Struts/Tomcat: Implementing Login Overview

I have the same problem everyone does - how do I make a login? I know enough to be dangerous, but would like more guidance. Here is what I need to do -
- Get a user name/password and match it to a db backend
- Ensure if a user isn't logged in, they are forwarded to the login page
- Force a user to login if they haven't expressly logged out after a period of time
- I need to account for cookies being turned off and so may need to ensure the session id is written into the url each time
- The webapp will eventually be used via HTTPS (SSL)
Here is what I think is true -
- Since I'm using Tomcat, I could try using the features here to implement protected resources. This wouldn't let me use the db for comparing the user info, if I understand correctly? Also, the FORM version of authentication wouldn't be going through the struts framework?
- I could put code at the beginning of all my struts actions and check for session variables. This route would be cumbersome to maintain, as I would need to update all my actions. I could make a class that was simply called by each action, but it still seems a tad garish.
- I could overload the action class, but this is beyond my skills right now, and I don't want to start mucking around with such things (unless you all tell me I have to). This would let me put the check in all the classes automatically.
- I came across something about using J2EE features (A and I was the only mention), but I dont' know what this really does or doesn't provide.
That being said, I worked through the struts-example, which contains a custom tag library. If I understand it properly, I could simply put the custom tag in each jsp of mine and it would handle checking for if a user was logged in. Is that a 'good' way to go?
All that being said, which approach would seem best suited to what I need?
Best Regards,
Aaron R>

<quote>
- I could put code at the beginning of all my struts actions and check for session variables. This route would be cumbersome to maintain, as I would need to update all my actions. I could make a class that was simply called by each action, but it still seems a tad garish.
</quote>
I find this easier to maintain rather than use custom tags.
For each form I have a show and save action. I usually put this code the show part.
User user = (User) session.getAttribute (Constants.USER_KEY); if (!action.equals("Report")) { if (user == null) { if (servlet.getDebug() >= 1) servlet.log(" User is not logged on in session " + session.getId()); return (mapping.findForward("logon")); } }
It's not pretty but it's easier than using a custom tag. I am not a big fan of encapsulating business/serverside logic in custom tags. I find custom tags difficult to debug and manage. It's also very difficult to get non programmers ( web page designers) to use custom tags.
Putting the stuff in another class gives you some additional leverage though. If your system needs to add security you could add a checkPrivilege / checkPermission method to this class to incorporate security. This class could also have as asimple audit/logging functionality.
Ideally you would want to overload the Action class, but it's probably not worth touching that stuff.
HTH
Ravi
[ September 12, 2002: Message edited by: Ravi Veeraghanta ]

Say I have an object "User" which represents (oddly enough) the user logged into my app. This object only exists after they "log on", when it is put into session, so I do two things.
1. In my actions I always check for the presence of "user". If it's not there send them to the appropriate log in screen.
2. In the jsps, I use custom tags to check for the presence of the user object. I use the struts tag <logic: present/> to accomplis this. Keep the code out of your jsps as much as humanly possible.

Thanks for the insight. If I want to use a custom tag library, can you provide some help as to setting it up? I think the struts-example app uses a custom taglib for something similiar.
I have a dev tree like the following -
web - all my css,jsp, etc
java
---com
----myproject
-----actions - action classes
-----dbclasses - the classes to access the db
-----forms - the actionforms
Where would I put the various tag libary files?
Thanks,
Aaron R>

You don't need to create your own, you could use the struts taglib if you wanted.
The user logs in with the action LoginAction. This action creates a user object and places it into session.
Each jsp has something like this in the begining of it:
<logic:notPresent name="user" scope="session"> <logic:forward name="login"/> </login:notPresent >
The above will check the session for a bean called user. If it's not there it will forward to your global login action. Depending on your implementation maybe you want to use the "property" attribute with the notPresent tag in order to ensure that some particular field of the user object is not null.
In addition I would add some code in your actions to do the same thing.
User user = request.getSession().getAttribute("user"); if (user == null) return mapping.findForward("login");
If you feel certain a user will never directly access a jsp (I always play it safe and never assume this), you could leave the part in the jsp out and just rely on your action to do the checking.
The nuances of how you implement this will of course depend on your app. But if for some reason you insist on using your own custom tag, and this custom tag is particular to this application, I would probably put it somewhere like com.myproject.taglib.

I have a question on this :
if you redirect a user to a login page in this way, how can you send him back to the login page the user originally came from?

could someone clarify this with a small example?

Thanks a lot!!!