Posted to dev@struts.apache.org by Oleg V Alexeev <go...@penza.net> on 2001/06/24 20:29:27 UTC

Re[4]: Controller loads forms before validating logon/session

Hello Martin,

I agree with you. But it is a strange solution, to my mind, to
implement a session attribute check and avoid user or role checking.
This thread was started with a letter about logon checking with a session
attribute. But this is a custom way to implement security constraints -
the standard solution (not in Struts, sure, but in Servlet 2.2) is to define
security constraints in web.xml and use the container's security services.

I think user and role checking are essential to include in the
automated logon checking. But such checking is a special case of
generalized checking of anything and anywhere. It can be, for example, a
simple set of rules, such as those listed in your original letter, user and
role checking, or equivalence between an attribute value and some
constant in some <check-rule> (?) in struts-config. All
variants from the logic taglib (equal, present, greaterThan, etc.) can be
easily implemented to support pre-action checking. Such an approach can
keep logic tags and checking rules in struts-config around a central
notion.

Sunday, June 24, 2001, 8:57:26 PM, you wrote:

MC> Actually, my proposal would be sufficient to cover both examples you
MC> suggested, since they could be implemented using the sessionCheck() method.
MC> However, I think the key is determining the right set of sufficiently common
MC> and useful checks that could be built in, so that only struts-config.xml
MC> need be modified to implement them. As you point out, the one I mentioned
MC> (which I plucked straight from the original post on this thread) is not the
MC> only candidate.

MC> --
MC> Martin Cooper


MC> ----- Original Message -----
MC> From: "Oleg V Alexeev" <go...@penza.net>
MC> To: <st...@jakarta.apache.org>
MC> Sent: Sunday, June 24, 2001 2:03 AM
MC> Subject: Re[2]: Controller loads forms before validating logon/session


>> Hello Martin,
>>
>> Sunday, June 24, 2001, 11:42:13 AM, you wrote:
>>
>> MC> This seems to me to be a "necessary but not sufficient" check. That is, to
>> MC> ascertain that a valid user is logged on, it may be necessary to check for
>> MC> the existence of a particular session attribute, but it is unlikely that
>> MC> such a test, by itself, will be sufficient to make the determination.
>>
>> MC> Here's a somewhat more elaborate suggestion for how logon/session validation
>> MC> might be handled.
>>
>> MC> 1) In struts-config.xml, allow an optional entity <session-check>, which has
>> MC> two optional (and mutually exclusive) attributes, 'attribute' and 'type',
>> MC> and which allows <forward> entities within it.
>>
>> MC> 2) If the 'attribute' attribute is set, Struts will check for the existence
>> MC> of an attribute with this name in the session. If it is not present, and a
>> MC> <forward> named "default" exists, Struts will forward (or redirect)
>> MC> according to that forward.
>>
>> MC> 3) If the 'type' attribute is set, Struts will first instantiate an object
>> MC> of the class specified by that attribute, and then call the sessionCheck()
>> MC> method on that object. This method returns the ActionForward object for
>> MC> where to go next, or null if everything is OK.
>>
>> MC> Does this make sense?
>>
>> It is "necessary but not sufficient" too... 8))
>>
>> I think that the next two additions for <session-check> can be very
>> helpful.
>>
>> 1. Role attribute - if the user is not logged on or is not in the specified
>>    role then forward to the 'hard' forward from the attribute or to
>>    the 'soft' forward via the object (specified by the type attribute).
>> 2. User attribute - if the user is not logged on or his name is not equal
>>    to the 'user' attribute value, then use the 'hard' or 'soft' forwards
>>    as the target to jump to.
>>
>> --
>> Best regards,
>>  Oleg                            mailto:gonza@penza.net
>>
>>

-- 
Best regards,
 Oleg                            mailto:gonza@penza.net
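The <session-check type="..."> idea from the quoted proposal, sketched in code as an added example (this is not Struts code and not from either participant in this thread). The SessionCheck interface, the sessionCheck(HttpServletRequest) signature, the class, attribute, role and page names, and the config fragment in the comment are all assumptions; the check combines the session-attribute test with the container's user and role information, which is the "necessary but not sufficient" point Martin makes and the role check Oleg asks for.

```java
// Hypothetical struts-config fragment this class would be wired into:
//   <session-check type="example.LogonAndRoleCheck">
//     <forward name="default" path="/logon.jsp"/>
//   </session-check>
package example;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.ActionForward;

/** Assumed contract for the 'type' attribute of <session-check>. */
interface SessionCheck {
    /** Returns where to go instead, or null if the request may proceed. */
    ActionForward sessionCheck(HttpServletRequest request);
}

public class LogonAndRoleCheck implements SessionCheck {

    // Constructed names for this illustration.
    private static final String LOGON_ATTR = "logonUser";
    private static final String REQUIRED_ROLE = "editor";
    private static final String LOGON_PAGE = "/logon.jsp";
    private static final String DENIED_PAGE = "/denied.jsp";

    public ActionForward sessionCheck(HttpServletRequest request) {
        // Necessary: the application's own logon marker must be in the session.
        // getSession(false) avoids creating a session for an anonymous request.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(LOGON_ATTR) == null) {
            return new ActionForward(LOGON_PAGE, true);   // redirect to logon
        }
        // Not sufficient on its own: the container must also know the user.
        // getRemoteUser() is null when no container authentication took place.
        if (request.getRemoteUser() == null) {
            return new ActionForward(LOGON_PAGE, true);
        }
        // Role check, as in the proposed 'role' attribute: the container's
        // security services decide membership, not a session value.
        if (!request.isUserInRole(REQUIRED_ROLE)) {
            return new ActionForward(DENIED_PAGE, false);  // forward, no redirect
        }
        return null;    // everything OK, let the action run
    }
}
```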