You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@struts.apache.org by struts Dude <sc...@slingshot.co.nz> on 2004/08/25 14:50:23 UTC
Question about authentication
Hi
I am going to use custom tags for checking
access to Jsp, if no user/bean bean in session,
then direct to login page.
And I am also going to check admin bean again
in Action before invoking life cycle methods
on business beans.
Now am I over kill with authentication??
I mean, if all JSP pages that require user/admin
access has custom tag that check for access
at top, then i don't really need to check
for authentication in Action classess.
But it may also be good practice to double check
for whatever reason.
Just curious what's the usual practice u ppl do.
Thanks
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
Re: Question about authentication
Posted by struts Dude <sc...@slingshot.co.nz>.
Thanks to all who replied. I can't always count on u guys :D
If I really did use the stupid approach on the job,
I guess I am going to be fired on the spot. ;D
Regards
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
Re: Question about authentication
Posted by struts Dude <sc...@slingshot.co.nz>.
----- Original Message -----
From: "Emmanouil Batsis" <Em...@eurodyn.com>
To: "Struts Users Mailing List" <us...@struts.apache.org>
Sent: Thursday, August 26, 2004 12:57 AM
Subject: Re: Question about authentication
> I usually perform complex authentication/authorization related checks in
> a servlet filter and attach the results in simpler forms (i.e. boolean
> objects) in the request for actions to access.
Can u show me some links of tutorial on how to authenticate users using
servlet filter??
I think servlet filter may be the most portable way for authenticating user
since declarative authentication on web.xml is dependent on Tomcat.
Thanks
>
> Manos
>
> struts Dude wrote:
>
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
Re: Question about authentication
Posted by Emmanouil Batsis <Em...@eurodyn.com>.
I usually perform complex authentication/authorization related checks in
a servlet filter and attach the results in simpler forms (i.e. boolean
objects) in the request for actions to access. IMHO such checks should
not exist in the JSP pages, even if performed by taglibs; a JSP page
should not be accessed directly anyway but via an action that can
perform the checks (or read them from a context)
hth,
Manos
struts Dude wrote:
>Hi
>I am going to use custom tags for checking
>access to Jsp, if no user/bean bean in session,
>then direct to login page.
>
>And I am also going to check admin bean again
>in Action before invoking life cycle methods
>on business beans.
>
>Now am I over kill with authentication??
>
>I mean, if all JSP pages that require user/admin
>access has custom tag that check for access
>at top, then i don't really need to check
>for authentication in Action classess.
>
>But it may also be good practice to double check
>for whatever reason.
>
>Just curious what's the usual practice u ppl do.
>
>Thanks
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
>For additional commands, e-mail: user-help@struts.apache.org
>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
Re: Question about authentication
Posted by Bob Thomas <rt...@yahoo.com>.
Hi,
I'm fairly new to Struts, so if I'm wrong here, I hope the more experienced will correct me.
If you extend the 'org.apache.struts.action.RequestProcessor' (or the 'org.apache.struts.tiles.TilesRequestProcessor' if you're using Tiles), then you can simply override the 'processPreprocess(...)' method and put your authentication there. That way, your authentication is all in one place, no need to put it in every JSP.
When using this methodology, you want to be sure that your JSPs are not accessed directly, but always accessed via the controller.
Hope this helps.
struts Dude <sc...@slingshot.co.nz> wrote:
Hi
I am going to use custom tags for checking
access to Jsp, if no user/bean bean in session,
then direct to login page.
And I am also going to check admin bean again
in Action before invoking life cycle methods
on business beans.
Now am I over kill with authentication??
I mean, if all JSP pages that require user/admin
access has custom tag that check for access
at top, then i don't really need to check
for authentication in Action classess.
But it may also be good practice to double check
for whatever reason.
Just curious what's the usual practice u ppl do.
Thanks
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
---------------------------------
Do you Yahoo!?
New and Improved Yahoo! Mail - 100MB free storage!