• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

Struts2 Redirecting problem

 
Ranch Hand
Posts: 32
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi folks,

I am using Login Interceptor, it executes on each action and redirects to Login page as it was in my logic. But there are some actions that I need to execute even if the user is not logged in.

If the user is not logged in and hit the following URL in the browser
e.g. /MyProject/SeeReports.jsp

It just opens up. I want to redirect it to Login.jsp if the user is not logged in.

I googled, but everybody suggest to use Interceptors. In JSTL there we can redirect using <c:redirect>. Is there anything like that in struts2?

Please help.
 
Bartender
Posts: 9626
16
Mac OS X Linux Windows
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

bablu singh wrote:Hi folks,
I am using Login Interceptor,



There's no Login interceptor in Struts so I can't tell you anything about that. I can tell you the way interceptors work is that you configure a "stack" of them. Simply create a stack that does not contain a Login interceptor for the URL's you want to make available.

bablu singh wrote:
If the user is not logged in and hit the following URL in the browser
e.g. /MyProject/SeeReports.jsp
It just opens up. I want to redirect it to Login.jsp if the user is not logged in.



First and most importantly, you should look at Declaritive Security. It's the JEE standard way to control access to servlets, EJB's and other resources.
I've see others here at the Ranch suggest putting all your JSP's under you web application's WEB-INF directory. They would not be directly accessible there, but presumably would be available for rendering a page. I've never tried that option.
As a last-ditch security measure, I created a custom JSP tag that checks to see if the user is logged in (and, optionally, what role the user is in), and if they are not (or do not have the proper role), issue a redirection to the login page.
I don't see how the JSTL redirect tag can help you unless you wrap it with some other logic that determines if a user is logged in. Struts does not have a redirect tag, but there is nothing preventing you from using JSTL.
 
bablu singh
Ranch Hand
Posts: 32
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Login Interceptor was my customized interceptor, that checks whether user is logged in or not. You are right we can define in a stack.

I searched and found about implementing the security using

I tried but no luck.

Is this the good idea if I move all my jsp to WEB-INF folder?

Please Suggest.
 
Joe Ess
Bartender
Posts: 9626
16
Mac OS X Linux Windows
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

bablu singh wrote:
I searched and found about implementing the security using
...
I tried but no luck.



I copied your code above, placed it into the web.xml of a sample application I have, redeployed and it worked as expected. When I attempt to access a JSP file, it prompts for one's credentials and if you do not provide them (you can't, as that role is unassigned), returns a "401 Unauthorized" error. This is on Weblogic 10.0.3. What container are you using?

bablu singh wrote:
Is this the good idea if I move all my jsp to WEB-INF folder?



I have seen this approach recommended more than once. I personally have never used it.
 
bablu singh
Ranch Hand
Posts: 32
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Thanks for clarification.

I am using Apache Tomcat. It also worked for me with little changes.

So, if I choose any of the above approach, I need to create the directory for all those files (adding into the URL pattern in web.xml) that I want to restrict and rest are publically available.

So, for restricted files, it will ask for credentials. What credentials to be used, one that I stored in my DB while creating a new user or the roles that I defined in the tomcat users file. If its tomcat user roles the how the end user would know these credentials?

Thanks.
 
Joe Ess
Bartender
Posts: 9626
16
Mac OS X Linux Windows
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

bablu singh wrote: If its tomcat user roles the how the end user would know these credentials?



Here is the relevant section of the Tomcat documentation. There are several options, including the Tomcat conf/tomcat-users.xml file and an external database.
 
reply
    Bookmark Topic Watch Topic
  • New Topic