Session Tracking In struts

shiva sarna
Greenhorn

Joined: Jul 23, 2006
Posts: 23
Hi,

I have an application developed in Struts. I have two interfaces, one for student and another for admin. When I log in as student I can access pages of Admin if I want to, and vice versa. I want to stop this. For example, if I log on as student and I cut, copy and paste a URL from the admin side, I should not be able to view it.

Is there any way by which I can achieve this in Struts?

Thanks

Protozoa


SCJP 5.0
Dom Lassy
Ranch Hand

Joined: May 05, 2006
Posts: 181
You can create your own action mapping class.

See this thread:
http://www.coderanch.com/t/53826/Struts/Struts-Session-Validation-Best-Practices

You can then extend Action and have a preprocess method that does the validation.
Merrill Higginson
Ranch Hand

Joined: Feb 15, 2005
Posts: 4864
However you do it, the important thing is that each Action for which only an administrator is allowed access must check the profile. If the profile is student, it should forward to a "Not Authorized" error page.


Merrill
Consultant, Sima Solutions
shiva sarna
Greenhorn

Joined: Jul 23, 2006
Posts: 23
Thanks Merrill and Dom, it worked.

I validated the user on each action class, and based on whether they are authorised to view a certain page I direct them to the proper JSP pages.

thanks again

protozoa
Brent Sterling
Ranch Hand

Joined: Feb 08, 2006
Posts: 948
A similar task is currently on my "to do" list. I took a look at the other thread and I see that I added advice on how to create a custom ActionMapping class. I wonder if I could have given advice that would have made Dom's life easier.

Looking at the attributes available on the action element, I see one named roles. The basic description for this attribute is "A comma-delimited list of security role names allowed to invoke this Action." Maybe he did not need to create a custom ActionMapping class, but instead could have just used this attribute. That is what I plan on doing.

Looking at the default code in RequestProcessor, the code looks like what I need for my project. I already have roles defined in web.xml and users are mapped to roles. The default code throws a 400 error if the role check fails. I already have custom RequestProcessor, so it would not be a big deal to override the processRoles method if I wanted to customize the behavior.

- Brent
[ August 10, 2006: Message edited by: Brent Sterling ]
Dom Lassy
Ranch Hand

Joined: May 05, 2006
Posts: 181
If you get the "role" attribute implemented can you post an example of it? I'm having trouble finding any documentation of it, other than how to define a role for a given action.

Is it as simple as getting the required roles from mapping.getRoleNames() and doing a string comparison of the role for each request?
shiva sarna
Greenhorn

Joined: Jul 23, 2006
Posts: 23
Hi,

Please explain to me how we can assign roles and map them.

It is a good idea to assign roles and map them and then just check which role can access which action.

If you have any example or any document that I can refer to, then it will be a great help.

thanks

shiva
Merrill Higginson
Ranch Hand

Joined: Feb 15, 2005
Posts: 4864
In your Action mapping:

roles="xyz, abz"

In your Action class:



The above assumes that you are using J2EE container security and making known your user's credentials to the container. For more details on this, read chapter 32 of Sun's J2EE Tutorial.
[ August 16, 2006: Message edited by: Merrill Higginson ]
Merrill Higginson
Ranch Hand

Joined: Feb 15, 2005
Posts: 4864
Since I posted the above, I realized that the code in the Action class isn't necessary. If you specify one or more roles in your action mapping, Struts will check the roles before it calls execute on your Action class. If the user isn't authorized, I believe it sends a "404" exception to the browser.
Brent Sterling
Ranch Hand

Joined: Feb 08, 2006
Posts: 948
If I get something working I will let you know. For the record I have pasted the source code from Struts 1.1 source below. It is basically what Merrill posted. If you are not using J2EE...err...JEE security then it would be pretty easy to implement your own processRoles method. Maybe you could store a list of the user's current roles on the session and then check that against the list that you get from mapping.getRoleNames().

My one concern about using this mechanism is that it could introduce a lot of development and testing overhead to a large project. Think about defining exactly what roles should be applied to 100's of action mappings and then what if you add a new role. It is doable and maybe important enough that it should be done but it will be a bit of work for my team to retrofit into an existing application.


- Brent
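The approach suggested in the post above (keep the user's roles on the session and compare them with `mapping.getRoleNames()` in an overridden `processRoles`), written out as an added example; it is not code from the thread or from the Struts source. The package, the class name and the `userRoles` session attribute are assumptions, and answering with 403 is this example's choice.

```java
package example.security; // hypothetical package name
import java.io.IOException;
import java.util.Collections;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

/**
 * Session-based role check for Struts 1. Wire it up in struts-config.xml:
 *   <controller processorClass="example.security.SessionRoleRequestProcessor"/>
 *   <action path="/admin/report" type="..." roles="admin"/>
 */
public class SessionRoleRequestProcessor extends RequestProcessor {

    /** Hypothetical session key; the login action is assumed to store a Set of role names here. */
    public static final String ROLES_KEY = "userRoles";

    @Override
    protected boolean processRoles(HttpServletRequest request, HttpServletResponse response,
                                   ActionMapping mapping) throws IOException, ServletException {
        String[] required = mapping.getRoleNames();
        if (required == null || required.length == 0) {
            // No roles attribute on the mapping: the action stays open to everyone,
            // so every admin-only mapping must declare its roles explicitly.
            return true;
        }
        Set<?> granted = rolesInSession(request);
        for (String role : required) {
            if (granted.contains(role)) {
                return true; // any one of the listed roles is sufficient
            }
        }
        // Not logged in, or logged in without a listed role: stop before the Action runs.
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return false;
    }

    /** Roles stored at login; an empty set when there is no session or no roles attribute. */
    static Set<?> rolesInSession(HttpServletRequest request) {
        HttpSession session = request.getSession(false); // do not create a session just to check
        Object stored = (session == null) ? null : session.getAttribute(ROLES_KEY);
        if (stored instanceof Set) { return (Set<?>) stored; }
        return Collections.emptySet();
    }
}
```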
 