply clear out the pertinent info > and > * the filter will force a new login. > */ > public String executeAction() throws Exception { > try { > this.getUser().setUsername(null); > } > catch (Exception e) { > return ERROR; > } > return SUCCESS; > } > } > > Only thing to note is that we set the username to null - we can't remove > the user from the session since it is a spring session scoped bean. Setting > the username to null makes sure the next request for a protected page fails. > > > HTH > > Allen Fogleson > > -----Original Message----- > From: shekher awasthi [mailto:shekher.awas...@gmail.com] > Sent: Monday, December 15, 2008 3:55 AM > To: Struts Users Mailing List > Subject: Application based Security > > Hi All, > > We are developing an application based on Struts2 framework. We are on way > to develop application based security so that the unauthorized user can not > access the secure area,it needs the request to be from the authorized > person.We can have the Below mentioed approach > > 1) For Secure area the user must be logged in to the ysystem and have > authorization for accessing that > 2) For every request coming to the secured region, we need to put the check > if the user is a valid one or not. > > We cab think of the functionality which checks for the icoming request for > its authentication and permits only authenticated request. > > I need your suggestion about the approach we can follow in struts2 so that > we can achieve the above mentioed points and also maintenance and > enterprise > integration will be area of concern. > > IF any one have worked or working on similar area pleaes share his/her view > how to achieve that here in struts2 > > Thanks in advance > shekher > > --------------------------------------------------------------------- > To unsubscribe, e-mail: user-unsubscr...@struts.apache.org > For additional commands, e-mail: user-h...@struts.apache.org > >