Posted to user@struts.apache.org by "Struts Newsgroup (@Basebeans.com)" <st...@basebeans.com> on 2002/08/14 06:10:02 UTC

What is a better way to check user login?

Subject: What is a better way to check user login?
From: "Hu Ji Rong" <hu...@yahoo.com>
 ===
Hi,

I saw various ways to check user login in Struts, but a bit confused.
CheckLogon Tag in Struts example, check user session data, overwrite the
ActionServlet, and so on. Overwrite the ActionServlet maybe also have
problem to migrate to 1.1?

Can anyone point to a right way? We have normally form based login page to
validate the user.

Thanks,
JiRong



--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: What is a better way to check user login?

Posted by Max Cooper <ma...@maxcooper.com>.
JiRong,

I wrote a Filter to mimic container-managed security (with some help from
this list) named 'securityfilter' that has a very simple realm interface and
can be deployed inside a web app with no realm setup on the server. The
config file uses the same syntax as web.xml for the security constraints and
form-login stuff. The filter works the same way as container managed
security with a few less setup hassles and it eliminates dependence on the
server's proprietary realm interface. Security Filter also has an additional
feature of allowing you to submit a login request without being forced to
the login page (unlike container managed security), which allows you to do
things like have a login form on every page.

Security Filter is open source and distributed under an Apache-style
license. Container or securityfilter security is nice because it can protect
all of your site's resources, the design is time-tested (it is easy to
create security holes if you write it yourself), and you can build on the
request object's security-related methods. Struts and Tiles tags build on
these methods with their role="somerole" attributes, and they are ideal for
building programmatic security in your Actions or JSPs.

For more information, go here:
http://securityfilter.sourceforge.net/

If you don't have real roles to work with, you could create a simple realm
implementation where isUserInRole(Principal principal, String role) returns
true for some role as long as the principal is not null. Then protect all
the URLs that you want people to be logged in to access. The filter or
container would then automatically authenticate users by sending them
through the login page, and you could use request.getRemoteUser(), etc. to
determine who the current user is once they get to your Action and make
programmatic security decisions based on that user information. Container or
securityfilter based security is not too difficult to use, and it is
certainly much easier and more robust than building your own security
system.

Many people want to do their own login form processing, but I think there
are better ways to achieve the goals behind this desire. If you want to put
things in the session when the user logs in, you could write a
HttpSessionAttributeListener to do the work for you. It would add or remove
attributes when the securityfilter adds/changes/removes a user's Principal
object in a session (I don't think this would work with container-managed
security, however). Another alternative is to create a utility class that
you can call to get the attributes. You pass in the request or session, and
the utility class would get the attributes from the session or create them,
put them in the session, and return them if they weren't already there.
Better yet, you could write a filter that would examine each request that
comes in (after the securityfilter, if that is what you are using) and
create the attributes if the user has been authenticated and they are
missing, or delete them if they exist and the user is no longer
authenticated. This filter approach would work with both container and
securityfilter security, it probably has less overhead than the
HttpSessionAttributeListener, and it avoids introducing a new interface for
accessing the attributes (which is a disadvantage of the utility class
method described above).

Note that you need a Servlet 2.3 compliant container to use securityfilter
or the filter-based session populator described above.

-Max
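The filter-based session populator Max describes above, written out as an added example (not code from securityfilter or from Max's post). It assumes the Servlet 2.3 API, that the filter is mapped in web.xml after the security filter (so request.getUserPrincipal() is already set), and that the session key "currentUser" and the UserData class are names chosen for this illustration.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Runs after the security filter, so getUserPrincipal() is already populated. */
public class UserAttributeFilter implements Filter {
    /** Session key for the cached per-user data (assumed name). */
    public static final String USER_KEY = "currentUser";

    /** Per-user data cached in the session; a real app would add profile fields. */
    public static final class UserData implements java.io.Serializable {
        public final String name;
        public final long loadedAt;
        UserData(String name) { this.name = name; this.loadedAt = System.currentTimeMillis(); }
    }

    public void init(FilterConfig config) throws ServletException { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest httpReq = (HttpServletRequest) req;
            Principal principal = httpReq.getUserPrincipal();
            // Only create a session for authenticated users; anonymous hits get none.
            HttpSession session = httpReq.getSession(principal != null);
            if (session != null) {
                syncUserAttributes(session, principal);
            }
        }
        chain.doFilter(req, res);
    }

    /** Creates the attributes when missing, rebuilds them if the principal changed, removes them on logout. */
    static void syncUserAttributes(HttpSession session, Principal principal) {
        UserData cached = (UserData) session.getAttribute(USER_KEY);
        if (principal == null) {
            if (cached != null) session.removeAttribute(USER_KEY);   // no longer authenticated
        } else if (cached == null || !cached.name.equals(principal.getName())) {
            session.setAttribute(USER_KEY, loadUserData(principal));  // first request, or a different user
        }
    }

    /** Builds the cached object from the authenticated principal (hypothetical lookup point). */
    static UserData loadUserData(Principal principal) {
        return new UserData(principal.getName());
    }
}
```

The name comparison in syncUserAttributes matters: it keeps stale data from a previous user out of a session that outlived a logout and re-login.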



RE: What is a better way to check user login?

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Wed, 14 Aug 2002, Jacob Hookom wrote:

> Date: Wed, 14 Aug 2002 00:33:18 -0500
> From: Jacob Hookom <ho...@uwec.edu>
> Reply-To: Struts Users Mailing List <st...@jakarta.apache.org>
> To: 'Struts Users Mailing List' <st...@jakarta.apache.org>
> Subject: RE: What is a better way to check user login?
>
>
>
> | -----Original Message-----
> | From: Troy Hart [mailto:thart@part.net]
> | Sent: Tuesday, August 13, 2002 11:27 PM
> | To: Struts Users Mailing List
> | Subject: Re: What is a better way to check user login?
> |
> | This topic has been discussed quite a bit on this list. I think the
> | consensus is that you should really use container managed authentication
> | (cma). You should search through the archives for discussions on the
> | topic. According to some you would be crazy (or maybe even stupid) to do
> | it any other way. Sometimes you don't have a lot of choice in the
> | matter, due to any number of factors, but you will be happy if you can
> | bite it off. :-)
>
> Although, there is the issue of managing security where there are no
> definitive 'roles' available and security is managed on a per
> request/parameter basis.
>
> I'm still trying to piece together how I can implement a Realm for my
> project-- possibly bit masking a long or using a float's mantissa in
> packing all the data I need into a string to validate as a role ;-)
>

Defining what your needs are would be a good starting point :-).  Without
that, I don't see how you can make any architectural decisions about how
to support your security requirements.

> -Jake

Craig




RE: What is a better way to check user login?

Posted by Jacob Hookom <ho...@uwec.edu>.

| -----Original Message-----
| From: Troy Hart [mailto:thart@part.net]
| Sent: Tuesday, August 13, 2002 11:27 PM
| To: Struts Users Mailing List
| Subject: Re: What is a better way to check user login?
| 
| This topic has been discussed quite a bit on this list. I think the
| consensus is that you should really use container managed authentication
| (cma). You should search through the archives for discussions on the
| topic. According to some you would be crazy (or maybe even stupid) to do
| it any other way. Sometimes you don't have a lot of choice in the
| matter, due to any number of factors, but you will be happy if you can
| bite it off. :-)

Although, there is the issue of managing security where there are no
definitive 'roles' available and security is managed on a per
request/parameter basis.

I'm still trying to piece together how I can implement a Realm for my
project-- possibly bit masking a long or using a float's mantissa in
packing all the data I need into a string to validate as a role ;-)

-Jake



Re: What is a better way to check user login?

Posted by Troy Hart <th...@part.net>.
This topic has been discussed quite a bit on this list. I think the
consensus is that you should really use container managed authentication
(cma). You should search through the archives for discussions on the
topic. According to some you would be crazy (or maybe even stupid) to do
it any other way. Sometimes you don't have a lot of choice in the
matter, due to any number of factors, but you will be happy if you can
bite it off. :-)

Good luck,

Troy




Re: What is a better way to check user login?

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Tue, 13 Aug 2002, Struts Newsgroup wrote:

> Date: Tue, 13 Aug 2002 21:10:02 -0700
> From: Struts Newsgroup <st...@basebeans.com>
> Reply-To: Struts Users Mailing List <st...@jakarta.apache.org>
> To: struts-user@jakarta.apache.org
> Subject: What is a better way to check user login?
>
> Subject: What is a better way to check user login?
> From: "Hu Ji Rong" <hu...@yahoo.com>
>  ===
> Hi,
>
> I saw various ways to check user login in Struts, but a bit confused.
> CheckLogon Tag in Struts example, check user session data, overwrite the
> ActionServlet, and so on. Overwrite the ActionServlet maybe also have
> problem to migrate to 1.1?
>
> Can anyone point to a right way? We have normally form based login page to
> validate the user.
>

If you are using container managed security (in other words, you have one
or more <security-constraint> elements plus a <login-config> element in
your web.xml file), you do *not* need anything like the CheckLogon tag in
the example application.  The container will do all the necessary checking
for you.

The reason that the sample application does its own "logon checking" is so
that the sample WAR file can be deployed, out of the box, with no setup as
a test of whether Struts works on your particular application server.  For
real applications, using container managed security is by far the
preferred alternative.

> Thanks,
> JiRong
>

Craig McClanahan

