Struts Validation with a LoginInterceptor

 
Greenhorn
Posts: 26
Hi,

I've been working on the login portion of a web app I'm creating. I got everything up and running, but I now want to improve my implementation to be more robust and resilient to various possible user access.

My original implementation involved invoking an action listed in my struts.xml, performing the code in the execute method and then transitioning to the main jsp. With this implementation, I could create an actionName-validation.xml and get the struts validation interceptor to perform validation on my action prior to invoking the code in the execute method.

My new implementation hinges around the creation of an Interceptor. This interceptor is invoked on EVERY action call. The interceptor checks to see if the user is logged on. If the user is logged on, the interceptor simply delegates the flow of control to the next interceptor (or the action). If the user isn't logged on and they have just attempted to log on, this code then performs a user validation to check they have entered valid log-on credentials. By valid, I simply mean the combination exists in the database. If the interceptor successfully validates the user, they are then forwarded to whichever action they were attempting to perform at that time.

So in a nutshell, this is the problem. In order to develop a solution to authenticating users regardless of the address/action they enter, I need an interceptor, hence the creation of my Login Interceptor. I would however like to use struts validation to validate the user has entered valid credentials and they are in the valid format before they get to my interceptor. I'm not entirely sure how to achieve this as validation.xml is meant to be tied to an action, but in my case, any action could re-direct to my login page which in turn on submission will be re-directed to another page.

I could create essentially a dummy action containing the attributes on my login form, create a validation file (or use annotations) and then ensure the struts validate interceptor is called before my login interceptor. I would then simply forward the execute of my dummy action to the actual action the user was trying to invoke.

Before resorting to this, I just wanted to see if there were more elegant solutions to this problem.

FYI, my implementation closely relates to the implementation that can be found at the following url: http://www.vitarara.org/cms/struts_2_cookbook/creating_a_login_interceptor

Appreciate any advice.

Many Thanks.
 
Author
Posts: 12617
IntelliJ IDE Ruby
IMO an interceptor should not be used to *do* the login: logging in isn't a cross-cutting concern. Login should be handled by an action, just like any other form input would be.

Checking to see whether or not they're logged in *is* a cross-cutting concern, and *should* be handled with an interceptor (or similar).
 
Mark Brownengland
Greenhorn
Posts: 26
I agree in principle with your statement. The action of logging in is not a cross-cutting concern. Security adherence, however, is. My argument would be that one possible implementation which I have taken is to wrap the action of logging in with checking the user is logged in through conditional logic within the single Interceptor.

I suppose I could re-implement so that the act of an interceptor determining a user is not logged in, triggers the execution of an action to log a user in. Once a user has logged in, the interceptor would then permit the execution of other actions dependent on the user having appropriate permissions.

Interested in the thoughts of others as to the best practices to take in developing authentication with the Struts 2 framework.

Many Thanks.
 
David Newton
Author
Posts: 12617
IntelliJ IDE Ruby
But the action (note the terminology) of "logging in" is a *very* different concept, requiring very different implementation, than that of "checking to see if the user is logged in".
 
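The split discussed in this thread, as an added example that is not code from any poster: an interceptor that only checks whether a session is authenticated, and a separate login action that the standard validation interceptors can validate like any other form. It assumes Struts 2.x package names (`com.opensymphony.xwork2`), a global `login` result pointing at the login page, and a login action mapped to a stack that does not include the authentication interceptor; the class names, `USER_KEY` and `UserDirectory` are hypothetical.

```java
// File: AuthenticationInterceptor.java (added example; names are hypothetical)
import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import java.util.Map;

public class AuthenticationInterceptor extends AbstractInterceptor {
    static final String USER_KEY = "authenticatedUser"; // hypothetical session key
    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        Map<String, Object> session = invocation.getInvocationContext().getSession();
        // Cross-cutting check only: never reads or verifies credentials here.
        if (session == null || session.get(USER_KEY) == null) {
            return Action.LOGIN; // assumed to map to the login page via a global result
        }
        return invocation.invoke(); // authenticated: continue down the stack
    }
}

// File: UserDirectory.java (hypothetical credential store, supplied by the application)
public interface UserDirectory { boolean matches(String username, String password); }

// File: LoginAction.java
import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionSupport;

public class LoginAction extends ActionSupport {
    private String username;
    private String password;
    private UserDirectory users; // injected by the application (assumption)

    @Override
    public void validate() { // format checks; a LoginAction-validation.xml would work equally
        if (username == null || username.trim().isEmpty()) addFieldError("username", "Username is required");
        if (password == null || password.isEmpty()) addFieldError("password", "Password is required");
    }
    @Override
    public String execute() {
        if (!users.matches(username, password)) {
            addActionError("Invalid username or password"); // same message for either failure
            return INPUT;
        }
        ActionContext.getContext().getSession().put(AuthenticationInterceptor.USER_KEY, username);
        return SUCCESS;
    }
    public void setUsername(String username) { this.username = username; }
    public void setPassword(String password) { this.password = password; }
    public void setUsers(UserDirectory users) { this.users = users; }
}
```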