The two approaches I have successfully used are container managed authentication & Filters.
Filters are simpler & more flexible than container managed authentication, so unless you need a particular feature of CMA (e.g. automatic propagation of credentials to EJBs) I wouldn't recommend it. I believe, though I haven't used it, that there is a free package called SecurityFilter which does lots of cool things for you.

Paul

> -----Original Message-----
> From: Scott Purcell [mailto:[EMAIL PROTECTED]
> Sent: 08 April 2005 15:28
> To: user@struts.apache.org
> Subject: Authorized Site Creation With Struts
>
> Hello,
> First off, I am having trouble with creating a more elegant solution to a problem.
>
> A- Problem, I have a site that requires authentication (form-based) when they hit our site. Upon building the site which requires an "AppObject" and "UserObject", I subclassed the RequestProcessor, and put in logic to ensure that both objects existed.
>
> This works good.
>
> Next, I needed to find out when a user's session expired. Upon further investigation, I subclassed an Action class and added a new executeAction(signature) that pulled in the AppObject and UserObject that were in the session from the Request Processor.
>
> I then checked if the UserObject had a logged-in flag. If so, great, they can work, else I would throw them to the front door and create an ActionMessage that says "Session Expired".
>
> All of this works, and does its job. Problem is now, I am not happy with my creation. It screwed with my ability to use DispatchAction and LookupDispatchAction. Two things I wasn't sure I would need when I began.
>
> Anyway, I have searched and searched, and was hoping someone may have a better way to handle this session-management possibly all in the RequestProcessor?
>
> The problem I am finding, is that I create new UserObject and AppObject each time someone comes through, because I do not know if they are new or returning users. It is not until they are looking for an inside page, that I am aware they are not valid.
>
> Does this make sense? I figured a lot of you out there may have this same type of secure site. Any ideas?
>
> Thanks,
>
> Scott K Purcell
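
The Filter approach recommended in the reply, as an added example (not code from either poster or from the SecurityFilter package): the session check runs before any Struts Action, so DispatchAction and LookupDispatchAction stay usable, and an expired session is told apart from a first visit. The `LoggedInUser` interface, the `UserObject` attribute name, the `/login.do` path and the `reason` parameter are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example: session check in a servlet Filter, ahead of any Struts Action. */
public class AuthFilter implements Filter {
    /** Hypothetical stand-in for the UserObject in the original message. */
    public interface LoggedInUser { boolean isLoggedIn(); }

    static final String USER_KEY = "UserObject";   // assumed session attribute name
    static final String LOGIN_PATH = "/login.do";  // assumed form-login mapping

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // The login page itself must stay reachable. Exact match only, so a
        // crafted prefix or extra path info cannot widen the exemption.
        if (LOGIN_PATH.equals(req.getServletPath()) && req.getPathInfo() == null) {
            chain.doFilter(rq, rs);
            return;
        }

        // getSession(false): never create a session for an unauthenticated request.
        HttpSession session = req.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(USER_KEY);
        if (user instanceof LoggedInUser && ((LoggedInUser) user).isLoggedIn()) {
            chain.doFilter(rq, rs);
            return;
        }

        // The browser sent a session id the container no longer knows: the
        // session expired. No id at all means a first-time visitor.
        boolean expired = req.getRequestedSessionId() != null
                && !req.isRequestedSessionIdValid();
        // Everything else fails closed: redirect to the login form.
        res.sendRedirect(req.getContextPath() + LOGIN_PATH
                + (expired ? "?reason=expired" : ""));
    }
}
```

The filter takes effect once it is declared in `web.xml` with a `<filter-mapping>` that covers the protected URLs, which places it ahead of the Struts ActionServlet.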