You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@struts.apache.org by Matt Read <mr...@dircon.co.uk> on 2002/03/05 03:20:25 UTC
validate() and session expiry
I've got a problem and I'm not sure whether it's my poor design or a struts
limitation. I'd appreciate it if someone can shed some light. Let me know if
you require more details.
I have an action mapping for an "update my profile" page with an associated
ActionForm and validate="true". In order to navigate to this form the user
has to login first. The Action itself checks that the user is logged in in
the perform() method. If he isn't then he's forwarded back to the login
action. This all works fine in the case where the session expires and the
user clicks on the link to take him to the form because he gets forwarded to
the login page.
My problem is that if he navigates to this form, then waits for the session
to timeout then clicks submit then the validate() method on the ActionForm
is called BEFORE the perform() method on the Action itself. In my case the
validation fails as it relies on being able to read data from the session.
I can see a solution where in validation() methods I check that the session
is still valid but this seems clumsy to me. Is it good MVC design for the
request to be handled by the Model before the Controller gets to see it? Am
I incorrectly putting business logic into the validation() method when it
should be dealt with further down the chain? Or should I be handling my
authentication and session management in a subclass of the ActionServlet?
I'd appreciate any insights.
Matt.
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: validate() and session expiry
Posted by Bryan Field-Elliot <br...@netmeme.org>.
On Mon, 2002-03-04 at 19:20, Matt Read wrote:
I can see a solution where in validation() methods I check that the session
is still valid but this seems clumsy to me. Is it good MVC design for the
request to be handled by the Model before the Controller gets to see it? Am
I incorrectly putting business logic into the validation() method when it
should be dealt with further down the chain? Or should I be handling my
authentication and session management in a subclass of the ActionServlet?
I'd appreciate any insights.
Matt.
You're putting too much business logic in the form's validate() method.
Struts best-practices dictacte that "form validation" should really be
thought of as a two-phase process.
Phase 1 should check for basic form correctness (e.g. did they really
put a valid number in the text field meant for a number? Is this a valid
date? Did they remember select a radio button value?). This phase should
be handled by the form bean's validate() method.
Phase 2 should be put into your Actions themselves, and should be the
business logic validation (e.g. is the user logged in? Is the date they
entered a valid date as far as the database of available dates is
concerned? Is the name they entered a valid name as far as the database
is concerned?).
As a side note - the phase 1 validation (calling the validate() method)
doesn't have to be done automatically by Struts. You can set
"validate=false" in your Action definition (struts-config.xml), and call
validate() manually from within your action if you choose. This is
useful when sometimes you want validation, sometimes you don't. For
example I often have one Action which handles record creation as well as
editing. Often I want validation in the create use-case, but not in the
edit use-case, and so I manually call validate() from the action rather
than have Struts do it automatically.
Bryan
RE: validate() and session expiry
Posted by Chuck Cavaness <ch...@mediaone.net>.
Your problem is slightly different than ours. In our application, the user
had to be logged in to go anywhere. This mechanism was a way to catch the
problem when a user has already logged in and let's the session timeout.
They then invoke an action that has a form that uses the session object for
something, like getting the user's Locale. Although I agree with Bryan that
having anything other than presentation validation in the ActionForm is
dangerous, let's face it; sometimes we do stupid things.
Chuck
At 02:50 AM 3/5/2002 +0000, you wrote:
>Thanks, that sounds like a good solution. My only reservation is that in
>processPreprocess() you'd have to effectively hard-code a list of the
>request paths that require a user to login. I suppose you have to do it
>somewhere though.
>
>Matt.
>
>-----Original Message-----
>From: Chuck Cavaness [mailto:chuckcavaness@mediaone.net]
>Sent: 05 March 2002 02:34
>To: Struts Users Mailing List
>Subject: Re: validate() and session expiry
>
>
>We had the same issue to deal with. What we did was in our ActionServet
>(which subclassed Struts ActionServlet), was to override the
>"processPreprocess" method, which is called for every request. We checked
>the session there, instead of in every Action perform method. If the
>session is expired or the user isn't logged in, we perform a redirect to
>the login page. This worked out very nicely and also allowed us to remove
>the check in the Action classes, since this method is called before the
>ActionForm validate and the Action perform method.
>
>In 1.1, this method is moved to the RequestProcessor class, but it works
>the same way. I'm sure there are other solutions, but this is one approach.
>
>Chuck Cavaness
>
>At 02:20 AM 3/5/2002 +0000, you wrote:
> >I've got a problem and I'm not sure whether it's my poor design or a struts
> >limitation. I'd appreciate it if someone can shed some light. Let me know
>if
> >you require more details.
> >
> >I have an action mapping for an "update my profile" page with an associated
> >ActionForm and validate="true". In order to navigate to this form the user
> >has to login first. The Action itself checks that the user is logged in in
> >the perform() method. If he isn't then he's forwarded back to the login
> >action. This all works fine in the case where the session expires and the
> >user clicks on the link to take him to the form because he gets forwarded
>to
> >the login page.
> >
> >My problem is that if he navigates to this form, then waits for the session
> >to timeout then clicks submit then the validate() method on the ActionForm
> >is called BEFORE the perform() method on the Action itself. In my case the
> >validation fails as it relies on being able to read data from the session.
> >
> >I can see a solution where in validation() methods I check that the session
> >is still valid but this seems clumsy to me. Is it good MVC design for the
> >request to be handled by the Model before the Controller gets to see it? Am
> >I incorrectly putting business logic into the validation() method when it
> >should be dealt with further down the chain? Or should I be handling my
> >authentication and session management in a subclass of the ActionServlet?
> >
> >I'd appreciate any insights.
> >Matt.
> >
> >
> >--
> >To unsubscribe, e-mail:
><ma...@jakarta.apache.org>
> >For additional commands, e-mail:
><ma...@jakarta.apache.org>
>
>
>
>--
>To unsubscribe, e-mail: <ma...@jakarta.apache.org>
>For additional commands, e-mail: <ma...@jakarta.apache.org>
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
RE: validate() and session expiry
Posted by Matt Read <mr...@dircon.co.uk>.
Thanks, that sounds like a good solution. My only reservation is that in
processPreprocess() you'd have to effectively hard-code a list of the
request paths that require a user to login. I suppose you have to do it
somewhere though.
Matt.
-----Original Message-----
From: Chuck Cavaness [mailto:chuckcavaness@mediaone.net]
Sent: 05 March 2002 02:34
To: Struts Users Mailing List
Subject: Re: validate() and session expiry
We had the same issue to deal with. What we did was in our ActionServet
(which subclassed Struts ActionServlet), was to override the
"processPreprocess" method, which is called for every request. We checked
the session there, instead of in every Action perform method. If the
session is expired or the user isn't logged in, we perform a redirect to
the login page. This worked out very nicely and also allowed us to remove
the check in the Action classes, since this method is called before the
ActionForm validate and the Action perform method.
In 1.1, this method is moved to the RequestProcessor class, but it works
the same way. I'm sure there are other solutions, but this is one approach.
Chuck Cavaness
At 02:20 AM 3/5/2002 +0000, you wrote:
>I've got a problem and I'm not sure whether it's my poor design or a struts
>limitation. I'd appreciate it if someone can shed some light. Let me know
if
>you require more details.
>
>I have an action mapping for an "update my profile" page with an associated
>ActionForm and validate="true". In order to navigate to this form the user
>has to login first. The Action itself checks that the user is logged in in
>the perform() method. If he isn't then he's forwarded back to the login
>action. This all works fine in the case where the session expires and the
>user clicks on the link to take him to the form because he gets forwarded
to
>the login page.
>
>My problem is that if he navigates to this form, then waits for the session
>to timeout then clicks submit then the validate() method on the ActionForm
>is called BEFORE the perform() method on the Action itself. In my case the
>validation fails as it relies on being able to read data from the session.
>
>I can see a solution where in validation() methods I check that the session
>is still valid but this seems clumsy to me. Is it good MVC design for the
>request to be handled by the Model before the Controller gets to see it? Am
>I incorrectly putting business logic into the validation() method when it
>should be dealt with further down the chain? Or should I be handling my
>authentication and session management in a subclass of the ActionServlet?
>
>I'd appreciate any insights.
>Matt.
>
>
>--
>To unsubscribe, e-mail:
<ma...@jakarta.apache.org>
>For additional commands, e-mail:
<ma...@jakarta.apache.org>
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: validate() and session expiry
Posted by Chuck Cavaness <ch...@mediaone.net>.
We had the same issue to deal with. What we did was in our ActionServet
(which subclassed Struts ActionServlet), was to override the
"processPreprocess" method, which is called for every request. We checked
the session there, instead of in every Action perform method. If the
session is expired or the user isn't logged in, we perform a redirect to
the login page. This worked out very nicely and also allowed us to remove
the check in the Action classes, since this method is called before the
ActionForm validate and the Action perform method.
In 1.1, this method is moved to the RequestProcessor class, but it works
the same way. I'm sure there are other solutions, but this is one approach.
Chuck Cavaness
At 02:20 AM 3/5/2002 +0000, you wrote:
>I've got a problem and I'm not sure whether it's my poor design or a struts
>limitation. I'd appreciate it if someone can shed some light. Let me know if
>you require more details.
>
>I have an action mapping for an "update my profile" page with an associated
>ActionForm and validate="true". In order to navigate to this form the user
>has to login first. The Action itself checks that the user is logged in in
>the perform() method. If he isn't then he's forwarded back to the login
>action. This all works fine in the case where the session expires and the
>user clicks on the link to take him to the form because he gets forwarded to
>the login page.
>
>My problem is that if he navigates to this form, then waits for the session
>to timeout then clicks submit then the validate() method on the ActionForm
>is called BEFORE the perform() method on the Action itself. In my case the
>validation fails as it relies on being able to read data from the session.
>
>I can see a solution where in validation() methods I check that the session
>is still valid but this seems clumsy to me. Is it good MVC design for the
>request to be handled by the Model before the Controller gets to see it? Am
>I incorrectly putting business logic into the validation() method when it
>should be dealt with further down the chain? Or should I be handling my
>authentication and session management in a subclass of the ActionServlet?
>
>I'd appreciate any insights.
>Matt.
>
>
>--
>To unsubscribe, e-mail: <ma...@jakarta.apache.org>
>For additional commands, e-mail: <ma...@jakarta.apache.org>
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>