Or better yet, create a Login interceptor or Login filter that checks the
session and redirects to the login page if the required key is not there. Make
package(s) of the actions you want to expose to authenticated users only and
put the interceptor into that package's interceptor stack.

On 6/27/07, Wesley Wannemacher <[EMAIL PROTECTED]> wrote:

Hello Session,

See replies in context below -

> -----Original Message-----
> From: Session Mwamufiya [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, June 26, 2007 11:58 PM
> To: 'Struts Users Mailing List'
> Subject: Struts 2 Login example using a session
>
> Hi,
>
> I tried to follow the simple login example at
> http://struts.apache.org/2.x/docs/simplelogin-with-session.html, but
> there are many things that I don't get:
> - first, it's written for webworks, not struts 2, are there any
> compatibility issues between the two?

I read that page and I would say that other than using <s: instead of
<ww:, there are not any compatibility issues (and that isn't a real
issue, one more of style).

> - second, the session is never set with a timeout attribute, how do we
> actually enforce a timeout?

The session timeout period is controlled by the app server as far as I
know. For instance, I have the following using Tomcat4 -

    <session-config>
        <session-timeout>480</session-timeout>
    </session-config>

> - third, do we need to include a line like
> <jsp:include page="WEB-INF/inc/loginCheck.jsp" /> at the
> beginning of every jsp file in our web app to check whether the user
> is still logged in; or is there a more general way of ensuring that.

I took a different approach than the authors of that page (and may
update the wiki with my code if people feel it is appropriate). First
off, I created a global result named "login" in a global package. When
this result is encountered, it redirects to the Login action. Next, I
created a class that implemented SessionAware and put all of the login
logic in that class. Every action that needs to enforce a login inherits
from that class. With my way, you can avoid includes... If I don't want
to inherit from that "Authenticated" action, I can create a custom tag
with the same logic (check the session for a user object, if not there,
redirect to the Login action).




Thanks,

Session A. Mwamufiya
Carnegie Mellon University
MBA | Tepper School of Business
MSE (software eng.) | School of Computer Science
T: (412) 508-5455 | [EMAIL PROTECTED]



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
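
The login interceptor suggested in the reply at the top of this thread, combined with the global "login" result described in the quoted message, as an added example that is not code from the thread or from the Struts project. The session key `user`, the package name `example`, and the stack names are assumptions.

```java
package example;

import java.util.Map;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/**
 * Added example: returns the "login" result unless the session holds a user object.
 *
 * Wiring in struts.xml (package and stack names are hypothetical):
 *
 *   <package name="secure" extends="struts-default">
 *     <interceptors>
 *       <interceptor name="loginCheck" class="example.LoginInterceptor"/>
 *       <interceptor-stack name="secureStack">
 *         <!-- first in the stack: reject before parameters are bound -->
 *         <interceptor-ref name="loginCheck"/>
 *         <interceptor-ref name="defaultStack"/>
 *       </interceptor-stack>
 *     </interceptors>
 *     <default-interceptor-ref name="secureStack"/>
 *     <global-results>
 *       <!-- "redirect-action" in Struts 2.0.x, "redirectAction" from 2.1 -->
 *       <result name="login" type="redirect-action">Login</result>
 *     </global-results>
 *     ...actions for authenticated users only...
 *   </package>
 *
 * The Login action itself lives in a package that does not use secureStack,
 * otherwise the redirect would loop.
 */
public class LoginInterceptor extends AbstractInterceptor {

    // Assumed session key; the login action must store the user object under it.
    public static final String USER_KEY = "user";

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        Map<String, Object> session = invocation.getInvocationContext().getSession();

        // Fail closed: no session map or no user object means not authenticated.
        if (session == null || session.get(USER_KEY) == null) {
            return Action.LOGIN; // the string "login", matched by the global result
        }
        // Authenticated: continue with the rest of the stack and the action.
        return invocation.invoke();
    }
}
```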

