Posted to user@struts.apache.org by Ralph vd Houdt <ra...@ezcompany.nl> on 2001/09/06 09:09:13 UTC

re-Logon after session timeout

Hi All,

I developed a struts application and re-used the checkLogon tag from the
login example from Ted Husted. It works quite well but when a client loses
the session in case of a session timeout and a new request is done the
Action is cancelled because the User object isn't in the session anymore. Is
there a possibility to:

    - route the user to the logonform. (And re-add the User object)
    - after logon, repost the initial request.
    - continue based on the initial request

Greetings Ralph.



Re: re-Logon after session timeout

Posted by Gregor Rayman <gr...@gmx.net>.
"Ralph vd Houdt" <ra...@ezcompany.nl> wrote:
> Hi Gregor,
> 
> This sounds OK. Can you point me to documentation on this or give me
> additional information?
 
It is quite simple.

The "normal" login.jsp looks like this:

<form method="POST" action="j_security_check" >
Username: <input type="text" name="j_username"><br>
Password: <input type="password" name="j_password"><br> 
<br>
<input type="submit" value="login" name="j_security_check">
</form>


You would use something like this (for simplicity here pure JSP,
it can be done with Struts as well):


<form method="POST" action='<%= response.encodeURL("/checklogin.jsp") %>' >
    User: <input name="user"><br>
    Company: <input name="company"><br>
    Password: <input name="password" type="password">
</form>

And checklogin.jsp would do something like this:

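<%@ page import="java.net.URLEncoder" %>
<%
  // Map company + user onto the single container user name
  String j_username = 
    request.getParameter("company") + "/" + request.getParameter("user");
  String j_password = request.getParameter("password");
%>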
<jsp:forward page='<%= "j_security_check?j_username=" + 
                        URLEncoder.encode(j_username) + 
                       "&j_password=" +
                        URLEncoder.encode(j_password) %>' /> 



Of course, the mapping logic from company+user to web-user can be 
more complex than simple concatenation with a "/" as separator.



Actually, I've never used it for such mapping. I've used it for
auto-login directly in the first login.jsp.

It checks to see, whether the user can be identified by a cookie and 
tries to retrieve the username/password from a database. Then, instead
of displaying the login form, it directly forwards to j_security_check.


groetjes

--
gR


 


Re: re-Logon after session timeout

Posted by Ralph vd Houdt <ra...@ezcompany.nl>.
Hi Gregor,

This sounds OK. Can you point me to documentation on this or give me
additional information?

Greetings

----- Original Message -----
From: "Gregor Rayman" <gr...@gmx.net>
To: <st...@jakarta.apache.org>
Sent: Thursday, September 06, 2001 4:43 PM
Subject: Re: re-Logon after session timeout


> "Ralph vd Houdt" <ra...@ezcompany.nl> wrote:
>
> > Hi Jon,
> >
> > This is not just what I want. I want to do a login based on 3 fields
> > company/user/password and evaluate then to an EJB. The login should put an
> > object in the session.
> >
> > Greetings Ralph
>
> You can do this with form based login as well.
> Your form would not have the action "j_security_check", it would
> point to another action which would map the three fields to the
> two (user/password) and forward to j_security_check.
>
> --
> gR
>
>
>



Re: re-Logon after session timeout

Posted by Gregor Rayman <gr...@gmx.net>.
"Ralph vd Houdt" <ra...@ezcompany.nl> wrote:

> Hi Jon,
> 
> This is not just what I want. I want to do a login based on 3 fields
> company/user/password and evaluate then to an EJB. The login should put an
> object in the session.
> 
> Greetings Ralph

You can do this with form based login as well. 
Your form would not have the action "j_security_check", it would 
point to another action which would map the three fields to the
two (user/password) and forward to j_security_check.

--
gR


Re: re-Logon after session timeout

Posted by Ralph vd Houdt <ra...@ezcompany.nl>.
Hi Jon,

This is not just what I want. I want to do a login based on 3 fields
company/user/password and evaluate then to an EJB. The login should put an
object in the session.

Greetings Ralph

----- Original Message -----
From: "Jon Brisbin" <br...@ipa.net>
To: <st...@jakarta.apache.org>
Sent: Thursday, September 06, 2001 4:20 PM
Subject: Re: re-Logon after session timeout


> this sounds like you're wanting to use Tomcat's role-based
> authentication...if you look in the example webapp that comes with the
> tomcat distro, you can find settings in web.xml that set up a secure
> area...if you edit tomcat's server.xml file and find the "Realm" stuff, you
> can set up an authentication scheme that uses a form-based login...
>
> if you protect urls of say "/member/whatever" then when anyone requests
> "/member/whatever/stuff?query-string" then if they're not logged in, it
> forwards them to your login page, then if successful sends them to whatever
> they originally requested...
>
> this functionality is part of tomcat and requires no extra code on your
> part...
>
> jb



Re: re-Logon after session timeout

Posted by Jon Brisbin <br...@ipa.net>.
this sounds like you're wanting to use Tomcat's role-based
authentication...if you look in the example webapp that comes with the
tomcat distro, you can find settings in web.xml that set up a secure
area...if you edit tomcat's server.xml file and find the "Realm" stuff, you
can set up an authentication scheme that uses a form-based login...

if you protect urls of say "/member/whatever" then when anyone requests
"/member/whatever/stuff?query-string" then if they're not logged in, it
forwards them to your login page, then if successful sends them to whatever
they originally requested...

this functionality is part of tomcat and requires no extra code on your
part...

jb

----- Original Message -----
From: "Ralph vd Houdt" <ra...@ezcompany.nl>
To: <st...@jakarta.apache.org>
Sent: Thursday, September 06, 2001 9:18 AM
Subject: Re: re-Logon after session timeout


> Too bad, I'm using Tomcat 3.2.2 together with JBoss.
>
> Keep me in touch with your development, it sounds good.
>
> Greetings Ralph


Re: re-Logon after session timeout

Posted by Ralph vd Houdt <ra...@ezcompany.nl>.
Too bad, I'm using Tomcat 3.2.2 together with JBoss.

Keep me in touch with your development, it sounds good.

Greetings Ralph

----- Original Message -----
From: "Erik Hatcher" <er...@earthlink.net>
To: <st...@jakarta.apache.org>
Sent: Thursday, September 06, 2001 3:29 PM
Subject: Re: re-Logon after session timeout


> I'm accomplishing this very thing using Resin's Servlet 2.3 Filter support.
> The filter determines the user is not logged in, saves the requesting URI in
> a session attribute, and forwards to the login page.   The login action
> checks for the existence of the session attribute with the saved URI and
> forwards to that upon a successful login.
>
> I'm sure it could be done in a Servlet 2.2 environment also, but would
> require more effort.
>
>     Erik



Re: re-Logon after session timeout

Posted by Erik Hatcher <er...@earthlink.net>.
I'm accomplishing this very thing using Resin's Servlet 2.3 Filter support.
The filter determines the user is not logged in, saves the requesting URI in
a session attribute, and forwards to the login page.   The login action
checks for the existence of the session attribute with the saved URI and
forwards to that upon a successful login.

I'm sure it could be done in a Servlet 2.2 environment also, but would
require more effort.

    Erik


----- Original Message -----
From: "Ralph vd Houdt" <ra...@ezcompany.nl>
To: <st...@jakarta.apache.org>
Sent: Thursday, September 06, 2001 12:09 AM
Subject: re-Logon after session timeout


> Hi All,
>
> I developed a struts application and re-used the checkLogon tag from the
> login example from Ted Husted. It works quite well but when a client loses
> the session in case of a session timeout and a new request is done the
> Action is cancelled because the User object isn't in the session anymore. Is
> there a possibility to:
>
>     - route the user to the logonform. (And re-add the User object)
>     - after logon, repost the initial request.
>     - continue based on the initial request
>
> Greetings Ralph.
>
>
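
Added example, not part of the original thread and not Erik's code: a sketch of the Servlet 2.3 filter approach described above, with the redirect target restricted to this web application and used only once. The session keys "user" and "savedUri", the /logon.jsp path and the resumeAfterLogon helper are assumptions; the filter is assumed to be mapped only to protected URLs, not to the logon action itself.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class LogonFilter implements Filter {
    static final String USER_KEY = "user";           // assumed session key of the User object
    static final String SAVED_URI_KEY = "savedUri";  // assumed session key of the saved target
    static final String LOGON_PAGE = "/logon.jsp";   // assumed logon page

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(true);
        // Logged in, or asking for the logon page itself: let the request through.
        if (session.getAttribute(USER_KEY) != null
                || LOGON_PAGE.equals(request.getServletPath())) {
            chain.doFilter(req, res);
            return;
        }
        // Only a GET can be replayed by a redirect; the body of a timed-out
        // POST is not kept, so such a request restarts from the home page.
        if ("GET".equals(request.getMethod())) {
            String uri = request.getRequestURI();
            String query = request.getQueryString();
            session.setAttribute(SAVED_URI_KEY, query == null ? uri : uri + "?" + query);
        }
        request.getRequestDispatcher(LOGON_PAGE).forward(req, res);
    }

    /** To be called by the login action once the credentials have been verified. */
    static void resumeAfterLogon(HttpServletRequest request, HttpServletResponse response,
                                 Object user) throws IOException {
        HttpSession session = request.getSession(true);
        String target = (String) session.getAttribute(SAVED_URI_KEY);
        session.removeAttribute(SAVED_URI_KEY);       // the saved target is single-use
        session.setAttribute(USER_KEY, user);         // re-add the User object
        String home = request.getContextPath() + "/";
        // Fall back to the application root when nothing was saved or the
        // value does not point inside this web application.
        if (target == null || !target.startsWith(home) || target.startsWith("//")) {
            target = home;
        }
        response.sendRedirect(response.encodeRedirectURL(target));
    }
}
```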