Customer not Logged in

 
Ranch Hand
Posts: 71
Hi folks,

The Use Case Specification mentions that the user has to be logged in, otherwise 'Alternative Flows' starts.

So I wonder who controls this:

a) The FrontController
b) The Business Delegate

I go for the first option: FrontController.

I would be glad to hear your opinions.

Lucy
 
Ranch Hand
Posts: 446
BusinessDelegate is definitely out as it is out of the realms of its responsibility?

How about ApplicationController (or RequestProcessor)? Based on the definition of the Command it decides to redirect the user to the login page. Something like "Commands X, Y, and Z require the user to be logged in" is part of the Command definition.

Or it could be done by InterceptingFilter.
 
Lucy Hummel
Ranch Hand
Posts: 71
Hi Deepak,

Your idea about using the InterceptingFilter is at the moment my favorite.

Thanks for telling. Let's see if I will make it with this design pattern.

Lucy
 
Ranch Hand
Posts: 463
Hi,
Looking at the Petstore code, the way they implement it is through an intercepting filter, but I am confused about the use of both Createuser and CreateCustomerActions; aren't they really the same?
There is a signOnEvent which is actually created independently from the application controller. The signOnNotifier creates this event and sends it to the webcontroller -- ejbcontroller -- etc...
Now the point is, using a BD, wouldn't the same events also be called by the business delegate for the application? Then where is the BD out of the realm scope?

Can you please clarify?
Thanks
Dhiren
 
Deepak Pant
Ranch Hand
Posts: 446
1. Detection of the fact that the user is logged in or not has to be part of something very close to the Controller. It could be InterceptingFilter (like in Petstore) or it could be ApplicationController (like in Struts). A class called RequestProcessor is an example of an ApplicationController implementation.

2. If InterceptingFilter does this detection then it needs some kind of metadata for performing this check. In Petstore a separate XML file is maintained and used by the InterceptingFilter to find out if a particular request requires the user to be logged in.

3. If ApplicationController does this detection then the metadata can be part of the command definition that is anyways needed for ApplicationController to work. For example: Struts config file can be extended by using custom ActionMapping class to contain this information. This information can then be used in one of the overrideable methods of RequestProcessor class.

4. Another strategy could be as simple as imposing a security constraint in the web.xml descriptor file.

Personally I think keeping config information in one central place makes life easier for developers, deployers etc.

5. The reason I said BusinessDelegate is out of question here is because:
- They are proxies to the actual facades.
- They should not contain any kind of rules or business logic
- They encapsulate complexities hidden behind invoking Facades

6. However, the actual logic of authenticating the user credentials can be passed on to the EJB tier using a delegate.
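
Added example (not part of the thread and not Petstore or Struts code): a servlet filter that does the login check from points 1 and 2, reading its metadata from a filter init-param instead of a separate XML file. The class name, the `publicPaths` init-param, the `authenticatedUser` session attribute and `/login.jsp` are all assumptions made for illustration; unlike a list of protected resources, this sketch requires login for every path that is not explicitly listed as public.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical sign-on filter: sends anonymous requests to the login page. */
public class LoginCheckFilter implements Filter {
    // Assumed names, chosen for this example only.
    static final String USER_ATTR = "authenticatedUser";
    static final String LOGIN_PAGE = "/login.jsp";
    private final Set<String> publicPaths = new HashSet<>();

    @Override
    public void init(FilterConfig cfg) {
        // Metadata: comma-separated init-param "publicPaths" declared in web.xml.
        String param = cfg.getInitParameter("publicPaths");
        if (param != null) {
            for (String p : param.split(",")) {
                publicPaths.add(p.trim());
            }
        }
        publicPaths.add(LOGIN_PAGE); // the login page itself must stay reachable
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        // Path relative to the context root, as the container resolved it.
        String path = req.getServletPath()
                + (req.getPathInfo() == null ? "" : req.getPathInfo());
        // getSession(false): never create a session just to test for a login.
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;

        if (loggedIn || publicPaths.contains(path)) {
            chain.doFilter(req, res); // main flow: on to the controller
            return;
        }
        // Alternative flow: the chain is not invoked, so the protected
        // resource is never executed for an anonymous request.
        res.sendRedirect(req.getContextPath() + LOGIN_PAGE);
    }

    @Override
    public void destroy() { }
}
```

The filter only detects the login state; verifying credentials stays behind the login page and, as point 6 says, can be passed on to the EJB tier.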
 
Dhiren Joshi
Ranch Hand
Posts: 463
Thanks Deepak, clarified lots of issues for me.

Some more queries I have.


1. Detection of the fact that the user is logged in or not has to be part of something very close to the Controller. It could be InterceptingFilter (like in Petstore) or it could be ApplicationController (like in Struts). A class called RequestProcessor is an example of an ApplicationController implementation.



If I am not mistaken this part is handled by signOnNotifier. The way it is implemented in the Web tier is that it implements HttpSessionListener, so just the creation of a session calls the implementation method where the actual logic creates an event and sends it to the EJB tier. How would this work for the application client? No sign-on notifier there?



2. If InterceptingFilter does this detection then it needs some kind of metadata for performing this check. In Petstore a separate XML file is maintained and used by the InterceptingFilter to find out if a particular request requires the user to be logged in.


I was going through the SignOnFilter code; there is a doFilter implementation. Is that what you are referring to?


3. If ApplicationController does this detection then the metadata can be part of the command definition that is anyways needed for ApplicationController to work. For example: Struts config file can be extended by using custom ActionMapping class to contain this information. This information can then be used in one of the overrideable methods of RequestProcessor class.



When you mention the above, are you saying that the config.xml file holds all the protected resources, similar to the petstore configs.xml? What would be different if the same were held by web.xml? In fact the XML config is similar to web.xml configs except it's not centralised in web.xml. What do you mean by the overrideable methods? A template method type of implementation?


4. Another strategy could be as simple as imposing a security constraint in the web.xml descriptor file.

Personally I think keeping config information in one central place makes life easier for developers, deployers etc.



Are you referring to imposing container declarative security?

I still have queries on: why is there a need for a UserEvent and a CustomerEvent? Isn't a customer a user? I will try explaining what I have understood. Please correct me if that explanation is incorrect.

The customer has already been created and all the information is in the database.
Now a user who is a customer logs in ... SignInnotifier notifies the EJB tier using the SignOnEvent --> SignOnEJB to load the user as well as the Customer information and profile.
I will try explaining the UserEvent and CustomerEvent.

If validation fails, obviously it goes to the Customer page for customer creation and the CustomerEvent is invoked for creating a new customer.

UserEvent is only going to be invoked by the SignOnNotifier even though under the covers it loads the customer.

But the confusion comes because of these taken from web.xml

This shows user and customer actions as separate events. But since they are both called at one go, why have the two actions been broken? They could very well have been combined as one action like CustomerLoginAction?

Thanks
Dhiren

[ December 30, 2004: Message edited by: Dhiren Joshi ]
[ December 31, 2004: Message edited by: Dhiren Joshi ]
 
Ranch Hand
Posts: 90
Thinking of using an intercepting filter.
Example of how it is included in sequence diagram:
http://java.sun.com/developer/EJTechTips/2002/tt0919.html

I am using Application Controller and Intercepting Filter (for authentication).
How is this displayed for post-processing in a sequence diagram?
1. Application Controller dispatches to Intercepting Filter
2. Intercepting Filter then dispatches to JSP? (or calls alt flow)
(seems a little bit odd to have an Intercepting Filter dispatch to a JSP)
I think the answer is here:
http://java.sun.com/j2ee/patterns/DecoratingFilter.html

When the request is post-processed (because the user has to log on to view the result):
Is the result JSP (which is restricted) generated (and cached) before the user is redirected to the logon page?
Or is the JSP generated after the user has logged on?

In other words, is the (post-processing) filter applied before or after
the JSP has been generated?
If this is the case, the JSP is cached by the Intercepting Filter.
Sounds logical. Is this correct?

thanks,
J
:roll:
[ February 19, 2005: Message edited by: Josep Andreas ]
 