Struts2 + Authentication + Convention

 
Ranch Hand
Posts: 47
Let's say I have a jsp page that I want to be secure, aka you have to be logged in to visit. For all of the secure pages that actually require some work to be done, this is ok, because the workflow is: 1) Click link to secure page, "/secure-page", 2) This triggers action SecurePage.java, 3) Then successfully direct to /secure-page.jsp. The action is intercepted by the interceptor and I can be checked if I'm authenticated.

Some pages however, don't need any work to be done so there isn't a need for a class. In non secure cases this is fine. Click link to "/insecure-page" and the result is "/insecure-page.jsp". In secure cases, I don't want "/secure-page" to go to "/secure-page.jsp" but I also don't want to make an empty action class for every page JUST so that an interceptor can say, "hey that action is being fired but we're not logged in, redirect to login page".

Is this possible? The book I'm reading uses empty classes to solve this problem and I'm not a huge fan.
 
Ranch Hand
Posts: 213
You could use a filter. See this for an example.
 
Pj Casaro
Ranch Hand
Posts: 47
Is that an alternative to interceptor based authentication? Sorry for sounding dumb, I'm just reading through a book and that's one of the first things I learned.

I assume this "security filter" is for login/authentication? Let's say I'm not logging into a site but for some reason or another I do need a custom interceptor. I want this custom interceptor to be invoked when I try to access a certain jsp but without creating a class. Is that possible? I don't know when or why I would need to do this, I'm just curious.

I also can't seem to find documentation on that website as to how to use this but maybe I'm just not looking hard enough.

Thanks for the input!
 
Author
Posts: 12617
Packages are one way to separate which interceptors are run for given actions.
 
Pj Casaro
Ranch Hand
Posts: 47
Yes, I understand that. My question, however, has to do with the absence of a specific action. For example, let's say I have a form that the user needs to fill out, but I only want users that are logged in to be able to access this form. There's no real logic involved in producing the form, it's just a .jsp page, but in order to make sure that only logged-in users can get to this jsp page, using interceptors and packages, I still am forced to create a class, an empty one with no code in it, just so that when I type /secure-form, I first hit SecureForm.java, which triggers the interceptor to fire.
 
David Newton
Author
Posts: 12617
The package containing the actions w/o security requirements would not contain the security interceptor.
 
David Newton
Author
Posts: 12617
Oh, no, I misunderstood what you're saying.

Redefine the default package for convention-based actions.
 
Pj Casaro
Ranch Hand
Posts: 47
Ah, how do I do that? I never saw anything on the convention plugin page saying how to do that, or maybe I just missed it because I didn't know what to look for.
 
David Newton
Author
Posts: 12617
plugin constants, at the bottom
 
Pj Casaro
Ranch Hand
Posts: 47
Thanks, I'll look into that!
 
Pj Casaro
Ranch Hand
Posts: 47
I was looking over the plugin constants and this is the one that looked like the closest to what you're describing:

struts.convention.default.parent.package | convention-default | Default parent package for action mappings

although I'm not sure how changing this would be helpful.
 
Pj Casaro
Ranch Hand
Posts: 47
It seems like I have a limited number of options to deal with this problem and I don't particularly like any of them.

1) Make a class to back up every single jsp that I have in a secure location. That just seems redundant and overkill.
2) Create a filter on all pages that I need in a secure location. That seems like a good idea at first but I'm not really sure of the difference between filters and interceptors, except that filters can act on URLs and actions, and interceptors can only work on actions. From that it seems that filters are better than interceptors, but the book I'm reading seems to be big on struts 2's interceptors. So there must be a reason for them.
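
Added example, not part of any post in this thread and not code from the Struts project: one way to apply the "redefine the default package" suggestion so that a JSP with no action class still passes through a login check. The package name `com.example.web`, the `secure-default` package, the `secureStack` stack, the `user` session key and the `login` action name are all assumptions.

```java
// Added example. Assumed names: com.example.web, "secure-default", "secureStack",
// the "user" session key and the "login" action. Targets Struts 2.x on javax.servlet.
//
// struts.xml: every convention-mapped action, including a JSP with no action class,
// inherits a default stack that starts with the login check.
//
//   <constant name="struts.convention.default.parent.package" value="secure-default"/>
//   <package name="secure-default" extends="convention-default">
//     <interceptors>
//       <interceptor name="loginRequired" class="com.example.web.LoginRequiredInterceptor"/>
//       <interceptor-stack name="secureStack">
//         <interceptor-ref name="loginRequired"/>
//         <interceptor-ref name="defaultStack"/>
//       </interceptor-stack>
//     </interceptors>
//     <default-interceptor-ref name="secureStack"/>
//   </package>
package com.example.web;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts2.ServletActionContext;
import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

public class LoginRequiredInterceptor extends AbstractInterceptor {
    private static final String LOGIN_ACTION = "login"; // assumed name of the login action
    private static final String SESSION_KEY = "user";   // assumed attribute set at login

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        String actionName = invocation.getProxy().getActionName();
        HttpServletRequest request = ServletActionContext.getRequest();
        HttpSession session = request.getSession(false); // never create a session just to check
        boolean loggedIn = session != null && session.getAttribute(SESSION_KEY) != null;

        // The login action itself must stay reachable, otherwise the redirect loops.
        if (loggedIn || LOGIN_ACTION.equals(actionName)) {
            return invocation.invoke(); // continue down the interceptor stack
        }
        // Not authenticated: redirect here and tell Struts to render no result.
        HttpServletResponse response = ServletActionContext.getResponse();
        response.sendRedirect(request.getContextPath() + "/" + LOGIN_ACTION);
        return Action.NONE;
    }
}
```

The check only runs for requests that Struts maps to an action, so the JSPs need to stay under /WEB-INF/content (the Convention plugin's default result path), where the container will not serve them directly.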
 