This approach is also useful for other logged in redirection type things on login, such as checking to see a logged in user has agreed to the latest Terms of Service.
> -----Original Message----- > From: Günther Wieser [mailto:[EMAIL PROTECTED] > Sent: Monday, March 07, 2005 7:04 PM > To: 'Struts Users Mailing List' > Subject: RE: session.invaludate(); not working in LogoffAction > > i prefer to write my own RequestProcessor which does all the checking and > handling in case of "user not logged in". > and even more preferable is to implement J2EE security which was > suprisingly > simple (at least for Resin). > > i wrote an example for the request processor stuff a few days ago here in > the list, here it is again: > ---------------------- > public class MyRequestProcessor extends TilesRequestProcessor { > > public void process(HttpServletRequest req, HttpServletResponse res) > throws IOException, ServletException { > HttpSession session = req.getSession(); > String path = super.processPath(req, res); > String url = req.getRequestURL().toString(); > String queryString = req.getQueryString(); > // the next lines are there to allow deep linking > // we store the url that has been requested for future use > if ((queryString!=null) && (!"".equals(queryString))) { > url = url + "?" + queryString; > } > if (session.getAttribute(Constants.SESSION_LOGIN_REFER_KEY) > == null) { > if (url != null) { > > session.setAttribute(Constants.SESSION_LOGIN_REFER_KEY, url); > } > else { > //TODO: get main URL from property > > session.setAttribute(Constants.SESSION_LOGIN_REFER_KEY, > "http://localhost:8080/WebCreator/index.do";); > } > } > // no comes the important stuff > if (!checkForRealm(session)) { > if (!"/login".equals(path)) { > super.doForward("/login.do", req, res); > } > } > super.process(req, res); > } > > protected boolean checkForRealm(HttpSession session) > throws ServletException, IOException { > if (session.getAttribute(Constants.SESSION_USER_KEY) != null > ) { > return true; > } > else { > return false; > } > } > } > > so what it does is: > - get the current requested url for further reference and stores it in the > session if an atrribute with the same key does not exist (see "deep > linking" > below") > - then it checks the session for the realm (that is the attribute that you > use to say "the user is logged in") > - if it does not exist and if the request didn't go to /login.do, it > forwards the request to the action /login.do (which is a simple html with > username/password field) > - if it exists it redirects to the super class to process the request as > usual > - you need to implement the checkRealm() method with whatever you need to > check, my example is really simple but very common > > with extending TileRequestProcessor (don't care that i extend > TilesRequestProcessor, you can extend the standard request processor the > same way) and adding the lines in struts-config.xml, each request that > hits > the struts action servlet will go through MyRequestProcessor BEFORE the > typical struts tasks (action, form beans filling, etc) start. so this is > the > right place to check security, authorization and authentication. > > regarding "deep linking": i want my customers to be able to store a > bookmark > that points deep into the system. when they request this bookmark, they of > course need to login first. so i store the requested url in the session, > and > if the login is successfull, i send a redirect to the browser to disply > the > page the user requested with his bookmark. > this is done by sending a meta refresh command in the head of the > resulting > "login ok" page, with the url containing the session attribute that has > been > store with "session.setAttribute(Constants.SESSION_LOGIN_REFER_KEY, url)" > > hope that helps, feel free to ask more if something is unclear. > ----------------------- > > kr, > guenther > > -----Original Message----- > From: Leon Rosenberg [mailto:[EMAIL PROTECTED] > Sent: Monday, March 07, 2005 10:52 PM > To: 'Struts Users Mailing List' > Subject: Re: session.invaludate(); not working in LogoffAction > > Graig will blame for not using Filters (they would do the job too), but > I'd > say "yes": > > Create a "BaseAction", all your actions are extending from, with: > > public ActionForward execute( > ActionMapping mapping, > ActionForm bean, > HttpServletRequest req, > HttpServletResponse res) > throws Exception { > > > if (isAuthorizationRequired()){ > boolean authorized = checkAuthorization(req); > if (!authorized){ > String redUrl = > req.getContextPath()+"your_login_action_path"; > res.sendRedirect(redUrl); > return null; > > } > } > ActionForward forward = doExecute(mapping, bean, req, res); > return forward; > } > > protected abstract boolean isAuthorizationRequired(); > > > public abstract ActionForward doExecute( > ActionMapping mapping, > ActionForm af, > HttpServletRequest req, > HttpServletResponse res) > throws Exception; > > Now in actions you want to protect overwrite authorizationRequired > returning > true. > And implement the checkAuthorization method, a good strategy is to put > something in the session on login, and check if it's there (userId for > example fits perfectly), on logout simply remove this attribute again. > > I would also recommend to provide overwritteable init/deInit actions and > common error handling. > > Implement your code in doExecute. > > You may make execute final, but sometimes you will want to overwrite this > as > well. > > Regards > Leon > > > > -----Ursprüngliche Nachricht----- > > Von: David Johnson [mailto:[EMAIL PROTECTED] > > Gesendet: Montag, 7. März 2005 22:44 > > An: Struts Users Mailing List > > Betreff: session.invaludate(); not working in LogoffAction > > > > hi all > > > > have a logoff action, and inside it I do the following. > > > > // Clean up the session if there is one HttpSession session = > > request.getSession(); session.invalidate(); > > > > When I watch what's happening in the manager application (I'm using > > Tomcat) the number of sessions does not decrease, and I can back up in > > the browser and call actions, all of which have code to check for a > > valid session.. > > > > This raises a question.. what's the best way in my web-app to make > > sure the user is valid? should I check in **every** action? > > > > -- > > -Dave > > [EMAIL PROTECTED] > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
