Hi Andreas,
On 25.01.2009 at 02:53, Andreas Mähler wrote:
Thank you, Dave.
I think Martin misunderstood me. I was planning to store everything
in the session anyway. What I would like to know is _what_ I have to
store and _how_ to invoke the right action later in order to make
the login stuff transparent.
Hint: storing *everything* into the session might be unwise in some
circumstances, as all resources on a server are limited, even cheap
memory.
So you want a login page displayed when a user accesses a secured area
in the application and show the correct page after successful
authentication. There are several ways to do this with Struts. I would
use a simple redirect result as long as you have to deal with
HTTP-GETs only, as it's pretty hard to redirect a POST. I have not
tried it, but it should work like this:
- Create a global result[1] which leads to the login page.
- When your interceptor thinks a login is required, store the
requested URL to the session and return the global login result from
your interceptor.
- When the login action ends successfully, if a URL is in the
session, redirect to it using a simple redirect result with a
parametrized url [2].
As for POSTs, even if I don't like it, you should be able to store
action, namespace, method and the parameters of the ActionInvocation
to the session and retrieve them later to invoke the action via chain
result. Using chain result at all is discouraged anyway[3].
I think this is not necessary: the usual use-case here is a user has
clicked on a deep-link into the application (from a bookmark,
newsletter or who-knows-where) and needs to be authorized first. For
his convenience we want to get him to the page he wanted directly
after the login. Whether this fits for your application, I don't know.
Cheers,
-Ralf
[1]
http://struts.apache.org/2.0.11.1/docs/result-configuration.html#ResultConfiguration-GlobalResults
[2] http://struts.apache.org/2.1.6/docs/redirect-result.html
[3] http://struts.apache.org/2.1.6/docs/action-chaining.html
Maybe I am also going to check out Spring Security, as Wes
suggested, but ATM I am using my own little
AuthenticationInterceptor that supplies every Action (if desired)
with the UserLogin-bean and redirects to the login-action if the
bean is mandatory (indicated by annotation). It's working nicely,
and I would like to keep it :-)
Greetings,
~Andreas
Dave Newton wrote:
Martin Gainty wrote:
1)store in db
2)if static.. place in properties file
3)you can use OGNL to place values into 'application' scope
...
3) Seems like 'session' would be more appropriate since we're
talking about storing an individual user's request, to be re-used
after a login. And it would be put into session by the interceptor
that checked if the user was logged in, which wouldn't do it via
OGNL.
2) It's unlikely a user's request would be known in advance.
1) I can't think of any reason why I'd want to store the request in
a DB since it only needs to persist over login attempts.
Dave
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
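
The store-and-redirect steps listed in the reply above, sketched as a Struts 2 interceptor. This is an added example, not code from anyone in the thread. It assumes Struts 2.1 or later (typed session map); the session keys, the `login` result name and the `consumeSavedUrl` helper are hypothetical names chosen for illustration. Only GET requests are remembered, and the stored value is always a path inside the application.

```java
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.apache.struts2.ServletActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

// Hypothetical interceptor; key names and the "login" result name are assumptions.
public class LoginRequiredInterceptor extends AbstractInterceptor {
    public static final String USER_KEY = "userLogin";      // assumed key of the logged-in user bean
    public static final String SAVED_URL_KEY = "savedUrl";  // assumed key of the remembered target
    private static final int MAX_URL_LENGTH = 2048;         // bound what one visitor can put in the session

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        Map<String, Object> session = invocation.getInvocationContext().getSession();
        if (session.get(USER_KEY) != null) {
            return invocation.invoke();                      // already authenticated
        }
        HttpServletRequest request = ServletActionContext.getRequest();
        if ("GET".equalsIgnoreCase(request.getMethod())) {   // POSTs are not replayed
            // Path within the web app plus query string; scheme and host are never stored.
            String url = request.getServletPath();
            if (request.getQueryString() != null) {
                url += "?" + request.getQueryString();
            }
            if (url.length() <= MAX_URL_LENGTH) {
                session.put(SAVED_URL_KEY, url);
            }
        }
        return "login";                                      // global result leading to the login page
    }

    // Called by the login action after successful authentication; the saved URL is single-use.
    public static String consumeSavedUrl(Map<String, Object> session, String fallback) {
        Object saved = session.remove(SAVED_URL_KEY);
        if (saved instanceof String) {
            String url = (String) saved;
            // Accept only a local path: no "//host", no backslash, no CR/LF.
            boolean local = url.startsWith("/") && !url.startsWith("//")
                    && url.indexOf('\\') < 0 && url.indexOf('\r') < 0 && url.indexOf('\n') < 0;
            if (local) {
                return url;
            }
        }
        return fallback;
    }
}
```

The login action would expose the value returned by `consumeSavedUrl` through a getter and reference it from a redirect result as the parametrized location described in [2].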