Thanks for the detailed reply, i fear we don't know much about Spring frame
work but can use the approach for our application
other suggestions are also most welcomed
On Mon, Dec 15, 2008 at 5:26 PM, Fogleson, Allen <
allen.fogle...@daugherty.com> wrote:
> We have a similar system of application security. What we do is create
> session scoped user object in our spring application.xml, then use a servlet
> filter to see if the user is there. The servlet filter redirects to
> login.action if the user is attempting to access a protected resource. Here
> are some snippets...
>
> Application.xml
>
> <bean id="user" class="com.company.entities.User" scope="session" />
>
> User.java
> ..
> Just a standard user kind of thing.. username, password, first, last, etc.
>
> Login.java (mapped to /login.action)
> /**
> * Check the passed in username and password. If a user exists then
> forward
> * based on role, otherwise forward to the error (login) page.
> */
> public String executeAction() throws Exception {
> if ((this.getUser() == null || this.getUser().getUsername() == null) &&
> (userName != null && userName.trim().length() > 0 && password != null &&
> password.trim().length() > 0)) {
> User u = loginFacade.login(this.userName, this.password);
> if (u != null && u.getEnabled()) {
> this.getUser().setEnabled(u.getEnabled());
> this.getUser().setEmail(u.getEmail());
> this.getUser().setExternallyDefined(u.getExternallyDefined());
> this.getUser().setFullName(u.getFullName());
> this.getUser().setId(u.getId());
> this.getUser().setPassword(u.getPassword());
> this.getUser().setUsername(u.getUsername());
> this.getUser().setRoles(u.getRoles());
> }
> else {
> // If we haven't found you then you are not a user.
> return ERROR;
> }
> }
> .. we do our role based stuff here...
> }
>
> The important thing to note is that we populate the user instead of trying
> to do a session.setAttribute...
>
> UserAwareBaseAction.java - All actions extend this so they have access to
> the user. In our case we only have a couple pages that are not protected and
> don't need to extend this. In general we still extend it so that
> executeAction() becomes the method to implement instead of execute().
>
> public abstract class UserAwareBaseAction extends ActionSupport {
>
> private User user;
> protected String SUCCESS = "success";
> protected String FAILURE = "failure";
> protected String ERROR = "error";
>
> public User getUser() {
> return user;
> }
>
> public void setUser(User user) {
> this.user = user;
> }
>
> /**
> *
> * Delegate to executeAction since this is an abstract class.
> *
> */
> public String execute() throws Exception {
> // if(getUser() == null || getUser().getUsername() == null) {
> // return "loginPage";
> // }
> return executeAction();
> }
>
> public abstract String executeAction() throws Exception;
> }
>
> ServletFilter...
>
> public void doFilter(ServletRequest request, ServletResponse response,
> FilterChain chain) throws IOException, ServletException {
> HttpServletRequest req = (HttpServletRequest) request;
> User user = (User) req.getSession(true).getAttribute("user");
> String uri = req.getRequestURI();
> if (isProtectedUri(uri) && (user == null || user.getUserName() == null))
> {
> ((HttpServletResponse) response).sendRedirect("login.action");
> }
> else {
> chain.doFilter(request, response);
> }
> }
>
> public void doFilter(ServletRequest request, ServletResponse response,
> FilterChain chain) throws IOException, ServletException {
> HttpServletRequest req = (HttpServletRequest) request;
> User user = (User) req.getSession(true).getAttribute("user");
> String uri = req.getRequestURI();
> if (isProtectedUri(uri) && user == null) {
> ((HttpServletResponse) response).sendRedirect("login.action");
> }
> else {
> chain.doFilter(request, response);
> }
> }
>
> /**
> * We could do this differently but since we only have a couple of pages
> * unprotected it is just as easy to do it with the if. Really this should
> * query a db, or properties file or the like to get unprotected
> resources.
> *
> */
> private boolean isProtectedUri(String uri) {
> if (uri.contains(".css") || uri.contains(".js") ||
> uri.contains("login.action") || ... ) {
> return false;
> }
> return true;
> }
> }
>
> Logout.java - this is how we log someone out
> public class LogoutAction extends UserAwareBaseAction {
>
> /**
> * Since user is a session variable simply clear out the pertinent info
> and
> * the filter will force a new login.
> */
> public String executeAction() throws Exception {
> try {
> this.getUser().setUsername(null);
> }
> catch (Exception e) {
> return ERROR;
> }
> return SUCCESS;
> }
> }
>
> Only thing to note is that we set the username to null - we can't remove
> the user from the session since it is a spring session scoped bean. Setting
> the username to null makes sure the next request for a protected page fails.
>
>
> HTH
>
> Allen Fogleson
>
> -----Original Message-----
> From: shekher awasthi [mailto:shekher.awas...@gmail.com]
> Sent: Monday, December 15, 2008 3:55 AM
> To: Struts Users Mailing List
> Subject: Application based Security
>
> Hi All,
>
> We are developing an application based on Struts2 framework. We are on way
> to develop application based security so that the unauthorized user can not
> access the secure area,it needs the request to be from the authorized
> person.We can have the Below mentioed approach
>
> 1) For Secure area the user must be logged in to the ysystem and have
> authorization for accessing that
> 2) For every request coming to the secured region, we need to put the check
> if the user is a valid one or not.
>
> We cab think of the functionality which checks for the icoming request for
> its authentication and permits only authenticated request.
>
> I need your suggestion about the approach we can follow in struts2 so that
> we can achieve the above mentioed points and also maintenance and
> enterprise
> integration will be area of concern.
>
> IF any one have worked or working on similar area pleaes share his/her view
> how to achieve that here in struts2
>
> Thanks in advance
> shekher
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org
>
>
