I've been working on the login portion of a web app I'm creating. I got everything up and running, but I now want to improve my implementation to be more robust and resilient to various possible user access.
My original implementation involved invoking an action listed in my struts.xml, performing the code in the execute method and then transitioning to the main jsp. With this implementation, I could create an actionName-validation.xml and get the struts validation interceptor to perform validation on my action prior to invoking the code in the execute method.
My new implementation hinges around the creation of an Interceptor. This interceptor is invoked on EVERY action call. The interceptor checks to see if the user is logged on. If the user is logged on, the interceptor simply delegates the flow of control to the next interceptor (or the action). If the user isn't logged on and they have just attempted to log on, this code then performs a user validation to check they have entered valid log-on credentials. By valid, I simply mean the combination exists in the database. If the interceptor successfully validates the user, they are then forwarded to whichever action they were attempting to perform at that time.
So in a nutshell, this is the problem. In order to develop a solution to authenticating users regardless of the address/action they enter, I need an interceptor, hence the creation of my Login Interceptor. I would however like to use struts validation to validate the user has entered valid credentials and they are in the valid format before they get to my interceptor. I'm not entirely sure how to achieve this as validation.xml is meant to be tied to an action, but in my case, any action could re-direct to my login page which in turn on submission will be re-directed to another page.
I could create essentially a dummy action containing the attributes on my login form, create a validation file (or use annotations) and then ensure the struts validate interceptor is called before my login interceptor. I would then simply forward the execute of my dummy action to the actual action the user was trying to invoke.
Before resorting to this, I just wanted to see if there were more elegant solutions to this problem.
I agree in principle with your statement. The action of logging in is not a cross-cutting concern. Security adherence, however, is. My argument would be that one possible implementation, which I have taken, is to wrap the action of logging in with checking the user is logged in through conditional logic within the single Interceptor.
I suppose I could re-implement so that the act of an interceptor determining a user is not logged in triggers the execution of an action to log a user in. Once a user has logged in, the interceptor would then permit the execution of other actions dependent on the user having appropriate permissions.
Interested in the thoughts of others as to the best practices to take in developing authentication with the Struts 2 framework.
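As an added example (not code from the original post or its answers), the split described above: an interceptor that only enforces "is the user logged in?" and a separate LoginAction that carries Struts 2 annotation validation and the credential check. The session keys, the package name, the `CredentialStore` collaborator and the result names are assumptions; the struts.xml wiring is sketched in comments.

```java
// Added example, not the poster's code. Assumed: a CredentialStore collaborator,
// the session keys below, and a "login" global result mapped to the login action.
package example.security;

import java.util.Map;

import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import com.opensymphony.xwork2.validator.annotations.RequiredStringValidator;
import com.opensymphony.xwork2.validator.annotations.Validations;

/** Cross-cutting concern only: is there an authenticated principal in the session? */
public class AuthenticationInterceptor extends AbstractInterceptor {
    public static final String USER_KEY = "authenticatedUser";   // assumed session key
    public static final String RETURN_TO_KEY = "returnToAction"; // assumed session key

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        Map<String, Object> session = invocation.getInvocationContext().getSession();
        if (session.get(USER_KEY) != null) {
            return invocation.invoke();              // logged in: continue the interceptor stack
        }
        // Remember which action was requested so LoginAction can send the user back there.
        session.put(RETURN_TO_KEY, invocation.getProxy().getActionName());
        // "login" is a global result in struts.xml pointing at the LoginAction, e.g.
        //   <global-results><result name="login" type="redirectAction">login</result></global-results>
        // The login action lives in a package whose stack does NOT include this interceptor.
        return ActionSupport.LOGIN;
    }
}

/** Assumed collaborator: compares a submitted password against the stored password hash. */
interface CredentialStore {
    boolean check(String username, String password);
}

/** Logging in is an ordinary action, so the normal validation interceptor applies to it. */
class LoginAction extends ActionSupport {
    private String username;
    private String password;
    private String returnTo;
    private transient CredentialStore credentials; // injected, e.g. by the Spring plugin (assumption)

    // Format validation runs in the validation interceptor, before execute() is reached.
    @Validations(requiredStrings = {
        @RequiredStringValidator(fieldName = "username", message = "Username is required"),
        @RequiredStringValidator(fieldName = "password", message = "Password is required")
    })
    @Override
    public String execute() throws Exception {
        if (!credentials.check(username, password)) {
            // One generic message: do not reveal whether the username or the password was wrong.
            addActionError("Invalid username or password");
            return INPUT;
        }
        Map<String, Object> session = ActionContext.getContext().getSession();
        session.put(AuthenticationInterceptor.USER_KEY, username);
        // Pop the originally requested action; fall back to the main page if there is none.
        Object requested = session.remove(AuthenticationInterceptor.RETURN_TO_KEY);
        returnTo = requested != null ? requested.toString() : "main";
        // struts.xml: <result name="success" type="redirectAction">
        //               <param name="actionName">${returnTo}</param>
        //             </result>
        return SUCCESS;
    }

    public String getReturnTo() { return returnTo; }
    public void setUsername(String username) { this.username = username; }
    public void setPassword(String password) { this.password = password; }
    public void setCredentials(CredentialStore credentials) { this.credentials = credentials; }
}
```

With this layout the interceptor never parses form fields, so it has nothing to validate; the dummy-action workaround from the question becomes the real login action. Two points a reviewer would want on top of this: `returnTo` should be restricted to action names in your own configuration (it is a session value set by the interceptor, so it is not user input here, but it must stay that way), and the servlet session should be renewed after a successful login so a pre-login session id does not carry over into the authenticated session.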