Posted to user@struts.apache.org by Mark Glass <mg...@datalinx.net> on 2002/03/11 22:07:39 UTC

Session management in Struts

I'm developing a web application in Struts that requires a user to have a session before they can use the application. Currently anyone can bypass the logon and use the application. I would like the user to be required to login first. I am saving the user info to session when the user logs in and testing the session for this attribute before allowing them to use the functionality, however this does not work.

Can anyone point me to a paper or tutorial or example which will show me how to do this properly?

Thanks much in advance,
Mark

Re: Session management in Struts

Posted by Rafe Colburn <ra...@rc3.org>.
The example application that comes with Struts has a taglib that
provides this very functionality.  There's a tag that checks to make
sure that the user is properly stored in the session, and if they
aren't, it forwards them to the login page.

On Mon, Mar 11, 2002 at 04:07:39PM -0500, Mark Glass wrote:
> I'm developing a web application in Struts that requires a user to have a session before they can use the application. Currently anyone can bypass the logon and use the application. I would like the user to be required to login first. I am saving the user info to session when the user logs in and testing the session for this attribute before allowing them to use the functionality, however this does not work.
> 
> Can anyone point me to a paper or tutorial or example which will show me how to do this properly?
> 
> Thanks much in advance,
> Mark

-- 
 Rafe Colburn 
 http://rc3.org

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: Session management in Struts

Posted by Ye Tian <yt...@andrew.cmu.edu>.
Dear Mark:

Did you actually check if the session variables about username and pwd info were null or correct at the beginning of those pages? Plus, you need to clear up these session variables after the user logs out.

Ye

Mark Glass wrote:

> I'm developing a web application in Struts that requires a user to have a session before they can use the application. Currently anyone can bypass the logon and use the application. I would like the user to be required to login first. I am saving the user info to session when the user logs in and testing the session for this attribute before allowing them to use the functionality, however this does not work.
>
> Can anyone point me to a paper or tutorial or example which will show me how to do this properly?
>
> Thanks much in advance,
> Mark






Re: Session management in Struts

Posted by Sean Willson <se...@divine.com>.
"Servlet Firewall", that's a pretty cool name. FirewallFilter.java has a
ring to it ;) ...

The only gotchas I have found are that the container you are running this in
has to support the Servlet 2.3 specification. This really has no effect on
Struts at all ... But there are a number of things you can do to make it
integrated into struts however.

One thing we did do was create a root Action class that all classes
subclass. The Authentication Filter's job was to check that someone is
authenticated and forward on to some login action/jsp in the event they
aren't authenticated. The other job is if they are authenticated to place
their authentication token in the request. We have an underlying
authentication system that needs this token to perform anything in any
business tier. Anyhow, the root action takes that token out of the request
and then calls a method called processRequest which is the same as perform
except it passes in the token as the first argument.

Anyhow, not sure I answered your question ... but anyhow, the only gotcha I
know of is the 2.3 Servlet thing. Let me know if you need any other info ...

Sean

----- Original Message -----
From: "Joseph Barefoot" <jo...@hereuare.com>
To: "Struts Users Mailing List" <st...@jakarta.apache.org>
Sent: Monday, March 11, 2002 8:27 PM
Subject: RE: Session management in Struts


> That sounds like a good idea to me....so, this Authentication Filter is sort
> of like a "servlet firewall"?
>
> Hmmm...so you implement javax.servlet.Filter such that an unauthenticated
> user is routed to a login page, and after login the assigned session ids are
> then stored in the servlet context for subsequent authentications.  Then I
> suppose you configure the filter (in the deployment descriptor) for the
> Struts controller servlet and any other non-Struts servlets or resources you
> may have and wish to enforce authentication on.
>
> Neat.  Are there any "gotchas" for Struts or other frameworks when using
> Filters?
>
> --joe
>
> -----Original Message-----
> From: Sean Willson [mailto:sean.willson@divine.com]
> Sent: Monday, March 11, 2002 5:53 PM
> To: Struts Users Mailing List
> Subject: Re: Session management in Struts
>
>
> We accomplished this by writing an Authentication Filter that sits in front
> of all requests to the servlet container. The problem with putting it in a
> Struts Action and then subclassing that (which we did do at one time) is
> that you can only then protect things going through Struts. Which in itself
> isn't a problem IF that's the only framework you plan on using to route
> eventing in your web application. If however you have other needs I
> recommend looking into writing a filter.
>
> You can do anything from creation of a session, setting session/request and
> accessing application scoped variables from within the filter itself.
>
> Sean
>
> ----- Original Message -----
> From: "Mark Glass" <mg...@datalinx.net>
> To: "Struts Users Mailing List" <st...@jakarta.apache.org>
> Sent: Monday, March 11, 2002 3:07 PM
> Subject: Session management in Struts
>
>
> I'm developing a web application in Struts that requires a user to have a
> session before they can use the application. Currently anyone can bypass the
> logon and use the application. I would like the user to be required to login
> first. I am saving the user info to session when the user logs in and
> testing the session for this attribute before allowing them to use the
> functionality, however this does not work.
>
> Can anyone point me to a paper or tutorial or example which will show me how
> to do this properly?
>
> Thanks much in advance,
> Mark




RE: Session management in Struts

Posted by Joseph Barefoot <jo...@hereuare.com>.
That sounds like a good idea to me....so, this Authentication Filter is sort
of like a "servlet firewall"?

Hmmm...so you implement javax.servlet.Filter such that an unauthenticated
user is routed to a login page, and after login the assigned session ids are
then stored in the servlet context for subsequent authentications.  Then I
suppose you configure the filter (in the deployment descriptor) for the
Struts controller servlet and any other non-Struts servlets or resources you
may have and wish to enforce authentication on.

Neat.  Are there any "gotchas" for Struts or other frameworks when using
Filters?

--joe

-----Original Message-----
From: Sean Willson [mailto:sean.willson@divine.com]
Sent: Monday, March 11, 2002 5:53 PM
To: Struts Users Mailing List
Subject: Re: Session management in Struts


We accomplished this by writing an Authentication Filter that sits in front
of all requests to the servlet container. The problem with putting it in a
Struts Action and then subclassing that (which we did do at one time) is
that you can only then protect things going through Struts. Which in itself
isn't a problem IF that's the only framework you plan on using to route
eventing in your web application. If however you have other needs I
recommend looking into writing a filter.

You can do anything from creation of a session, setting session/request and
accessing application scoped variables from within the filter itself.

Sean

----- Original Message -----
From: "Mark Glass" <mg...@datalinx.net>
To: "Struts Users Mailing List" <st...@jakarta.apache.org>
Sent: Monday, March 11, 2002 3:07 PM
Subject: Session management in Struts


I'm developing a web application in Struts that requires a user to have a
session before they can use the application. Currently anyone can bypass the
logon and use the application. I would like the user to be required to login
first. I am saving the user info to session when the user logs in and
testing the session for this attribute before allowing them to use the
functionality, however this does not work.

Can anyone point me to a paper or tutorial or example which will show me how
to do this properly?

Thanks much in advance,
Mark







Re: Session management in Struts

Posted by Sean Willson <se...@divine.com>.
We accomplished this by writing an Authentication Filter that sits in front
of all requests to the servlet container. The problem with putting it in a
Struts Action and then subclassing that (which we did do at one time) is
that you can only then protect things going through Struts. Which in itself
isn't a problem IF that's the only framework you plan on using to route
eventing in your web application. If however you have other needs I
recommend looking into writing a filter.

You can do anything from creation of a session, setting session/request and
accessing application scoped variables from within the filter itself.

Sean

----- Original Message -----
From: "Mark Glass" <mg...@datalinx.net>
To: "Struts Users Mailing List" <st...@jakarta.apache.org>
Sent: Monday, March 11, 2002 3:07 PM
Subject: Session management in Struts


I'm developing a web application in Struts that requires a user to have a
session before they can use the application. Currently anyone can bypass the
logon and use the application. I would like the user to be required to login
first. I am saving the user info to session when the user logs in and
testing the session for this attribute before allowing them to use the
functionality, however this does not work.

Can anyone point me to a paper or tutorial or example which will show me how
to do this properly?

Thanks much in advance,
Mark





Re: Session management in Struts

Posted by Dave Weis <dj...@sjdjweis.com>.
On Mon, 11 Mar 2002, Mark Glass wrote:
> I'm developing a web application in Struts that requires a user to
> have a session before they can use the application. Currently anyone
> can bypass the logon and use the application. I would like the user to
> be required to login first. I am saving the user info to session when
> the user logs in and testing the session for this attribute before
> allowing them to use the functionality, however this does not work.

I'm using the servlet runner security for my stuff. It's a bit different
for Resin compared to Tomcat, but this is how to do it.

In your web.xml file, put something like this:

  <login-config auth-method='form'>
    <form-login-config
      form-login-page='/index.jsp'
      form-error-page='/index.jsp' />
    <authenticator id='com.mycompany.Authenticator' />
  </login-config>

  <security-constraint>
    <web-resource-collection>
      <url-pattern>/main/*</url-pattern>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint role-name='user'/>
  </security-constraint>

Whenever you access a url that starts with main or admin, the servlet
container will make you authenticate. It's built in, so I would rather use
that than try to make my own. You can put links to things inside the
secured area and the login forms appear whenever they are needed. 

The file that contains the login form can also have a field called j_uri
to point you to a specific page after login, like a home section.

<form method="post" action="j_security_check" >
<input type="hidden" name="j_uri" value="/main/index.do" />
Username <input type="text" name="j_username" value="user">
<br>
Password <input type="password" name="j_password" value="pass">
<br>
<input type="submit" name="submit" value="Login">
</form>



-- 
Dave Weis             "I believe there are more instances of the abridgement
djweis@sjdjweis.com   of the freedom of the people by gradual and silent
                      encroachments of those in power than by violent 
                      and sudden usurpations."- James Madison




RE: Session management in Struts

Posted by Joseph Barefoot <jo...@hereuare.com>.
I'm not sure about a paper or tutorial Mark, but we accomplish this by
sub-classing the struts Action class and performing authentication there.
All Action classes in the system except the login Action use this class
(call it CustomAction) as their superclass.  All user information (id,
password, etc.) is maintained in a session-scope Form initialized by the
login Action class.
The "perform" method defined in CustomAction performs authentication before
calling an appropriate method (call it "performAction") that is defined in
the subclass of CustomAction.  This way, the code for user authentication is
in a centralized location and will be called anytime the Struts servlet
controller processes a request.

If all your requests go through Action classes, this should work for you.

hope this helps,
Joe


-----Original Message-----
From: Mark Glass [mailto:mglass@datalinx.net]
Sent: Monday, March 11, 2002 1:08 PM
To: Struts Users Mailing List
Subject: Session management in Struts


I'm developing a web application in Struts that requires a user to have a
session before they can use the application. Currently anyone can bypass the
logon and use the application. I would like the user to be required to login
first. I am saving the user info to session when the user logs in and
testing the session for this attribute before allowing them to use the
functionality, however this does not work.

Can anyone point me to a paper or tutorial or example which will show me how
to do this properly?

Thanks much in advance,
Mark


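The two designs discussed in this thread, Sean's authentication filter in front of the whole container and the root Action that Joe and Sean both describe (a `perform` that authenticates and then hands off to a subclass method), fit together in one file. The code below is an added example, not code from the thread or from Struts: `FirewallFilter`, `AuthToken`, `BaseAction`, `processRequest`, the `auth.token` attribute key, the `/login.jsp` page, the `/login.do` action path and the `login` forward name are all names assumed for illustration, and it targets the Struts 1.0 `perform` API and a Servlet 2.3 container, as Sean's gotcha requires. The login Action is not shown; after validating the credentials it is assumed to call `request.getSession(true)` and store `new AuthToken(userId)` under `FirewallFilter.TOKEN_KEY`, invalidating any session that already exists first so a pre-login session id is not carried over.

```java
// Added example (not from the thread or Struts). All class, method, attribute and
// path names below are assumptions for illustration.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Opaque token the business tier wants; assumed shape, holds only the user id here. */
class AuthToken implements java.io.Serializable {
    private final String userId;
    AuthToken(String userId) { this.userId = userId; }
    String getUserId() { return userId; }
}

/**
 * Mapped in web.xml with <filter-mapping> to <url-pattern>/*</url-pattern>, so it runs
 * before every request whether or not Struts routes it. Needs a Servlet 2.3 container.
 */
public class FirewallFilter implements Filter {
    /** Session attribute the login Action sets, and request attribute BaseAction reads. */
    static final String TOKEN_KEY = "auth.token";
    private String loginPage;

    public void init(FilterConfig config) {
        String p = config.getInitParameter("loginPage");   // optional <init-param>
        loginPage = (p != null) ? p : "/login.jsp";
    }

    /** Paths reachable without a session; without this the redirect below would loop. */
    private boolean isPublic(HttpServletRequest request) {
        String path = request.getServletPath();
        return path.equals(loginPage) || path.equals("/login.do");   // assumed login action
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (isPublic(request)) {
            chain.doFilter(request, response);
            return;
        }
        // getSession(false) never creates a session: no session simply means not logged in.
        HttpSession session = request.getSession(false);
        Object token = (session == null) ? null : session.getAttribute(TOKEN_KEY);
        if (!(token instanceof AuthToken)) {
            response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + loginPage));
            return;   // chain.doFilter() is skipped, so the protected resource never runs
        }
        request.setAttribute(TOKEN_KEY, token);   // hand the token to the Action
        chain.doFilter(request, response);
    }

    public void destroy() { }
}

/** Root Action every Action except the login Action extends (Struts 1.0 "perform" API). */
abstract class BaseAction extends Action {
    public final ActionForward perform(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        AuthToken token = (AuthToken) request.getAttribute(FirewallFilter.TOKEN_KEY);
        if (token == null) {
            // Defence in depth: only reached if the filter-mapping does not cover this URL.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return null;
        }
        return processRequest(token, mapping, form, request, response);
    }

    /** Same contract as perform, with the token passed as the first argument. */
    protected abstract ActionForward processRequest(AuthToken token, ActionMapping mapping,
            ActionForm form, HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException;
}

/** Logout drops the whole session (Ye's point) rather than clearing attributes one by one. */
class LogoutAction extends Action {
    public ActionForward perform(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) {
        HttpSession session = request.getSession(false);
        if (session != null) session.invalidate();
        return mapping.findForward("login");   // assumed forward name
    }
}
```

The `instanceof` check rather than a plain null test is deliberate: an attribute of the wrong type, for example left over from an older deployment, is treated as not logged in. `BaseAction.perform` is `final` so a subclass cannot accidentally override the authentication step; subclasses only ever implement `processRequest`. Mark's original symptom (anyone can bypass the logon) is what the filter-mapping to `/*` closes: the check no longer depends on each page or Action remembering to look in the session.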