Posted to user@struts.apache.org by "Bailey, Shane C." <SH...@saic.com> on 2003/06/04 23:00:32 UTC

Example: Auth check with ActionServlet

If anyone is interested in a decent way to do a check to see if the user is
logged in and do the appropriate things, then I am giving an example below.
One reason I am doing this is I have seen a heck of a lot of posts where
people are doing the check from within a JSP.  Second reason is I just
finished coding it.  Third, I wouldn't mind comments as to whether this will
hold up under some unforeseen circumstance or if I am way off base in doing
it this way.  But this way is simple!

Some code details I have kept out for security reasons.  Probably a
non-issue, but if a hacker knows every detail of how I do it then it makes it
easier; you'll get the idea, I think.

 

The disadvantage of extending the ActionServlet over extending the
RequestProcessor is that if you are using modules and they have different
login paths per module, then you would be better off extending the
RequestProcessor.  Otherwise you could have 50 RequestProcessors for 50
modules, and the code to do the auth check below would only have to be in one
place.  I guess you could have a MyRequestProcessor which just has the check
methods in it and reuse that as the base class for each RequestProcessor,
but...

This code has been tested to work (decently) (but like I said, I removed
some (very little) code for security reasons).


package my.web;

import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.ServletException;

import org.apache.struts.util.RequestUtils;

import my.package.web.constants.WebConst;


public final class Controller extends org.apache.struts.action.ActionServlet
{

    /**
     *  You can omit this method in this class if you have nothing to
     *  initialize!!!  So it is even smaller code.
     */
    public void init() throws ServletException {
        //I thought I would put code in here to initialize the DB and
        //stuff but decided to find a better way for better tiering i.e. keeping
        //database code out of my front end

        super.init();
    }


    protected void process(HttpServletRequest request,
                           HttpServletResponse response)
        throws IOException, ServletException {

        if(this.isUserAuthenticated(request)==false &&
                                isAttemptingLogin(request)==false)
        {
            //Send to login
            response.sendRedirect(WebConst.MAIN_LOGIN_PATH); //Const value="/login"
            //Stop here: without this return the request would still be handed
            //to super.process() and the requested action would run even though
            //the redirect to the login page has already been sent.
            return;
        }

        super.process(request,response);
    }


    private boolean isUserAuthenticated(HttpServletRequest request)
    {
        try{
            //Insert code here!  To check the Session (or the request if using Container
            //Managed Security) and see if the user is already logged in.

            return true;

            //If anything fails like a ClassCastException because some
            //outside force tried to set an object in Session or some other problem or security
            //breach just catch any problems...
        }catch(Exception e)
        {
            return false;
        }
    }


    private boolean isAttemptingLogin(HttpServletRequest request)
    {
        //Get the path where the user is trying to go.
        String currReqPath = request.getServletPath();

        log("CRP="+currReqPath);

        //I happened to have a couple login paths the user can take (really just a different action mapping name
        //going to the same action)  if you only have one login path then replace the whole for loop with
        //if(WebConst.MY_LOGIN_PATH.equals(currReqPath)){ return true; }
        for(int i=0; i<WebConst.LOGIN_PATHS.length;i++)
        {
            //The first one in the array is "/login"
            if(WebConst.LOGIN_PATHS[i].equals(currReqPath))
            {
                return true;
            }
        }

        return false;
    }

}


web.xml has this now instead of ActionServlet:

...
<servlet-name>action</servlet-name>
<servlet-class>my.web.Controller</servlet-class>
...

<servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>*.do</url-pattern>
</servlet-mapping>
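For the multi-module case the post mentions, the same check can live in a per-module RequestProcessor instead of the ActionServlet; this is an added example, not the poster's code, and AuthRequestProcessor, the session attribute name and the "/login.do" path are assumptions. Returning false from processPreprocess is what makes Struts skip the action once the redirect has been sent.

```java
package my.web;

import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.RequestProcessor;

/**
 * Hypothetical per-module variant of the ActionServlet check (added example).
 * Wired in with <controller processorClass="my.web.AuthRequestProcessor"/>
 * in each module's struts-config.xml.
 */
public class AuthRequestProcessor extends RequestProcessor {

    // Assumption: the login action stores the user name under this key
    // once the credentials have been verified.
    static final String USER_KEY = "authenticatedUser";
    // Assumption: login mapping for this module, relative to the module prefix.
    static final String LOGIN_PATH = "/login.do";

    protected boolean processPreprocess(HttpServletRequest request,
                                        HttpServletResponse response) {
        // Servlet path includes the module prefix (e.g. "/admin/login.do"),
        // so build the comparison value from the module's own prefix.
        String path = request.getServletPath();
        String loginPath = moduleConfig.getPrefix() + LOGIN_PATH;

        if (isAuthenticated(request) || loginPath.equals(path)) {
            return true;   // let the normal action chain run
        }
        try {
            // Redirect within this web app, then STOP: false tells
            // RequestProcessor.process() not to run the requested action.
            response.sendRedirect(request.getContextPath() + loginPath);
        } catch (IOException e) {
            servlet.log("redirect to login failed", e);
        }
        return false;
    }

    private boolean isAuthenticated(HttpServletRequest request) {
        HttpSession session = request.getSession(false); // never create one here
        if (session == null) {
            return false;
        }
        Object user = session.getAttribute(USER_KEY);
        // Fail closed: only a marker of the expected type counts as logged in,
        // which also covers the ClassCastException case the post catches.
        return user instanceof String;
    }
}
```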