I'll suggest option #3: Hide all JSPs under /WEB-INF/pages (or something like that) so you need actions (or ForwardActions) to internally get to the JSP pages. Then, you can modify the RequestProcessor.processRoles() method to perform your security check for the session scope's userID object or redirect to a login page if no such object (or no session) exists. I've done this myself once or twice. :)
Regards,
David

-----Original Message-----
From: Jim Douglas [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 19, 2005 10:40 PM
To: user@struts.apache.org
Subject: Session Strategy

To all,

I have a web application that sets a session attribute with userID and a timeout in the config file that times out after 5 minutes in case the user walks away.

I am trying to figure out the best strategy to deal with cases where the user comes back after 5 minutes and clicks on a button anywhere in the app that requires that attribute that just expired to have a valid value.

Should I,

1> Put code like this in the JSP,

    <c:if test="${empty sessionScope.userID}">
        <%-- forward to login page.... --%>
    </c:if>

2> Or should I just put all the code in the class files, something like this,

    Integer userID = (Integer) request.getSession().getAttribute("userID");
    if (userID == null) {
        return mapping.findForward("failure");
    }

Or 3> ??

I'm open to suggestions!

Thanks,
Jim

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
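One way to implement the processRoles() check suggested in the reply above, as an added example that is not code from this thread or from the Struts project. It targets Struts 1.x; the class name, the "/login" action path and the "/login.do" URL are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

// Hypothetical class name. Register it in struts-config.xml with
//   <controller processorClass="SessionCheckRequestProcessor"/>
public class SessionCheckRequestProcessor extends RequestProcessor {

    // Assumed action paths that must stay reachable without a login;
    // without this exemption the login action would redirect to itself.
    private static final Set<String> PUBLIC_PATHS =
            new HashSet<String>(Arrays.asList("/login"));

    // Assumed URL of the login action, relative to the context path.
    private static final String LOGIN_URL = "/login.do";

    @Override
    protected boolean processRoles(HttpServletRequest request,
                                   HttpServletResponse response,
                                   ActionMapping mapping)
            throws IOException, ServletException {
        if (!PUBLIC_PATHS.contains(mapping.getPath())) {
            // getSession(false) never creates a session, so an expired or
            // missing session shows up as null instead of a fresh empty one.
            HttpSession session = request.getSession(false);
            Object userID = (session == null) ? null : session.getAttribute("userID");
            if (userID == null) {
                response.sendRedirect(response.encodeRedirectURL(
                        request.getContextPath() + LOGIN_URL));
                return false; // response is complete; the Action is not invoked
            }
        }
        // Keep the stock check of the mapping's "roles" attribute.
        return super.processRoles(request, response, mapping);
    }
}
```

This check only covers requests that pass through the ActionServlet, which is why the reply pairs it with moving the JSPs under /WEB-INF, where the container refuses direct requests.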